CISA Authorizing Official

This is a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).

Personnel performing this role may unofficially or alternatively be called:

  • Certifying Official
  • Compliance Manager
  • Designated Accrediting Authority
  • Information Assurance (IA) Officer

Category: Protect and Defend
Specialty Area: Risk Management


Core Tasks

  • Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network. (T0145)
  • Establish acceptable limits for the software application, network, or system. (T0221)
  • Manage Accreditation Packages (e.g., ISO/IEC 15026-2). (T0371)
  • Manage and approve Accreditation Packages (e.g., ISO/IEC 15026-2). (T0495)

Core Competencies

  • Data Privacy and Protection
  • Information Assurance
  • Information Systems/Network Security
  • Legal, Government, and Jurisprudence
  • Risk Management

Core Knowledge, Skills, Abilities (KSAs)

  • Knowledge of Personally Identifiable Information (PII) data security standards. (K0260)
  • Knowledge of organization's enterprise information security architecture. (K0027)
  • Knowledge of Security Assessment and Authorization process. (K0037)
  • Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data. (K0038)
  • Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). (K0044)
  • Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. (K0054)
  • Knowledge of confidentiality, integrity, and availability principles. (K0295)
  • Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). (K0179)
  • Skill in discerning the protection needs (i.e., security controls) of information systems and networks. (S0034)
  • Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures. (K0267)
  • Knowledge of Risk Management Framework (RMF) requirements. (K0048)
  • Knowledge of structured analysis principles and methods. (K0084)
  • Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. (K0169)
  • Knowledge of new and emerging information technology (IT) and cybersecurity technologies. (K0059)


How to Apply

To apply for this work role, submit an application to one or more of CISA's vacancy announcements. Please ensure your resume has been updated to reflect your demonstrated experience performing the above tasks and describe your exposure to the listed competencies.

  1. Assign the appropriate Task ID and/or Core KSA ID to each experience statement in your resume. Task and KSA IDs are listed in parenthesis at the end of each bullet above.
  2. You must also include demonstrated experience on the four required competencies:
  • Attention to Detail
  • Customer Service
  • Oral Communication
  • Problem Solving

Was this webpage helpful?  Yes  |  Somewhat  |  No