IASAE Level II

Attribute

Level

Experience

Usually has at least 5 years of IASAE experience.

System Environment

NE IASAE.

Knowledge

Applies knowledge of IA policy, procedures, and workforce structure to design, develop, and implement a secure NE.

Supervision

• For IA issues, typically reports to an IASAE Level III, IAM, or DAA.

• May report to other senior IASAE for network operational requirements.

Other

• Relies on experience and judgment to plan and accomplish goals.

• LN opportunities are extremely limited and must meet requirements of Table E3.T1. of DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003.

IA Certification

Within 6 months of assignment to position.

IASAE-II.1. Identify information protection needs for the NE.

IASAE-II.2. Define NE security requirements in accordance with applicable IA requirements (e.g., DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999 and organizational security policies).

IASAE-II.3. Provide system related input on IA security requirements to be included in statements of work and other appropriate procurement documents.

IASAE-II.4. Design security architectures for use within the NE.

IASAE-II.5. Design and develop IA or IA-enabled products for use within a NE.

IASAE-II.6. Integrate and/or implement CDS for use within a Computing Environment (CE) or NE.

IASAE-II.7. Develop and implement security designs for new or existing network system(s). Ensure that the design of hardware, operating systems, and software applications adequately address IA security requirements for the NE.

IASAE-II.8. Design, develop, and implement network security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.

IASAE-II.9. Design, develop, and implement specific IA countermeasures for the NE.

IASAE-II.10. Develop interface specifications for the NE.

IASAE-II.11. Develop approaches to mitigate NE vulnerabilities and recommend changes to network or network system components as needed.

IASAE-II.12. Ensure that network system(s) designs support the incorporation of DoD-directed IA vulnerability solutions, e.g., IAVAs.

IASAE-II.14. Develop IA architectures and designs for systems processing SCI that will operate at Protection Level 1 or 2 as defined in Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999.

IASAE-II.15. Assess threats to and vulnerabilities of the NE.

IASAE-II.16. Identify, assess, and recommend IA or IA-enabled products for use within an NE; ensure recommended products are in compliance with the DoD evaluation and validation requirements of DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and DoD Directive 8500.1, “Information Assurance (IA),” October 24, 2002.

IASAE-II.17. Ensure that the implementation of security designs properly mitigate identified threats.

IASAE-II.18. Assess the effectiveness of information protection measures used by the NE.

IASAE-II.19. Evaluate security architectures and designs and provide input as to the adequacy of security designs and architectures proposed or provided in response to requirements contained in acquisition documents.

IASAE-II.20. Ensure security deficiencies identified during security/certification testing have been mitigated, corrected, or a risk acceptance has been obtained by the appropriate DAA or authorized representative.

IASAE-II.21. Provide input to IA C&A process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).

IASAE-II.22. Participate in an IS risk assessment during the C&A process and design security countermeasures to mitigate identified risks.

IASAE-II.23. Provide engineering support to security/certification test and evaluation activities.

IASAE-II.24. Document system security design features and provide input to implementation plans and standard operating procedures.

IASAE-II.25. Recognize a possible security violation and take appropriate action to report the incident.

IASAE-II.26. Implement and/or integrate security measures for use in network system(s) and ensure that system designs incorporate security configuration guidelines.

IASAE-II.27. Ensure the implementation of NE IA policies into system architectures.

IASAE-II.28. Ensure the implementation of subordinate CE IA policies is integrated into the NE system architecture.

IASAE-II.29. Obtain and maintain IA certification appropriate to position.

IASAE Level II

Attribute

Level

Experience

Usually has at least 5 years of IASAE experience.

System Environment

NE IASAE.

Knowledge

Applies knowledge of IA policy, procedures, and workforce structure to design, develop, and implement a secure NE.

Supervision

• For IA issues, typically reports to an IASAE Level III, IAM, or DAA.

• May report to other senior IASAE for network operational requirements.

Other

• Relies on experience and judgment to plan and accomplish goals.

• LN opportunities are extremely limited and must meet requirements of Table E3.T1. of DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003.

IA Certification

Within 6 months of assignment to position.

IASAE-II.1. Identify information protection needs for the NE.

IASAE-II.2. Define NE security requirements in accordance with applicable IA requirements (e.g., DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999 and organizational security policies).

IASAE-II.3. Provide system related input on IA security requirements to be included in statements of work and other appropriate procurement documents.

IASAE-II.4. Design security architectures for use within the NE.

IASAE-II.5. Design and develop IA or IA-enabled products for use within a NE.

IASAE-II.6. Integrate and/or implement CDS for use within a Computing Environment (CE) or NE.

IASAE-II.7. Develop and implement security designs for new or existing network system(s). Ensure that the design of hardware, operating systems, and software applications adequately address IA security requirements for the NE.

IASAE-II.8. Design, develop, and implement network security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.

IASAE-II.9. Design, develop, and implement specific IA countermeasures for the NE.

IASAE-II.10. Develop interface specifications for the NE.

IASAE-II.11. Develop approaches to mitigate NE vulnerabilities and recommend changes to network or network system components as needed.

IASAE-II.12. Ensure that network system(s) designs support the incorporation of DoD-directed IA vulnerability solutions, e.g., IAVAs.

IASAE-II.14. Develop IA architectures and designs for systems processing SCI that will operate at Protection Level 1 or 2 as defined in Director of Central Intelligence Directive 6/3, “Protecting Sensitive Compartmented Information within Information Systems”, June 5, 1999.

IASAE-II.15. Assess threats to and vulnerabilities of the NE.

IASAE-II.16. Identify, assess, and recommend IA or IA-enabled products for use within an NE; ensure recommended products are in compliance with the DoD evaluation and validation requirements of DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 and DoD Directive 8500.1, “Information Assurance (IA),” October 24, 2002.

IASAE-II.17. Ensure that the implementation of security designs properly mitigate identified threats.

IASAE-II.18. Assess the effectiveness of information protection measures used by the NE.

IASAE-II.19. Evaluate security architectures and designs and provide input as to the adequacy of security designs and architectures proposed or provided in response to requirements contained in acquisition documents.

IASAE-II.20. Ensure security deficiencies identified during security/certification testing have been mitigated, corrected, or a risk acceptance has been obtained by the appropriate DAA or authorized representative.

IASAE-II.21. Provide input to IA C&A process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).

IASAE-II.22. Participate in an IS risk assessment during the C&A process and design security countermeasures to mitigate identified risks.

IASAE-II.23. Provide engineering support to security/certification test and evaluation activities.

IASAE-II.24. Document system security design features and provide input to implementation plans and standard operating procedures.

IASAE-II.25. Recognize a possible security violation and take appropriate action to report the incident.

IASAE-II.26. Implement and/or integrate security measures for use in network system(s) and ensure that system designs incorporate security configuration guidelines.

IASAE-II.27. Ensure the implementation of NE IA policies into system architectures.

IASAE-II.28. Ensure the implementation of subordinate CE IA policies is integrated into the NE system architecture.

IASAE-II.29. Obtain and maintain IA certification appropriate to position.