Security Program Management (CISO) Specialty Area Qualification Matrix *

Specialty Area Framework Category: Oversight & Development

Specialty Areas responsible for providing leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.

Security Program Management (CISO) Description

Oversees and manages information security program implementation within the organization or other area of responsibility. Manages strategy, personnel, infrastructure, policy enforcement, emergency planning, security awareness, and/or other resources.

Example Job/Billet Titles

  • Chief Information Security Officer (CISO)
  • Common Control Provider
  • Cybersecurity Officer
  • Enterprise Security Officer
  • Facility Security Officer
  • Information Technology (IT) Director
  • Principal Security Architect
  • Risk Executive
  • Security Domain Specialist
  • Senior Agency Information Security (SAIS) Officer

Master Tasks and KSAs

Detailed information on the Tasks and Knowledge, Skills and Abilities (KSAs) associated with each Navy Specialty Area can be found in the Master Task & KSA List spreadsheet on the NAVIFOR website (requires credentials/CAC to access).

Initial Training

Initial training qualification for a specialty area is generally met by a High School diploma or equivalent and completion of Navy "A" school (for Navy enlisted).

Minimum Credential Requirement

You must meet one of the education, training, or certification requirements in the Qualifications Table below. See “Understanding Qualifications” on the Qualifications Table for more information on the order of precedence for the minimum credential requirement.

Qualifying Degrees

The Qualifications Table below includes college degrees in the Education section (for example, "Bachelor degree from accredited University"). The degree programs acceptable for this Specialty Area are published in the List of Qualifying Degrees referenced from the Qualifications Table.

Qualifications Table

Education
  Entry/Apprentice: Associate Degree from accredited University
  Intermediate/Journeyman: Bachelor Degree from accredited University
  Advanced/Master: Graduate Degree from accredited University

Training
  Entry/Apprentice: CNSSI 4011 - Information Systems Security (INFOSEC) Professionals
  Intermediate/Journeyman: CNSSI 4012 - Senior Systems Managers / 4013 - System Administrators / 4014 - Information Systems Security Officers (ISSO) / 4015 - Systems Certifiers / 4016 - Risk Analysts; NDU CISO certificate - Chief Information Security Officer (CISO)
  Advanced/Master: CNSSI 4012 - Senior Systems Managers / 4013 - System Administrators / 4014 - Information Systems Security Officers (ISSO) / 4015 - Systems Certifiers / 4016 - Risk Analysts; NDU CIO certificate - Chief Information Officer (CIO)

OR

AQD / NEC
  Entry/Apprentice: AQD GA7 - Information Dominance Warfare - Information Assurance Officer
  Intermediate/Journeyman: AQD GA7 - Information Dominance Warfare - Information Assurance Officer; NEC 742A - Network Security Vulnerability Technician
  Advanced/Master: AQD GA8 - Information Dominance Warfare - Chief Information Officer; NEC 741A - Information System Security Manager

OR

AND

NAVEDTRA 43469 Watchstation
  Entry/Apprentice: W/O privileged access - Watchstation 304 - Information Assurance Manager; With privileged access - Watchstation 301 - Information Assurance Technician Level I
  Intermediate/Journeyman: W/O privileged access - Watchstation 304 - Information Assurance Manager; With privileged access - Watchstation 302 - Information Assurance Technician Level II
  Advanced/Master: W/O privileged access - Watchstation 304 - Information Assurance Manager; With privileged access - Watchstation 303 - Information Assurance Technician Level III

*If you have recommendations for degrees, qualifications, NECs or credentials for this matrix, direct them to NAVIFOR. Questions and recommendations regarding the Cyber IT/CSWF model, matrix, policies, implementation guidelines, and compliance should be directed to: Navy_CSWF_Program_Helpline@navy.mil

This is an official U.S. Navy website. Updated: March 16, 2020

Entry / Apprentice

Basic understanding of computer systems and related cybersecurity software and hardware components.

  1. 1-3 years' experience (recommended)
  2. Enlisted E-1 through E-4
  3. Officer O-1 through O-2
  4. Civilian Grades 5, 7, and 9

Intermediate / Journeyman

Working knowledge and application of IS and Security operational characteristics for a variety of computer platforms, networks, software applications, and OSs.

  1. 4-6 years' experience (recommended)
  2. Enlisted E-5 through E-6
  3. Officer O-3 through O-4
  4. Civilian Grades 9, 11, 12

Advanced / Master

Advanced application and mastery of IS, plans, and functions, and is responsible for the management of complex projects, and initiatives with large scope.

  1. 7+ years' experience (recommended)
  2. Enlisted E-7 through E-9
  3. Officer O-5 through O-6/W-1 through W-5
  4. Civilian Grades 13 and above

CompTIA A+ ce

The CompTIA A+ ce certification demonstrates competency as a computer support technician. The A+ ce certification is appropriate for entry-level technicians who perform tasks such as installation, configuration, diagnosing, preventive maintenance and basic networking. Security, safety and environmental issues, and communication and professionalism are also covered. It is recommended, although not required, that candidates have nine to twelve months of related hands-on experience as an IT professional.

CompTIA Network+ ce

Network+ ce is an intermediate skill level certification for IT technicians who can describe the features and functions of networking components and manage, maintain, troubleshoot, install, operate and configure basic network infrastructure. In addition, certification holders have a basic understanding of enterprise technologies, including cloud and virtualization technologies. Network+ ce is appropriate for computer network technicians, engineers, analysts and administrators. Although not a prerequisite, it is recommended that CompTIA Network+ ce candidates have at least nine months of experience in network support or administration or academic training, along with a CompTIA A+ ce certification.

Cisco Certified Network Associate (CCNA) Routing and Switching

Cisco Systems, Inc., Cisco Certified Network Associate (CCNA) Routing and Switching is an entry-level certification for network engineers that validates the ability to install, configure, operate, and troubleshoot medium-size routed and switched networks. The CCNA Routing and Switching certification is appropriate for Network Specialists, Network Administrators, and Network Support Engineers with a recommended 1-3 years of experience. There are no experience or education requirements that must be met prior to taking the exam(s). Candidates must pass the CCNA accelerated exam or the ICND1 and ICND2 exams to achieve this certification.

Important note:  As of February 24, 2020, the CCNA Routing and Switching certification is no longer available.  It has been replaced by a new, consolidated CCNA exam and a restructured CCNA program. Please see the Cisco website for additional information.

Certified Information Systems Security Professional (CISSP)

The International Information Systems Security Certification Consortium, Inc. ((ISC)²), Certified Information Systems Security Professional (CISSP) is an advanced skill level certification for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles. Candidates must have a minimum of five years of cumulative paid work experience in two or more of the eight domains of the CISSP CBK. Earning a four-year college degree or regional equivalent, or an additional credential from the (ISC)² approved list, will satisfy one year of the required experience; education credit satisfies at most one year of experience.

Systems Security Certified Practitioner (SSCP)

The International Information Systems Security Certification Consortium, Inc. ((ISC)²), Systems Security Certified Practitioner (SSCP) is an intermediate skill level certification for individuals involved in network and systems security administration who are responsible for developing the information security policies, standards, and procedures. Candidates manage implementation across various hardware and software programs in their organization. The SSCP is targeted toward those working toward positions such as Network Security Engineer, Security Systems Analyst, or Security Administrator. It is also appropriate for personnel in other non-security disciplines that require an understanding of security but do not have information security as a primary part of their job description, including information systems auditors; application programmers; system, network and database administrators; business unit representatives; and systems analysts. Candidates must have at least one year of paid work experience in one or more of the seven domains of the SSCP Common Body of Knowledge (CBK).

CompTIA Security+ ce

The CompTIA Security+ ce certification designates knowledgeable professionals in the field of IT security. Security+ ce is an entry-level certification that demonstrates a candidate has the knowledge and skills required to install and configure systems to secure applications, networks, and devices; perform threat analysis and respond with appropriate mitigation techniques; participate in risk mitigation activities; and operate with an awareness of applicable policies, laws, and regulations. The successful candidate will perform these tasks to support the principles of confidentiality, integrity, and availability. It is recommended that candidates hold the Network+ and two years of experience in IT administration with a security focus.

GIAC Security Leadership Certification (GSLC)

The Global Information Assurance Certification (GIAC), GIAC Security Leadership Certification (GSLC) is an advanced skill level certification for information security managers and security professionals with leadership responsibilities. The GSLC validates a practitioner's understanding of governance and technical controls focused on protecting, detecting, and responding to security issues. GSLC holders have demonstrated knowledge of data, network, host, application, and user controls along with key management topics that address the overall security lifecycle. There are no prerequisites for the GSLC certification. Candidates must pass a written exam.

Certified Information Security Manager (CISM)

The Certified Information Security Manager (CISM) is an advanced certification for the individual who designs, builds, and manages an enterprise's information security. CISM treats information risk management as the basis of information security. It also covers broader issues such as how to govern information security, as well as practical issues such as developing and managing an information security program and managing incidents. This certification is targeted toward experienced information security managers and those who have information security management responsibilities. Five or more years of information security work experience, with a minimum of three years of information security management work experience, is required.

Certified Authorization Professional (CAP)

The International Information Systems Security Certification Consortium, Inc. ((ISC)²), Certified Authorization Professional (CAP) is ideal for IT, information security and information assurance practitioners and contractors seeking to prove their understanding of the RMF. It is evidence that candidates have the advanced knowledge and technical ability to formalize processes to assess risk and establish security documentation. Candidates must pass a written exam and have at least two years of cumulative, paid work experience in one or more of the seven domains of the (ISC)² CAP Common Body of Knowledge (CBK).

CompTIA Advanced Security Practitioner (CASP) ce

The CompTIA Advanced Security Practitioner (CASP) ce certification is targeted at individuals with advanced-level security skills and knowledge. The CASP ce exam is designed to verify an applicant's knowledge and skill in the areas of enterprise security, risk management, research and analysis, and the integration of computing, communications, and business disciplines. Although there are no required prerequisites, the CASP ce certification is intended to follow the CompTIA Security+ ce certification as the next step in security certifications. A minimum of 10 years of experience in IT administration, with at least 5 years of hands-on technical security experience, is recommended.

Certified Chief Information Security Officer (CCISO)

The International Council of Electronic Commerce Consultants (EC-Council), Certified Chief Information Security Officer (CCISO) certification is aimed at producing top-level information security executives. The CCISO focuses on the application of information security management principles from an executive management point of view. Candidates must meet the CCISO requirements detailed on EC-Council's site. Candidates who do not yet meet the CCISO requirements but are interested in information security management can pursue the EC-Council Information Security Management (EISM) certification. Candidates must pass a written exam.