Computer Network Defense Analyst
12/2/2019 4:20:22 PM
Resource Category
Primary Core Capability
Secondary Core Capability
Resource Kind
Overall Function
The Computer Network Defense Analyst protects information, information systems, and networks from threats
Single resource
In conjunction with a NIMS typed team
NIMS Typed Team
Cyber Incident Response Team
In conjunction with a NIMS typed unit
NIMS Typed Unit
Description Notes
Not Specified
Supporting Core Capabilities
Type Description
Type 1: The Computer Network Defense (CND) Analyst:
1. Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or may possibly occur within the network
2. Protects information, information systems, and networks from threats
Component Notes  
Education: Not Specified
Component Types
Type Criteria
Type 1: Not Specified
Training: Not Specified
Component Types
Type Criteria
Type 1: Completion of the following:
1. IS-100: Introduction to Incident Command System, ICS-100
2. IS-200: Basic Incident Command System for Initial Response, ICS-200
3. IS-700: National Incident Management System, An Introduction
4. IS-800: National Response Framework, An Introduction
5. Computer defense in prevention, detection, and response training as the Agency Having Jurisdiction (AHJ) determines
Experience: The knowledge, skills, and abilities align with the National Initiative for Cyber Education (NICE), National Cybersecurity Workforce Framework.
Component Types
Type Criteria
Type 1: AHJ-validated knowledge, skills, and abilities demonstrated in the following areas:
1. CND in-depth principles
2. CND and vulnerability assessment tools, including open source tools, and their capabilities
3. Encryption
4. Data backup, types of backups, and recovery concepts and tools
5. Host and network access controls
6. Intrusion Detection System (IDS) tools and applications
7. Incident response and handling methodologies
8. Information assurance (IA) principles and organizational needs that are relevant to confidentiality, integrity, availability, authentication, and non-repudiation
9. Intrusion detection methodologies and techniques for detecting host- and network-based intrusions via intrusion detection technologies
10. Network protocols
11. Network traffic analysis methods
12. New and emerging information technology (IT) and information security technologies
13. Traffic flow patterns across the network
14. Penetration testing principles, tools, and techniques
15. Policy-based and risk adaptive access controls
16. Programming language structures and logic for current production platforms
17. System and application security threats and vulnerabilities
18. Security management
19. Content development
20. CND service provider reporting structure and processes
21. Virtual Private Network (VPN) security
22. Network attack and the relationship to both threats and vulnerabilities
23. Common adversary tactics, techniques, and procedures (TTP) in assigned area of responsibility
24. Common network tools
25. Defense-in-depth principles and network security architecture
26. Different types of network communication
27. File extensions
28. Common operating systems command lines
29. Collection management processes, capabilities, and limitations
30. Front-end collection systems, including network traffic collection, filtering, and selection
31. CND policies, procedures, and regulation
32. Common cyber-attack vectors on the network layer
33. Different classes of cyber attacks
34. Different operational threat environments
35. Troubleshooting basic systems and identifying operating systems-related issues
36. Basic system administration, network, and operating system hardening techniques
37. Applicable laws relevant to work performed
38. General cyber-attack stages
39. Network security architecture concepts, including topology, protocols, components, and principles
40. Encryption methodologies
41. Signature implementation impact for viruses, malware, and attacks
42. Operating system ports and services
43. Various IDS technologies such as host-based network passive IDS, network active IDS, unified threat management, and web application firewalls
44. Network firewalls and firewalling techniques
45. Reading and interpreting signatures for viruses, malware, and attacks
46. Utilizing virtual networks for testing
47. Identifying common encoding techniques
48. Reading hexadecimal data
49. Data reduction
50. Configuring and utilizing network protection components
51. Using network analysis tools to identify vulnerabilities
52. Recognizing and categorizing types of vulnerabilities and associated attack
53. Collecting data from a variety of CND resources
54. Sub-netting tools
55. Protocol analyzers
56. Incident handling methodologies
57. Performing packet-level analysis using appropriate tools
58. Network mapping and recreating network topologies
59. Detecting host and network-based intrusions via intrusion detection technologies
60. Developing and deploying signatures
61. Conducting open source research for troubleshooting novel client-level problems
62. Conducting vulnerability scans and recognizing vulnerabilities in security systems
63. Interpreting and incorporating data from multiple tool sources
64. Integrating and managing network firewall technologies
65. Integrating and managing other computer defense tools and techniques, including intrusion detection, prevention, data loss prevention, white and blacklisting, correlation, and alerting
66. Integrating the collection of network and other sensor logs for use with log analysis tools

AHJ-documented and validated experience demonstrated in the following areas:
1. Developing content for CND tools
2. Characterizing and analyzing network traffic to identify anomalous activity and potential threats to network resources
3. Coordinating with enterprise-wide CND staff to validate network alerts
4. Monitoring external data sources to maintain currency of CND threat condition and determine which security issues may have an impact on the enterprise
5. Documenting and escalating incidents that may cause ongoing and immediate impact to the environment
6. Performing CND trend analysis and reporting
7. Performing event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack
8. Providing daily summary reports of network events and activity relevant to CND practices
9. Receiving and analyzing network alerts from various sources within the enterprise and determining possible causes of such alerts
10. Providing timely detection, identification, and alerts of possible attacks and intrusions, anomalous activities, and misuse activities, and distinguishing these incidents and events from benign activities
11. Using CND tools for continual monitoring and analysis of system activity to identify malicious activity
12. Analyzing identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information
13. Employing approved defense-in-depth principles and practices
14. Determining appropriate course of action in response to identified and analyzed anomalous network activity conducting tests of IA safeguards in accordance with established test plans and procedures
15. Determining TTP for intrusion sets
16. Examining network topologies to understand data flows through the network
17. Recommending computing environment vulnerability corrections
18. Identifying and analyzing anomalies in network traffic using metadata
19. Conducting research, analysis, and correlation across a wide variety of all source data sets
20. Validating IDS alerts against network traffic using packet analysis tools
21. Triaging malware
22. Identifying applications and operating systems of a network device based on network traffic
23. Reconstructing a malicious attack or activity based on network traffic
24. Identifying network mapping and operating system fingerprinting activities
Physical/Medical Fitness: The NIMS Guideline for the National Qualification System (NQS) defines Physical/Medical Fitness levels for NIMS positions.
Component Types
Type Criteria
Type 1: Light
Currency: Provider must carry out and use any background checks as applicable law specifies. This may include a background check completed within the past 12 months; sex-offender registry check; and a local, state, and national criminal history.
Component Types
Type Criteria
Type 1:
1. Functions in this position during an operational incident, planned event, exercise, drill, or simulation at least once every year
2. Background checks as applicable law permits and requires
3. Active security clearance
Professional and Technical Licenses and Certifications: Not Specified
Component Types
Type Criteria
Type 1:
1. Technical qualifications equivalent to Department of Defense Directive (DoDD) 8570 Level 2
2. Information Assurance Certification
3. Intrusion Analyst Certification
4. Computer Network Defense
Composition and Ordering Specifications
Discuss logistics for deploying this position, such as working conditions, length of deployment, security, lodging, transportation, and meals, prior to deployment
FEMA, NIMS 508: Cyber Incident Response Team
FEMA, National Incident Management System (NIMS), October 2017
FEMA, NIMS Guideline for NQS, November 2017
FEMA, National Response Framework, June 2016
National Initiative for Cybersecurity Education, National Cybersecurity Workforce Framework, v.2, May 2014
Department of Defense Directive (DoDD), 8570 and Global Information Assurance Certification (GIAC), January 2014