
Develops policies and plans and/or advocates for changes in policy that support organizational cyberspace initiatives or required changes/enhancements.

Below are the work roles for this Specialty Area: Cyber Policy and Strategy Planner, and Cyber Workforce Developer and Manager. Each role lists its Abilities, its Capability Indicators (by proficiency level), and its Knowledge, Skills, and Tasks (the KSAs and Tasks).

  • A0003: Ability to determine the validity of technology trend data.
  • A0033: Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • A0037: Ability to leverage best practices and lessons learned of external organizations and academic institutions dealing with cyber issues.
  • Capability Indicators for Cyber Policy and Strategy Planner
    Recommendations are listed per proficiency level: Entry, Intermediate, and Advanced.
    Credentials/Certifications
    • Entry
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications addressing analysis, assessment, control, mitigation and management of risk within a federal management and acquisition framework containing personal data; identifying, implementing and integrating management, acquisition and administrative risk methodologies for securing critical and sensitive information infrastructures; strategic planning (how to plan the plan, historical analysis, horizon analysis, visioning, environmental scans [SWOT, PEST, Porter's, etc.], mission, vision, and value statements); planning to ensure institutional effectiveness; security policy development (policy establishes bounds for behavior, policy empowers users to do the right thing, should and shall, policy versus procedure, policy needs assessment processes, organizational assumptions, beliefs and values (ABVs), relationship of mission to policy, organizational culture, comprehensive security policy assessment (using the principles of psychology to implement policy, applying the SMART method to policy, how policy protects people, organizations and information, case study, the process to handle a new risk, behavior-related policies, acceptable use, ethics, warning banners, policy development process, policy review and assessment process, wrap-up)); leadership and management competencies (leadership building blocks, coaching and training, change management, team development, motivating, developing the vision, leadership development, building competencies, importance of communication, self-direction, brainstorming, relationship building, teamwork concepts, leader qualities, leadership benefits); access control theory, Mitnick-Shimomura attack, network addressing, network fundamentals, network mapping and scanning, network protocols, vulnerability management overview, vulnerability scanning, web application security, Windows automation, auditing and forensics, hotfixes and backups, Active Directory and Group Policy overview, wireless security; information privacy technology, privacy program governance (organization level, develop the privacy program framework, implement the privacy policy framework, metrics), privacy operation lifecycle (assess your organization, protect, sustain, respond); program management; disciplined, data-driven approach and methodology for eliminating defects
    • Intermediate
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications addressing information privacy technology, privacy program governance (organization level, develop the privacy program framework, implement the privacy policy framework, metrics), privacy operation lifecycle (assess your organization, protect, sustain, respond), program management, risk management, categorization of information systems, selection of security controls, security control implementation and assessment, information system authorization, monitoring of security controls, understand basic cybersecurity concepts and definitions, apply cybersecurity architecture principles, identify components of a cybersecurity architecture, define network security architecture concepts (topology, protocols, components, principles), understand malware analysis concepts and methodology, recognize the methodologies and techniques for detecting host- and network-based intrusions via intrusion detection technologies, identify computer network defense and vulnerability assessment tools, including open source tools and their capabilities, understand system hardening, apply penetration testing principles, tools, and techniques, define network systems management principles, models, methods, and tools, understand remote access technology and systems administration concepts, distinguish system and application security threats and vulnerabilities, recognize system lifecycle management principles, including software security and usability, local specialized system requirements for safety, performance, and reliability, types of incidents (categories, responses, and timelines for responses), disaster recovery and business continuity planning, incident response and handling methodologies, security event correlation tools, how different file types can be used for atypical behavior, investigative implications of hardware, operating systems, and network technologies, as well as basic concepts, practices, tools, tactics, techniques, and procedures for processing digital forensic data, network traffic analysis methods, recognize new and emerging information technology and information security technologies (the current threat landscape, mobile devices, cloud computing and storage), project management (initiating, planning, executing, monitoring and controlling, closing), business continuity and disaster recovery, security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, network security, security policy and awareness, systems and application security, information security governance, and Balanced Scorecard Indicator (BSI)
    • Advanced
      • Recommended: Yes
      • Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, authentication, authorization, and accountability, cryptography foundations, information security and risk management principles, network foundations, information security governance, security program development and management, incident management, Balanced Scorecard Indicator (BSI)
    Continuous Learning
    • Entry
      • Recommended: Yes
      • Examples: Involvement with policy, legislation, government/agency-wide policy groups (CNSS, NIST)
    • Intermediate
      • Recommended: Yes
      • Examples: 40 hours annually (may include policy lifecycle, communications)
    • Advanced
      • Recommended: Yes
      • Examples: 40 hours annually (leading change, leading people, business acumen, building coalitions)
    Education
    • Entry
      • Recommended: Yes
      • Example Types: Bachelor's, M.B.A., J.D.
      • Example Topics: IT security management, IT management, information security, political science, business management, communications, public administration with cybersecurity experience
    • Intermediate
      • Recommended: Yes
      • Example Types: Bachelor's, M.B.A., J.D.
      • Example Topics: IT security management, IT management, information security, political science, business management, communications, public administration with cybersecurity experience
    • Advanced
      • Recommended: Yes
      • Example Types: Master's, Ph.D.
      • Example Topics: IT security management, IT management, information security, political science, business management, communications, public administration with cybersecurity experience
    Experiential Learning
    • Entry
      • Recommended: No
      • Examples: N/A
    • Intermediate
      • Recommended: Yes
      • Examples: Prior information security experience
    • Advanced
      • Recommended: Yes
      • Examples: Prior information security experience
    Training
    • Entry
      • Recommended: N/A
      • Example Types: N/A
      • Example Topics: N/A
    • Intermediate
      • Recommended: N/A
      • Example Types: N/A
      • Example Topics: N/A
    • Advanced
      • Recommended: N/A
      • Example Types: N/A
      • Example Topics: N/A
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0127: Knowledge of the nature and function of the relevant information structure (e.g., National Information Infrastructure).
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • K0234: Knowledge of full spectrum cyber capabilities (e.g., defense, attack, exploitation). 
  • K0248: Knowledge of strategic theory and practice.
  • K0309: Knowledge of emerging technologies that have potential for exploitation.
  • K0311: Knowledge of industry indicators useful for identifying technology trends.
  • K0313: Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber curriculum/training and Research & Development).
  • K0335: Knowledge of current and emerging cyber technologies.
  • K0624: Knowledge of application security risks (e.g., Open Web Application Security Project [OWASP] Top 10 list).
  • S0176: Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
  • S0250: Skill in preparing plans and related correspondence.
  • T0074: Develop policy, programs, and guidelines for implementation.
  • T0094: Establish and maintain communication channels with stakeholders.
  • T0222: Review existing and proposed policies with stakeholders.
  • T0226: Serve on agency and interagency policy boards.
  • T0341: Advocate for adequate funding for cyber training resources, to include both internal and industry-provided courses, instructors, and related materials.
  • T0369: Ensure that cyber workforce management policies and processes comply with legal and organizational requirements regarding equal opportunity, diversity, and fair hiring/employment practices.
  • T0384: Promote awareness of cyber policy and strategy as appropriate among management and ensure sound principles are reflected in the organization's mission, vision, and goals.
  • T0390: Review/Assess cyber workforce effectiveness to adjust skill and/or qualification standards.
  • T0408: Interpret and apply applicable laws, statutes, and regulatory documents and integrate into policy.
  • T0425: Analyze organizational cyber policy.
  • T0429: Assess policy needs and collaborate with stakeholders to develop policies to govern cyber activities.
  • T0441: Define and integrate current and future mission environments.
  • T0445: Design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the organization's strategic plan.
  • T0472: Draft, staff, and publish cyber policy.
  • T0505: Monitor the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services.
  • T0506: Seek consensus on proposed policy changes from stakeholders.
  • T0529: Provide policy guidance to cyber management, staff, and users.
  • T0533: Review, conduct, or participate in audits of cyber programs and projects.
  • T0537: Support the CIO in the formulation of cyber-related policies.
  • A0023: Ability to design valid and reliable assessments.
  • A0028: Ability to assess and forecast manpower requirements to meet organizational objectives.
  • A0033: Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • A0037: Ability to leverage best practices and lessons learned of external organizations and academic institutions dealing with cyber issues.
  • A0042: Ability to develop career path opportunities.
  • A0053: Ability to determine the validity of workforce trend data.
  • Capability Indicators for Cyber Workforce Developer and Manager
    Recommendations are listed per proficiency level: Entry, Intermediate, and Advanced.
    Credentials/Certifications
    • Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Certifications addressing talent management, strategic workforce planning, business strategy, differentiated segments, environmental scan, current state, gap analysis, action planning, monitoring and reporting, getting started, conclusion, business and economic development intelligence, career development principles, collaboration and problem solving, customer service methodology, diversity, labor market information and intelligence, principles of communication, program implementation principles and strategies, workforce development structure, policies and programs, business management and strategy, workforce planning and employment, human resource development, compensation and benefits, employee and labor relations, risk management, system security, network infrastructure, access control, cryptography, assessments and audits, organizational security, building financial acumen, improving financial literacy, acting on meaningful analytics, the ROI of engagement, collaboration, and retention (ECR), building trust and transparency, execution and change management, and influencing skills
    • Intermediate
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Certifications addressing the linkage between business strategy and talent acquisition strategy, creating a partnership with hiring managers, talent acquisition, sourcing strategy, talent pipelines, connection between the employer value proposition and talent acquisition strategy, data-driven decisions (sourcing channel effectiveness, projecting candidate availability in the talent pipeline, tying metrics to business strategy and applied talent acquisition analytics), change strategy, leadership engagement, stakeholder analysis, communications, HC and workforce impact analysis, learning and training, process and infrastructure, project management, performance management, change execution, point of contact for staff and stakeholders, deliver HR services and perform operational HR functions, compensation and benefits, employee and labor relations, risk management, system security, network infrastructure, access control, cryptography, assessments and audits, organizational security, building financial acumen, improving financial literacy, collaboration and retention, building trust and transparency, execution and change management, and influencing skills
    • Advanced
      • Recommended: Not essential but may be beneficial
      • Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security
    Continuous Learning
    • Entry
      • Recommended: Yes
      • Examples: Exposure to workforce policy, legislation impacting the cyber workforce, interagency advisory groups/councils, industry conferences and workshops
    • Intermediate
      • Recommended: Yes
      • Examples: 40 hours annually (may include policy, legislation, interagency advisory groups/councils, industry conferences and workshops, business process reengineering, organizational design, change management, communications)
    • Advanced
      • Recommended: Yes
      • Examples: 40 hours annually (may include policy, legislation, interagency advisory groups/councils, industry conferences and workshops, business process reengineering)
    Education
    • Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: N/A
    • Intermediate
      • Recommended: Yes
      • Example Types: Bachelor's
      • Example Topics: N/A
    • Advanced
      • Recommended: Yes
      • Example Types: Master's, Ph.D.
      • Example Topics: N/A
    Experiential Learning
    • Entry
      • Recommended: Yes
      • Examples: Experience/apprenticeships involving cyber HR and HC, internal rotations supporting cyber teams
    • Intermediate
      • Recommended: Yes
      • Examples: Experience/apprenticeships involving cyber HR and HC, internal rotations supporting cyber teams; prior information security experience
    • Advanced
      • Recommended: Yes
      • Examples: Experience/apprenticeships involving cyber HR and HC, internal rotations supporting cyber teams
    Training
    • Entry
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Workforce planning/HC
    • Intermediate
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Workforce planning, cybersecurity, legislative
    • Advanced
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Technical cybersecurity/IT, instructional design, HC, learning styles, organizational design, change management, communications
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0101: Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
  • K0127: Knowledge of the nature and function of the relevant information structure (e.g., National Information Infrastructure).
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0147: Knowledge of emerging security issues, risks, and vulnerabilities.
  • K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0204: Knowledge of learning assessment techniques (rubrics, evaluation plans, tests, quizzes). 
  • K0215: Knowledge of organizational training policies.
  • K0233: Knowledge of the National Cybersecurity Workforce Framework, work roles, and associated tasks, knowledge, skills, and abilities.
  • K0234: Knowledge of full spectrum cyber capabilities (e.g., defense, attack, exploitation). 
  • K0241: Knowledge of organizational human resource policies, processes, and procedures.
  • K0243: Knowledge of organizational training and education policies, processes, and procedures.
  • K0309: Knowledge of emerging technologies that have potential for exploitation.
  • K0311: Knowledge of industry indicators useful for identifying technology trends.
  • K0313: Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber curriculum/training and Research & Development).
  • K0335: Knowledge of current and emerging cyber technologies.
  • S0108: Skill in developing workforce and position qualification standards.
  • S0128: Skill in using manpower and personnel IT systems.
  • T0001: Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk.
  • T0004: Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements.
  • T0025: Communicate the value of information technology (IT) security throughout all levels of the organization stakeholders.
  • T0044: Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.
  • T0074: Develop policy, programs, and guidelines for implementation.
  • T0094: Establish and maintain communication channels with stakeholders.
  • T0099: Evaluate cost/benefit, economic, and risk analysis in decision-making process.
  • T0116: Identify organizational policy stakeholders.
  • T0222: Review existing and proposed policies with stakeholders.
  • T0226: Serve on agency and interagency policy boards.
  • T0341: Advocate for adequate funding for cyber training resources, to include both internal and industry-provided courses, instructors, and related materials.
  • T0352: Conduct learning needs assessments and identify requirements.
  • T0355: Coordinate with internal and external subject matter experts to ensure existing qualification standards reflect organizational functional requirements and meet industry standards.
  • T0356: Coordinate with organizational manpower stakeholders to ensure appropriate allocation and distribution of human capital assets.
  • T0362: Develop and implement standardized position descriptions based on established cyber work roles.
  • T0363: Develop and review recruiting, hiring, and retention procedures in accordance with current HR policies.
  • T0364: Develop cyber career field classification structure to include establishing career field entry requirements and other nomenclature such as codes and identifiers.
  • T0365: Develop or assist in the development of training policies and protocols for cyber training.
  • T0368: Ensure that cyber career fields are managed in accordance with organizational HR policies and directives.
  • T0369: Ensure that cyber workforce management policies and processes comply with legal and organizational requirements regarding equal opportunity, diversity, and fair hiring/employment practices.
  • T0372: Establish and collect metrics to monitor and validate cyber workforce readiness including analysis of cyber workforce data to assess the status of positions identified, filled, and filled with qualified personnel.
  • T0373: Establish and oversee waiver processes for cyber career field entry and training qualification requirements.
  • T0374: Establish cyber career paths to allow career progression, deliberate development, and growth within and between cyber career fields.
  • T0375: Establish manpower, personnel, and qualification data element standards to support cyber workforce management and reporting requirements.
  • T0376: Establish, resource, implement, and assess cyber workforce management programs in accordance with organizational requirements.
  • T0384: Promote awareness of cyber policy and strategy as appropriate among management and ensure sound principles are reflected in the organization's mission, vision, and goals.
  • T0387: Review and apply cyber career field qualification standards.
  • T0388: Review and apply organizational policies related to or influencing the cyber workforce.
  • T0390: Review/Assess cyber workforce effectiveness to adjust skill and/or qualification standards.
  • T0391: Support integration of qualified cyber workforce personnel into information systems life cycle development processes.
  • T0408: Interpret and apply applicable laws, statutes, and regulatory documents and integrate into policy.
  • T0425: Analyze organizational cyber policy.
  • T0429: Assess policy needs and collaborate with stakeholders to develop policies to govern cyber activities.
  • T0437: Correlate training and learning to business or mission requirements.
  • T0441: Define and integrate current and future mission environments.
  • T0445: Design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the organization's strategic plan.
  • T0472: Draft, staff, and publish cyber policy.
  • T0481: Identify and address cyber workforce planning and management issues (e.g., recruitment, retention, and training).
  • T0505: Monitor the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services.
  • T0506: Seek consensus on proposed policy changes from stakeholders.
  • T0529: Provide policy guidance to cyber management, staff, and users.
  • T0533: Review, conduct, or participate in audits of cyber programs and projects.
  • T0536: Serve as an internal consultant and advisor in own area of expertise (e.g., technical, copyright, print media, electronic media).
  • T0537: Support the CIO in the formulation of cyber-related policies.
  • T0552: Review and approve a supply chain security/risk management policy.