Document ID CERG-GOV-JD-ADJUNCT-001
Version 1.0
Status Approved
Classification Public
Owner Governance Pillar Leader
Parent Policy CERG-POL-001 - Cybersecurity Policy
Review Cycle Annual
Frameworks NIST SP 800-181r1 (NICE)
Regulations Cross-cutting
Environments All CERG-managed workforce

Incident Commander

Job Family: JF-ADJUNCT — Incident Response & Investigation
Job Level Range: L1-L4 (CERG Grade S2-S4/M4)
CERG Canonical Role: Incident Commander (CERG-GOV-OM-001 §6.1)

1. Role Summary

ADJACENT ROLE — Not a CERG position. This role belongs to the standing Incident Response team, not to CERG. Per OM-001 §3.4, Incident Commander and Lead Investigator are IR team roles included in CERG documentation for cross-functional clarity only. CERG provides a liaison to the IR team.

Role Summary (CERG-facing): Single-decision authority during an active incident. The Incident Commander owns the incident response, makes time-critical containment and recovery decisions, and coordinates the response team. CERG provides the Engineering Lead, Lead Investigator, and Governance Lead roles when the Incident Commander calls for them.

2. NICE Workforce Framework Mapping

| Mapping Level | NICE Work Role | NICE Work Role ID | NICE Work Role Category |
|---|---|---|---|
| Primary | Cyber Defense Incident Responder | PR-CIR-001 | PR |

NICE Work Role Definition: See JF-002 for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

3. Job Family & Level Placement

Family JF-ADJUNCT — Incident Response & Investigation
Level Range L1 through L4
CERG Grade Range S2-S4/M4
Terminal Grade S4/M4 — see JA-001 §7 for details
Track SME / Dual-track

4. Key Responsibilities

4.1 Core Responsibilities (All Grades)

  • Own the incident response command structure during active cybersecurity incidents: establish command, assign roles, manage the bridge, and coordinate response actions across technical, legal, communications, and business continuity teams
  • Make containment, eradication, and recovery decisions under time pressure with incomplete information, documenting the rationale for post-incident review
  • Communicate incident status to stakeholders at all levels: technical team (actionable direction), management (business impact), legal (regulatory obligations), and executive leadership (strategic decisions)
  • Triage incoming incidents to determine severity, scope, and appropriate response tier per the Incident Response Plan
  • Coordinate with external parties: law enforcement, regulators, incident response retainers, PR/crisis communications, and affected third parties
  • Lead post-incident reviews (PIRs) and ensure action items are tracked to closure
  • Maintain incident response readiness: tabletop exercises, playbook reviews, contact list validation, and tooling readiness checks
  • Contribute to the Incident Response Plan and playbook set as a subject matter expert
  • Serve as the primary CERG liaison during incidents requiring cross-pillar coordination

4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in JA-001 §7 (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in CERG-GOV-JA-001 §4-5. Behavioral anchors at each grade are in CMP-001.

5. Required Knowledge, Skills, and Abilities (KSAs)

5.1 Domain Expertise

  • Incident response command and coordination: bridge management, decision-making under uncertainty, escalation management
  • Incident handling lifecycle: preparation, detection & analysis, containment, eradication, recovery, post-incident activity
  • Cybersecurity fundamentals: network security, endpoint security, identity and access management, threat detection
  • Crisis management and emergency communications
  • Business continuity and disaster recovery principles
  • Regulatory incident notification requirements (breach notification laws, NERC-CIP, CMMC, SOX reporting)
  • Legal and evidentiary requirements for incident documentation

5.2 Technical Skills

Technical skills for this role are captured in §5.1 (Domain Expertise), carried over from the original JD-001 content from which this file was extracted. Additional technical skill definitions aligned to NICE Skill Statements are maintained in JF-002.

5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in OM-001 §6 (Canonical Role Roster) and RAC-001 §7 (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [PD-WRL-003 — Incident Commander primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

| NICE TKS Type | Statement ID | Statement Summary | Relevance to This Role |
|---|---|---|---|
| Task | T0510 | Coordinate incident response functions | Core work activity for this NICE Work Role |
| Task | T1250 | Perform cyber defense incident triage | Core work activity for this NICE Work Role |
| Task | T1109 | Resolve cyber defense incidents | Core work activity for this NICE Work Role |
| Task | T1251 | Recommend incident remediation strategies | Core work activity for this NICE Work Role |
| Task | T1252 | Determine the scope, urgency, and impact of cyber defense incidents | Core work activity for this NICE Work Role |
| Knowledge | K0724 | Knowledge of incident response principles and practices | Foundational knowledge for this role |
| Knowledge | K0725 | Knowledge of incident response tools and techniques | Foundational knowledge for this role |
| Knowledge | K0701 | Knowledge of data backup and recovery policies and procedures | Foundational knowledge for this role |
| Knowledge | K0709 | Knowledge of business continuity and disaster recovery (BCDR) policies and procedures | Foundational knowledge for this role |
| Knowledge | K0718 | Knowledge of network communications principles and practices | Foundational knowledge for this role |
| Skill | S0805 | Skill in designing incident responses | Core capability for this role |
| Skill | S0806 | Skill in performing incident responses | Core capability for this role |
| Skill | S0077 | Skill in securing network communications | Core capability for this role |
| Skill | S0483 | Skill in identifying software communications vulnerabilities | Core capability for this role |
| Skill | S0080 | Skill in performing damage assessments | Core capability for this role |

Full TKS Reference: The complete TKS statement set for the primary NICE Work Role (PR-CIR-001 → PD-WRL-003) is in the NICE Framework Components v2.2.0 dataset. JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

7. Typical Qualifications

7.1 Education

  • 5-15+ years in cybersecurity, with at least 3 years in incident response leadership or security operations management
  • Bachelor’s degree in cybersecurity, information technology, or equivalent experience
  • Relevant certifications: CISSP, GCIH, GCFE, GCFA, CISM, or equivalent
  • Demonstrated experience leading multi-team incident response efforts (tabletop or real-world)

7.2 Certifications

Certifications for this role are defined in TRN-001 §3 (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

7.3 Experience

Typical experience ranges by grade are defined in JA-001 §4-5. See §7.1 (Education) above for education requirements.

8. Key Performance Indicators (KPIs)

KPIs for this role are defined in MTR-001 (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in PERF-001. Each role’s evaluation criteria are embedded in the per-role JD document structure defined by JF-001.

9. Competency Expectations by Grade

The two Adjacent Incident Response roles are out of scope for the CERG Competency Model (CERG-GOV-CMP-001 §1). Behavioral anchors for these roles follow the Incident Response team’s competency framework. For reference, the eight CERG competency domains are listed below; contact the Incident Response team for domain-specific anchors.

| Competency Domain (CMP-001) | L1 Expectation | L2 Expectation | L3 Expectation | L4 Expectation |
|---|---|---|---|---|
| Technical Depth | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Cross-Pillar Fluency | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Risk Judgment | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Communication | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Operational Discipline | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Influence and Mentorship | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Compliance and Regulatory Literacy | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Continuous Learning | See IR team framework | See IR team framework | See IR team framework | See IR team framework |

Note: CMP-001 competency domains provide the organizing structure; actual anchor text must be sourced from the Incident Response team’s competency framework per CERG-GOV-OM-001 §3.4.

10. Success Profile

An Incident Commander is successful when incidents are managed efficiently, decisively, and with minimal business impact. Key indicators: every incident has a clear commander, a documented timeline, and a post-incident report; containment decisions are made within the SLA for the severity level; communication to stakeholders is regular and accurate; post-incident actions are tracked to closure. The commander keeps the response team focused and effective under pressure, ensuring that the organization learns from every incident.

11. Career Path

11.1 Within-Family Progression

Progression within the Incident Response & Investigation family follows the standard four-tier structure. See JF-001 §8 for standard progression gates.

11.2 Cross-Family Movement

Cross-family movement options are defined in the Family-to-Family Career Lattice (JF-001 §4). The Left-Right Knowledge Model (FRM-001 §9.2) and cross-training expectations (OM-001 §10.4) operationalize cross-family career movement.

11.3 Management Track Option

Management track progression for Adjacent roles follows the Incident Response team’s career framework, not CERG’s. See CERG-GOV-OM-001 §3.4 for the Adjacent Function boundary definition. CERG’s Management track is documented in CERG-GOV-JA-001 §5 (Management Progression: Grade Definitions) and §8.1 (SME to Management Transition).

12. Related CERG Documents

| Document | ID | Relevance |
|---|---|---|
| Operating Model | CERG-GOV-OM-001 | Canonical role name; pillar structure |
| RACI Instrument | CERG-GOV-RAC-001 | This role’s accountability assignments |
| Job Architecture | CERG-GOV-JA-001 | Grade definitions; progression criteria |
| Competency Model | CERG-GOV-CMP-001 | Full behavioral anchors |
| Performance Framework | CERG-GOV-PERF-001 | Performance review cadence and calibration |
| Training Framework | CERG-GOV-TRN-001 | Certification matrix |
| Job Families Overview | CERG-GOV-JF-001 | Family structure and level definitions |
| NICE Crosswalk | CERG-GOV-JF-002 | NICE Work Role mapping |

13. Document Control

| Field | Value |
|---|---|
| Document ID | CERG-GOV-JD-ADJUNCT-001 |
| Version | 1.0 |
| Status | Approved |
| Effective Date | 2026-06-11 |
| Classification | Public |
| Owner | Governance Pillar Leader |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual |
| Next Scheduled Review | 2027-06-11 |
| Frameworks | NIST SP 800-181r1 (NICE) |
| Regulations | Cross-cutting |
| Environments | All CERG-managed workforce |

Revision History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-06-11 | Governance Pillar Leader | Initial release. Extracted from monolithic JD-001 into enhanced per-role format with NICE mapping, KPI sections, and competency anchor sections. |

Review Triggers

  • Change to this role’s definition in CERG-GOV-OM-001 §6.1
  • Change to this role’s NICE Work Role mapping in JF-002
  • Change to this role’s grade range in CERG-GOV-JA-001 §7
  • Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

| Document | ID | Relationship |
|---|---|---|
| Cybersecurity Policy | CERG-POL-001 | Parent policy |
| Job Families Overview | CERG-GOV-JF-001 | Family structure and level definitions |
| NICE Crosswalk | CERG-GOV-JF-002 | NICE Work Role mapping |

Source: roles/jf-adjunct/CERG-GOV-JD-ADJUNCT-001_Incident_Commander.md