Document ID CERG-GOV-JD-ADJUNCT-002
Version 1.0
Status Approved
Classification Public
Owner Governance Pillar Leader
Parent Policy CERG-POL-001 - Cybersecurity Policy
Review Cycle Annual
Frameworks NIST SP 800-181r1 (NICE)
Regulations Cross-cutting
Environments All CERG-managed workforce

Lead Investigator

Job Family: JF-ADJUNCT — Incident Response & Investigation
Job Level Range: L1-L4 (CERG Grade S2-S4/M4)
CERG Canonical Role: Lead Investigator (CERG-GOV-OM-001 §6.1)


1. Role Summary

ADJACENT ROLE — Not a CERG position. This role belongs to the standing Incident Response team, not to CERG. Per OM-001 §3.4, Incident Commander and Lead Investigator are IR team roles included in CERG documentation for cross-functional clarity only. CERG provides a liaison to the IR team.

Role Summary (CERG-facing): The risk-side technical lead during an active incident. The Lead Investigator conducts forensic analysis, traces adversary activity, and identifies the scope of compromise. CERG supplies a qualified practitioner into this role when the IR team calls for one.


2. NICE Workforce Framework Mapping

| Mapping Level | NICE Work Role | NICE Work Role ID | NICE Work Role Category |
|---|---|---|---|
| Primary | Cyber Defense Incident Responder | PR-CIR-001 | PR |

NICE Work Role Definition: See JF-002 for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

3. Job Family & Level Placement

Family JF-ADJUNCT — Incident Response & Investigation
Level Range L1 through L4
CERG Grade Range S2-S4/M4
Terminal Grade S4/M4 — see JA-001 §7 for details
Track SME / Dual-track

4. Key Responsibilities

4.1 Core Responsibilities (All Grades)

  • Lead the forensic investigation of cybersecurity incidents: collect and preserve digital evidence, trace adversary activity, determine scope of compromise, and produce a documented timeline of events
  • Perform forensic analysis of systems, networks, and applications using industry-standard tools and methodologies
  • Collect forensically sound images of affected systems, maintaining chain of custody throughout the investigation
  • Analyze malware, network artifacts, logs, and memory dumps to determine the root cause and tactics, techniques, and procedures (TTPs) of the adversary
  • Produce detailed investigative reports suitable for legal, regulatory, and executive audiences
  • Support the Incident Commander with technical findings during active incidents to inform containment and eradication decisions
  • Coordinate with law enforcement as a technical expert when criminal activity is identified
  • Maintain the organization’s forensic tooling, forensic workstation environment, and analysis methodologies
  • Stay current on adversary TTPs, forensic techniques, and anti-forensic countermeasures
  • Testify or provide written expert evidence in legal proceedings as required

4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in JA-001 §7 (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in CERG-GOV-JA-001 §4-5. Behavioral anchors at each grade are in CMP-001.

5. Required Knowledge, Skills, and Abilities (KSAs)

5.1 Domain Expertise

  • Digital forensics: disk forensics, memory forensics, network forensics, mobile device forensics, cloud forensics
  • Malware analysis: static analysis, dynamic analysis, reverse engineering, sandboxing
  • Evidence handling: forensic imaging, chain of custody, evidence preservation, documentation standards
  • Operating system internals: Windows, Linux, macOS — file systems, registry, logs, artifacts, persistence mechanisms
  • Network analysis: packet capture (PCAP) analysis, network flow analysis, proxy and firewall log analysis
  • Log analysis: SIEM platforms, centralized logging, log correlation, timestamp normalization
  • Legal and regulatory frameworks: rules of evidence, e-discovery, witness testimony, data privacy laws

5.2 Technical Skills

Technical skills for this role are those listed in §5.1 (Domain Expertise), carried over from the original JD-001 content from which this file was extracted. Additional technical skill definitions aligned to NICE Skill Statements are maintained in JF-002.

5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in OM-001 §6 (Canonical Role Roster) and RAC-001 §7 (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [PD-WRL-003 — Lead Investigator primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

| NICE TKS Type | Statement ID | Statement Summary | Relevance to This Role |
|---|---|---|---|
| Task | T0164 | Perform cyber defense trend analysis and reporting | Core work activity for this NICE Work Role |
| Task | T1256 | Perform forensically sound image collection | Core work activity for this NICE Work Role |
| Task | T1372 | Advise law enforcement personnel as technical expert | Core work activity for this NICE Work Role |
| Task | T0262 | Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, securi… | Core work activity for this NICE Work Role |
| Task | T0510 | Coordinate incident response functions | Core work activity for this NICE Work Role |
| Knowledge | K0857 | Knowledge of malware analysis tools and techniques | Foundational knowledge for this role |
| Knowledge | K0916 | Knowledge of malware analysis principles and practices | Foundational knowledge for this role |
| Knowledge | K0924 | Knowledge of network analysis tools and techniques | Foundational knowledge for this role |
| Knowledge | K0686 | Knowledge of authentication and authorization tools and techniques | Foundational knowledge for this role |
| Knowledge | K0725 | Knowledge of incident response tools and techniques | Foundational knowledge for this role |
| Skill | S0651 | Skill in performing malware analysis | Core capability for this role |
| Skill | S0550 | Skill in reporting malware | Core capability for this role |
| Skill | S0688 | Skill in performing network data analysis | Core capability for this role |
| Skill | S0854 | Skill in performing data analysis | Core capability for this role |
| Skill | S0866 | Skill in performing log file analysis | Core capability for this role |

Full TKS Reference: The complete TKS statement set for the primary NICE Work Role (PR-CIR-001 → PD-WRL-003) is in the NICE Framework Components v2.2.0 dataset. JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

7. Typical Qualifications

7.1 Education

  • 5-15+ years in cybersecurity, with at least 3 years in digital forensics or incident response investigation
  • Bachelor’s degree in cybersecurity, computer science, or equivalent experience
  • Relevant certifications: GCFA, GCFE, GNFA, GREM, EnCE, or equivalent
  • Experience producing expert reports and providing testimony in legal proceedings preferred

7.2 Certifications

Certifications for this role are defined in TRN-001 §3 (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

7.3 Experience

Typical experience ranges by grade are defined in JA-001 §4-5. See §7.1 (Education) above for education requirements.

8. Key Performance Indicators (KPIs)

KPIs for this role are defined in MTR-001 (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in PERF-001. Each role’s evaluation criteria are embedded in the per-role JD document structure defined by JF-001.

9. Competency Expectations by Grade

The two Adjacent Incident Response roles are out of scope for the CERG Competency Model (CERG-GOV-CMP-001 §1). Behavioral anchors for these roles follow the Incident Response team’s competency framework. For reference, the eight CERG competency domains are listed below; contact the Incident Response team for domain-specific anchors.

| Competency Domain (CMP-001) | L1 Expectation | L2 Expectation | L3 Expectation | L4 Expectation |
|---|---|---|---|---|
| Technical Depth | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Cross-Pillar Fluency | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Risk Judgment | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Communication | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Operational Discipline | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Influence and Mentorship | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Compliance and Regulatory Literacy | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Continuous Learning | See IR team framework | See IR team framework | See IR team framework | See IR team framework |

Note: CMP-001 competency domains provide the organizing structure; actual anchor text must be sourced from the Incident Response team’s competency framework per CERG-GOV-OM-001 §3.4.

10. Success Profile

A Lead Investigator is successful when every investigation produces defensible findings that stand up to legal and regulatory scrutiny. Key indicators: evidence is collected and preserved with a complete chain of custody; the investigation timeline is documented and repeatable; findings are specific enough that the organization can act on them; post-incident reports are structured, complete, and filed within SLA. The investigator’s work ensures that the organization can explain exactly what happened, when, and why — to a regulator, a court, or the board.

11. Career Path

11.1 Within-Family Progression

Progression within the Incident Response & Investigation family follows the standard four-tier structure. See JF-001 §8 for standard progression gates.

11.2 Cross-Family Movement

Cross-family movement options are defined in the Family-to-Family Career Lattice (JF-001 §4). The Left-Right Knowledge Model (FRM-001 §9.2) and cross-training expectations (OM-001 §10.4) operationalize cross-family career movement.

11.3 Management Track Option

Management track progression for Adjacent roles follows the Incident Response team’s career framework, not CERG’s. See CERG-GOV-OM-001 §3.4 for the Adjacent Function boundary definition. CERG’s Management track is documented in CERG-GOV-JA-001 §5 (Management Progression: Grade Definitions) and §8.1 (SME to Management Transition).

12. Related CERG Documents

| Document | ID | Relevance |
|---|---|---|
| Operating Model | CERG-GOV-OM-001 | Canonical role name; pillar structure |
| RACI Instrument | CERG-GOV-RAC-001 | This role’s accountability assignments |
| Job Architecture | CERG-GOV-JA-001 | Grade definitions; progression criteria |
| Competency Model | CERG-GOV-CMP-001 | Full behavioral anchors |
| Performance Framework | CERG-GOV-PERF-001 | Performance review cadence and calibration |
| Training Framework | CERG-GOV-TRN-001 | Certification matrix |
| Job Families Overview | CERG-GOV-JF-001 | Family structure and level definitions |
| NICE Crosswalk | CERG-GOV-JF-002 | NICE Work Role mapping |

13. Document Control

| Field | Value |
|---|---|
| Document ID | CERG-GOV-JD-ADJUNCT-002 |
| Version | 1.0 |
| Status | Approved |
| Effective Date | 2026-06-11 |
| Classification | Public |
| Owner | Governance Pillar Leader |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual |
| Next Scheduled Review | 2027-06-11 |
| Frameworks | NIST SP 800-181r1 (NICE) |
| Regulations | Cross-cutting |
| Environments | All CERG-managed workforce |

Revision History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-06-11 | Governance Pillar Leader | Initial release. Extracted from monolithic JD-001 into enhanced per-role format with NICE mapping, KPI sections, and competency anchor sections. |

Review Triggers

  • Change to this role’s definition in CERG-GOV-OM-001 §6.1
  • Change to this role’s NICE Work Role mapping in JF-002
  • Change to this role’s grade range in CERG-GOV-JA-001 §7
  • Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

| Document | ID | Relationship |
|---|---|---|
| Cybersecurity Policy | CERG-POL-001 | Parent policy |
| Job Families Overview | CERG-GOV-JF-001 | Family structure and level definitions |
| NICE Crosswalk | CERG-GOV-JF-002 | NICE Work Role mapping |

Source: roles/jf-adjunct/CERG-GOV-JD-ADJUNCT-002_Lead_Investigator.md