ID
13-509-1250
Name
Cyber Incident Responder
Status
Published
Version
1.3
Updated
12/2/2019 4:31:34 PM
Original Release
11/07/2017
Last Major Release
12/02/2019
NQS Position
Resource Category
Cybersecurity
Primary Core Capability
Cybersecurity
Secondary Core Capability
 
Resource Kind
Personnel
Overall Function
The Cyber Incident Responder mitigates, prepares for, responds to, and recovers systems from cyber threats
Single resource
In conjunction with a NIMS typed team
NIMS Typed Team
Cyber Incident Response Team
In conjunction with a NIMS typed unit
NIMS Typed Unit
 
Description Notes
Not Specified
Supporting Core Capabilities
None
Types
Type Description
Type 1: The NIMS Type 1 Cyber Incident Responder:
1. Serves as the team leader on the Cyber Incident Response Team
2. Responds to crisis or urgent situations aimed at mitigating, preparing for, responding to, and recovering systems from cyber threats
3. Completes cyber incident response reports during and after deployments
Type 2: The National Incident Management System (NIMS) Type 2 Cyber Incident Responder:
1. Works under the technical direction of a NIMS Type 1 Cyber Incident Responder aimed at mitigating, preparing for, responding to, and recovering systems from cyber threats
2. Responds by completing actions that are crucial to prevent loss of life, preserve property, and secure information while investigating and analyzing all relevant response activities
3. Supports the NIMS Type 1 Cyber Incident Responder by preparing reports during and after deployments, which include all actions taken to properly document a cyber incident during the operation
Components
Component Notes  
Education: Not Specified
Component Types
Type Criteria
Type 1: Not Specified
Type 2: Not Specified
Training: Any use of the term "forensics" is descriptive of a skill or capability and does not imply a law enforcement role.
Component Types
Type Criteria
Type 1: Same as Type 2
Type 2: Completion of the following:
1. IS-100: Introduction to Incident Command System, ICS-100
2. IS-200: Basic Incident Command System for Initial Response, ICS-200
3. IS-700: National Incident Management System, An Introduction
4. IS-800: National Response Framework, An Introduction
5. IS-860: National Infrastructure Protection Plan, An Introduction
6. Agency Having Jurisdiction (AHJ)-determined cyber forensics training
Experience: The knowledge, skills, and abilities align with the National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework.
Component Types
Type Criteria
Type 1: Same as Type 2, PLUS:
Knowledge, Skills, and Abilities:
1. Writing technical reports that describe the exploited vulnerability, the applied security control(s) to correct the immediate problem, and any recommended additional controls or changes in process or policy
2. Writing executive-level reports and presentations that communicate to senior leaders the cause of the exploited vulnerability, the applied security control(s) to correct the immediate problem, and any recommended additional controls or changes in process or policy
AHJ-documented and validated experience demonstrated in the following areas:
1. Coordinating with and providing expert technical support to enterprise-wide computer network defense (CND) specialists to resolve CND incidents
2. Performing command and control functions in response to incidents
3. Identifying and assessing the capabilities and activities of cyber criminals or foreign intelligence entities
Type 2: AHJ-documented and validated knowledge, skills, and abilities demonstrated in the following areas:
1. Data backup, types of backups, and recovery concepts and tools
2. How network services and protocols interact to provide network communications
3. Evidence recovery techniques and the use of the corresponding industry tools
4. Log data analytics and the use of the corresponding industry tools
5. Incident categories, incident responses, and timelines for responses
6. Cyber incident response and handling methodologies
7. Intrusion detection methodologies and techniques for detecting host- and network-based intrusions
8. Network protocols and directory services
9. Network traffic analysis methods
10. Packet-level analysis
11. System and application security, and network attacks as related to threats and vulnerabilities
12. Cybersecurity event correlation tools
13. Computer network defense (CND) policies, procedures, and regulations
14. Different classes of cyber attacks
15. Different operational cyber threat environments
16. Malware analysis and handling, and network protection against malware
17. Basic system administration, network, and operating system hardening techniques
18. General cyber-attack stages
19. Attack source profiling techniques
20. Network security architecture concepts, including topology, protocols, components, and principles
21. Preserving evidence integrity according to standard operating procedures or national standards
22. Securing network communications
23. Recognizing and categorizing types of vulnerabilities and associated attacks
24. Performing damage assessments
25. Writing technical reports about exploitation and mitigation
AHJ-documented and validated experience demonstrated in the following areas:
1. Evidence recovery techniques and the use of the corresponding industry tools
2. Correlating incident data to identify specific vulnerabilities
3. Determining attack attribution and electronic data collection
4. Monitoring external data sources to maintain currency of the CND threat condition and determine which security issues may have an impact on the enterprise
5. Performing analysis of log files from a variety of sources to identify possible threats to network security
6. Performing CND incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation
7. Performing initial, forensically sound collection of images, logs, and other critical components in order to discern possible mitigation/remediation on enterprise systems
8. Performing real-time CND incident handling tasks as a member of or in support of deployable Incident Response Teams (IRT)
9. Receiving and analyzing network alerts from various sources within the enterprise and determining possible causes of such alerts
10. Tracking and documenting CND incidents from initial detection through final resolution
11. Analyzing collected information to identify vulnerabilities and potential for exploitation
12. Identifying weak wireless access points
Physical/Medical Fitness: The NIMS Guideline for the National Qualification System (NQS) defines Physical/Medical Fitness levels for NIMS positions.
Component Types
Type Criteria
Type 1: Same as Type 2
Type 2: Light
Currency: Provider must carry out and use any background checks as applicable law specifies. This may include a background check completed within the past 12 months; a sex-offender registry check; and a local, state, and national criminal history check.
Component Types
Type Criteria
Type 1: Same as Type 2
Type 2:
1. Functions in this position during an operational incident, planned event, exercise, drill, or simulation at least once every year
2. Background checks as applicable law permits and requires
Professional and Technical Licenses and Certifications: Not Specified
Component Types
Type Criteria
Type 1: Same as Type 2, PLUS:
1. Compliance in one of the following:
a. Certified Digital Forensic Examiner (CDFE)
b. Certified Computer Crime Investigator (CCCI)
2. Information Assurance Certification
3. Certified Incident Handler
Type 2:
1. Technical qualifications equivalent to Department of Defense Directive (DoDD) 8570 Level 2 (Technical) and compliance in Certified Digital Media Collector (CDMC)
2. Certification in Cyber Forensics
Composition and Ordering Specifications
Specification
Discuss logistics for deploying this position, such as working conditions, length of deployment, security, lodging, transportation, and meals, prior to deployment
Notes
References
Reference
FEMA, NIMS 508: Cyber Incident Response Team
FEMA, National Incident Management System (NIMS), October 2017
FEMA, NIMS Guideline for NQS, November 2017
FEMA, National Response Framework, June 2016
U.S. Department of Homeland Security, National Initiative for Cybersecurity Education, National Cybersecurity Workforce Framework, v.2, May 2014
Department of Defense Directive (DoDD) 8570 and Global Information Assurance Certification (GIAC), January 2014
Published Versions
Version Publish Date Document Type
1.3 12/2/2019 4:31:34 PM PDF
1.2 11/28/2018 5:33:59 PM PDF
1.1 9/28/2018 5:15:04 PM PDF
1.0 11/7/2017 3:50:08 PM PDF