Securely Provision

Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating IT.

Below are the roles for this Specialty Area. Click each role to see the KSAs (Knowledge, Skills, and Abilities) and Tasks.

  • A0026: Ability to analyze test data.
  • A0030: Ability to collect, verify, and validate test data.
  • A0040: Ability to translate data and test results into evaluative conclusions.
  • A0123: Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0027: Knowledge of organization's enterprise information security architecture. 
  • K0028: Knowledge of organization's evaluation and validation requirements. 
  • K0037: Knowledge of Security Assessment and Authorization process. 
  • K0044: Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • K0057: Knowledge of network hardware devices and functions. 
  • K0088: Knowledge of systems administration concepts.
  • K0091: Knowledge of systems testing and evaluation methods.
  • K0102: Knowledge of the systems engineering process.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161) 
  • K0139: Knowledge of interpreted and compiled computer languages.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0170: Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. 
  • K0179: Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 
  • K0199: Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
  • K0203: Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
  • K0212: Knowledge of cybersecurity-enabled software products.
  • K0250: Knowledge of Test & Evaluation processes for learners. 
  • K0260: Knowledge of Personally Identifiable Information (PII) data security standards. 
  • K0261: Knowledge of Payment Card Industry (PCI) data security standards. 
  • K0262: Knowledge of Personal Health Information (PHI) data security standards. 
  • K0287: Knowledge of an organization's information classification program and procedures for information compromise. 
  • K0332: Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
  • S0015: Skill in conducting test events.
  • S0021: Skill in designing a data analysis structure (i.e., the types of data a test must generate and how to analyze that data).
  • S0026: Skill in determining an appropriate level of test rigor for a given system.
  • S0030: Skill in developing operations-based testing scenarios.
  • S0048: Skill in systems integration testing.
  • S0060: Skill in writing code in a currently supported programming language (e.g., Java, C++).
  • S0061: Skill in writing test plans.
  • S0082: Skill in evaluating test plans for applicability and completeness.
  • S0104: Skill in conducting Test Readiness Reviews.
  • S0107: Skill in designing and documenting overall program Test & Evaluation strategies.
  • S0110: Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements.
  • S0112: Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events.
  • S0115: Skill in preparing Test & Evaluation reports.
  • S0117: Skill in providing Test & Evaluation resource estimate.
  • S0367: Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • T0058: Determine level of assurance of developed capabilities based on test results.
  • T0080: Develop test plans to address specifications and requirements.
  • T0125: Install and maintain network infrastructure device operating system software (e.g., IOS, firmware).
  • T0143: Make recommendations based on test results.
  • T0257: Determine scope, infrastructure, resources, and data sample size to ensure system requirements are adequately demonstrated.
  • T0274: Create auditable evidence of security measures.
  • T0393: Validate specifications and requirements for testability.
  • T0426: Analyze the results of software, hardware, or interoperability testing.
  • T0511: Perform developmental testing on systems under development.
  • T0512: Perform interoperability testing on systems exchanging electronic information with other systems.
  • T0513: Perform operational testing.
  • T0539: Test, evaluate, and verify hardware and/or software to determine compliance with defined specifications and requirements.
  • T0540: Record and manage test data.
  • Capability Indicators for System Testing and Evaluation Specialist
    Category Entry Intermediate Advanced
    Credentials/Certifications
    • Recommended: Not essential but may be beneficial
    • Example Types: N/A
    • Example Topics: Certifications addressing network infrastructure, mobile device integration, hardware evaluation, operating systems, technical support, managing, maintaining, troubleshooting, installing, and configuring basic network infrastructure, authentication, security testing, intrusion detection/prevention, incident response and recovery, attacks and countermeasures, cryptography, and malicious code countermeasures
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications addressing system security, network infrastructure, access control, cryptography, assessments and audits, organizational security, new attack vectors (emphasis on cloud computing technology, mobile platforms, and tablet computers), new vulnerabilities, existing threats to operating environments, network types, network media, switching fundamentals, TCP/IP, IP addressing and routing, WAN technologies, operating and configuring IOS devices, and managing network environments, risk management, categorization of information systems, selection and monitoring of security controls, security control implementation and assessment, and information system authorization
    • Recommended: Yes
    • Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, information risk management, information, security program development and management, information security incident management, change management/incident handling for managers, common attacks and malware, managing access control, security policy, disaster recovery and contingency planning, total cost of ownership, operational security, physical security and facility safety, privacy and web security, protecting intellectual property, network infrastructure, quality and growth of the security organization, cryptography, vulnerabilities, wireless security, network and endpoint security technologies, network protocols for managers, project management, managing the mission, integration
    Continuous Learning
    • Recommended: Yes
    • Examples: 40 hours annually (may include regular cybersecurity news alerts and industry newsletters, receiving mentoring, job shadowing)
    • Recommended: Yes
    • Examples: 40 hours annually (may include boot camps, tool-specific workshops)
    • Recommended: Yes
    • Examples: 40 hours annually (may include speaking at security conferences to share knowledge and learn from others, learning new and emerging tools)
    Education
    • Recommended: Not essential but may be beneficial
    • Example Types: Associate's, Bachelor's
    • Example Topics: Computer science or IT security (certificate in information systems security may substitute an associate's degree)
    • Recommended: Yes
    • Example Types: Bachelor's
    • Example Topics: Computer science or IT security (certifications in systems management, systems administration, system certification, and risk analysis may substitute for a bachelor's degree)
    • Recommended: Yes
    • Example Types: Master's, Ph.D.
    • Example Topics: Computer science or security (advanced certifications in systems management, systems administration, system certification, and risk analysis may substitute a graduate degree)
    Experiential Learning
    • Recommended: Yes
    • Examples: Experience in development and/or testing; supervised on-the-job training in information assurance
    • Recommended: Yes
    • Examples: Supervised on-the-job training in information assurance
    • Recommended: Yes
    • Examples: Advanced knowledge and implementation experience of the Software Development Lifecycle (SDLC); on-the-job experience in information assurance
    Training
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Essentials of cybersecurity, systems administration
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Network security vulnerability, information system security manager, advanced network analysis
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Information system security management