Federal Cyber Defense Skilling Academy – Cyber Defense Forensics Analyst (CDFA) Pathway
Learn the Skills of a Cyber Defense Forensics Analyst
CISA’s Federal Cyber Defense Skilling Academy provides full-time federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program. Those interested in developing foundational cybersecurity skills are encouraged to apply.
The Cyber Defense Forensics Analyst Session Is Now Closed
Continue to check back for future session dates!
The Federal Cyber Defense Skilling Academy - Cyber Defense Forensics Analyst (CDFA) Pathway
- What is the Cyber Defense Forensics Analyst Pathway?
The Skilling Academy’s Cyber Defense Forensics Analyst (CDFA) Pathway helps full-time federal employees develop their cyber defense skills through training in the baseline knowledge, skills, and abilities of a cyber defense forensics analyst.
Cyber defense forensics analysts analyze digital evidence and investigate computer security incidents to derive useful information in support of system and network vulnerability mitigation.
The CDFA Pathway provides students with the skills of a cybercrime investigator during the aftermath of a hack, data breach, or theft of a variety of digital storage devices. The role of a forensics analyst is multifaceted and encompasses a variety of responsibilities. Some of the topics students will be exposed to include the following:
- Recovering Breached, Modified, or Destroyed Data
- Recording and Cataloging Evidence Related to Computer Hacks
- Securing Digital Storage Devices
- Determining How a Hacker Gained Access to a Network
Through the CDFA Pathway, students will begin to develop the skills required to investigate and analyze digital evidence to identify, track, and mitigate cyber threats. It is important to note that these skills serve as a starting point, and additional practice and experience may be necessary for students to fully excel in this work role.
- Who Can Apply?
The Cyber Defense Forensics Analyst (CDFA) Pathway is designed to be an intermediate, fast-paced, three-month course. Applicants from all skill levels can apply; however, the Skilling Academy strongly encourages applicants to have prior exposure to cybersecurity concepts and practices before participating.
Prospective CDFA Pathway students may strongly benefit from a foundational understanding of the following:
- Basic Cybersecurity Analysis and Operations
- Systems Administration
- Information Security
- Basic Operating System (OS) Application
- Network Fundamentals and Operations
All full-time federal employees, in any job series and any grade or grade equivalent for non-General Schedule (GS) employees, are eligible to apply to CISA's Federal Cyber Defense Skilling Academy. Government contractors are not permitted to participate.
Each session has limited capacity. Applicants should commit to attend, participate, and complete the entire rigorous, three-month session.
Participants must register using a “.gov/.mil” email address.
Visit the National Initiative for Cybersecurity Careers and Studies (NICCS) website for comprehensive information on Digital Forensics.
- Participation Expectations
While in the Skilling Academy, students must abide by the requirements stated below, as agreed to in the Supervisor and Applicant Agreement and Approval Form. There are very limited exceptions to these requirements.
- The applicant is currently a full-time federal employee within the United States government.
- The Skilling Academy will be the student's sole focus for the 40-hour, full-time work week during the entire three-month duration of the course.
- Students will refrain from conducting activities associated with their regular duty assignment, including, but not limited to, meetings, calls, and work deliverables.
- Depending on agency requirements, accepted students may be required to complete an SF-182 to receive approval from their organization to attend the Skilling Academy. Applicants should discuss the requirements of the Skilling Academy with their supervisor to ensure session requirements can be fulfilled. Applicants are responsible for working with their supervisor to confirm compliance with their home agency’s policies, to include any necessary timekeeping to ensure salary payments from their home agency are not interrupted.
- During the Skilling Academy’s instruction periods, students will be required to be on camera and in business casual attire for every class.
- Due to the rigorous and fast-paced cadence of the course, the Skilling Academy strongly advises students against taking scheduled leave during the course. If a student accrues eight unexcused absences or does not finish 20% of the labs in the Skilling Academy, they will be marked as incomplete and will not graduate from the program. Students may, however, apply to future sessions.
- Sick leave and emergency personal leave are permitted; however, it is the student’s responsibility to make up any missed class content as soon as possible.
- To ensure students do not fall behind, missed instruction days and lab work must be made up by accessing class recordings and self-study materials. Class recordings are available for two weeks after each session.
- If a student fails to complete the required work assigned in the allotted class time, the student agrees to complete the required work as soon as possible.
- If a student decides to withdraw from the session after the start date, a formal withdrawal form signed by the student’s supervisor will be required.
- To fully participate in the Skilling Academy, students must have access to the following hardware and software requirements:
Minimum Configuration Requirements
- Personal or GFE laptop* or desktop computer with Windows 10 or newer
- Speakers or headset
- Camera
- Microphone
- Internet bandwidth: 10 Mbps
- CPU: 1.1 GHz, Dual Core
- RAM: 4.0 GB
- Browser: IE, Edge, Chrome, Firefox, Safari
- Apps: MS Teams
- Email: Access to federal government email account
*If you do not have a GFE laptop or desktop, you may be able to access your federal government email account and MS Teams account through another means. Contact your agency’s IT service desk for more information on accessing your federal email through non-GFE devices.
Recommended Configuration Requirements
- Internet bandwidth: 50+ Mbps
- CPU: 2.0 GHz, Quad Core or better
- RAM: 8.0+ GB
- Secondary monitor
- Sample Class Schedule
Below is a sample schedule of a typical day during the Skilling Academy. All students must join virtually Monday through Friday from 8 a.m. to 5 p.m. ET, excluding federal holidays. Students will not be able to maintain their alternative work schedule during the Skilling Academy. Students will return to their regular duty assignment during breaks unless the home agency has approved leave.
| Time | Event |
| --- | --- |
| 8:00 AM - 8:10 AM ET | Review daily agenda, answer any questions |
| 8:10 AM - 10:00 AM ET | Lectures |
| 10:00 AM - 12:00 PM ET | Lab time |
| 12:00 PM - 1:00 PM ET | Lunch break |
| 1:00 PM - 2:30 PM ET | Lectures |
| 2:30 PM - 4:50 PM ET | Lab time or self-study |
| 4:50 PM - 5:00 PM ET | Wrap up for the day |

*10-minute breaks will be given approximately every hour.
What Students Learn:
Cyber Defense Forensics Analyst Pathway (CDFA) coursework is mapped to the NICE Workforce Framework for Cybersecurity (NICE Framework) and provides valuable hands-on experience to practice CDFA skills in a lab environment. As an added incentive, students receive EC-Council’s Computer Hacking Forensic Investigator (C|HFI) training and a voucher to take the certification exam. The CDFA Pathway includes the following instructor-led modules:
- FOR101 – Introduction to Forensic Analysis
This module introduces students to digital forensics and all that it encompasses. It addresses both theoretical concepts and common terminology used in the field. Students discover various types of media that could have evidentiary value and how they can support investigative goals.
- FOR300 - Basic Digital Media Forensics
An optimal starting point for individuals looking to expand their forensic knowledge, this module outlines several ways to achieve forensic goals while ensuring all processes are completed in a forensically sound manner. Chain of custody and evidence handling are addressed, as well as what to do and what not to do when dealing with “live” evidence.
- FOR400 - Fundamentals of Network Forensics
This module expands on acquired networking knowledge and extends into the computer forensic mindset. Students learn about common devices used in computer networks and where useful data may reside. Students also learn how to collect that data for analysis using hacker methodology. Additionally, this module covers information related to common exploits involved in Windows server systems and common virus exploits. Students learn how to recognize exploit traffic and differentiate between attacks and poor network configuration.
- FOR410 - Mobile Device Forensics
This module introduces mobile devices and their value in forensic investigations. Students learn methods used to store data, as well as the areas of the mobile device where data is stored and how to access it. This module also discusses mobile device removable media and the role it plays with the mobile device. Students learn about network technology as well as three tools specifically designed for mobile device acquisition.
- FOR500 - Forensic Investigations and Evidence Handling
This module covers the investigative aspect of properly handling a variety of digital media. Students gain an understanding of how to implement chain of custody, how to properly process media so that it could be used in a court of law, and how to acquire data that will aid in forensic investigation. This module also focuses on data integrity and how to ensure that no data is altered during an investigation.
- MAL400 - Fundamentals of Malware Analysis
This module introduces students to theoretical knowledge and hands-on techniques for analyzing malware. Students learn how to identify and analyze software that causes harm to users, computers, and networks as part of an overall cyber defense and incident response plan. Understanding how malware works and what it was designed to do is crucial to thwarting future attacks.
- MAL500 - Reverse Engineering Malware
This module is an intermediate course that exposes students to the theoretical knowledge and hands-on techniques needed to analyze malware of greater complexity. Students learn to analyze malicious Windows programs, debug user-mode and kernel-mode malware with WinDbg, and identify common malware functionality, in addition to reversing covert and encoded malware.
- MAL600 - Advanced Malware Analysis
This module is an advanced course that exposes students to the theoretical knowledge and hands-on techniques needed to reverse engineer malware designed to thwart common reverse engineering techniques. Students learn how to identify and analyze the presence of advanced packers, polymorphic malware, encrypted malware, and malicious code that has been armored with cryptors, anti-debugging and anti-reverse engineering. Students discuss and identify emerging malware threats and how to best combat them.
- CYBRScore Final Assessment - Cyber Defense Forensics Analyst
The CYBRScore Cyber Defense Forensics Analyst assessments are designed to assess an individual’s knowledge, skills, and abilities related to analyzing digital evidence and investigating computer security incidents to derive useful information in support of system/network vulnerability mitigation.
- EC Council-CHFI (Computer Hacking Forensic Investigator) Course and Certification
This module provides students with a firm grasp of digital forensics, presenting a detailed and methodological approach to digital forensics and evidence analysis that also pivots around the dark web, internet of things (IoT), and cloud forensics. The tools and techniques covered in this program prepare the learner for conducting digital investigations using groundbreaking digital forensics technologies.
- Working Forensic Case Capture the Flag (CTF)
This CTF module allows students to take what they have learned of real-world scenarios and theoretical concepts to work a simulated forensic investigation from beginning to end. Students use investigative skills learned throughout the program to understand how to properly handle evidence, ensure data integrity, collect evidence in a forensically sound manner, and process data to reach a reasonable conclusion to complete the investigation. Students must provide a comprehensive report on their findings.
How To Apply
Apply for the Skilling Academy in two simple steps:
- Complete the application package - The application package consists of a Federal Resume, a Statement of Interest, and a Supervisor and Applicant Agreement Form.
- Submit the completed application package - Submit your application package through your federal government email address.
Please review the FAQs before applying.
Frequently Asked Questions
Have questions? Learn everything you need to know and more about the Federal Cyber Defense Skilling Academy by reading the FAQs below.
Contact Us
Need more information?
Contact the Skilling Academy Team by emailing SkillingAcademy@cisa.dhs.gov. Emails are typically responded to within three business days.
Federal Cyber Defense Skilling Academy Privacy Act Statement
Authority: 5 U.S.C. § 301, 44 U.S.C. § 3101, and 6 U.S.C. § 652(c)(11) authorize the collection of this information.
Purpose: The information gathered will be used to establish the federal applicant's eligibility for the Federal Cyber Defense Skilling Academy, and if selected to participate in the program, create a Cyberworld Institute (CWI) and COMTECH Corp. account, contact students about opportunities for cyber security training, and provide information about the classes offered by the Skilling Academy.
Routine Uses: Information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/ALL-003 Department of Homeland Security General Training Records, November 25, 2008, 73 FR 71656 and DHS/ALL-004 General Information Technology Access Account Records System (GITAARS), November 27, 2012, 77 FR 70792. If accepted into the program, names and email addresses will be disclosed to Cyberworld Institute (CWI) and COMTECH Corp. to allow access to the learning content.
Disclosure: Providing this information is voluntary. However, failure to provide this information may prevent CISA from deciding applicant eligibility, creating a Cyberworld Institute (CWI) and COMTECH Corp. account if selected to participate in the program and contacting you in the event there are queries about your request or registration.