Pre-production Reviewer

Job Family: JF-SECENG — Security Engineering Job Level Range: L1-L4 (CERG Grade S1-S4) CERG Canonical Role: Pre-production Reviewer (CERG-GOV-OM-001 §6.1)

1. Role Summary

The Pre-production Reviewer is a rotated Engineering role, not a permanent position. They own the pre-production checklist and sign off on go-live readiness: confirming that pre-production findings are remediated or risk-accepted, that handoff documentation is complete, and that the team inheriting the system knows its security posture. The role rotates among qualified Engineers to ensure cross-training and to prevent any single person from becoming a go-live bottleneck.

2. NICE Workforce Framework Mapping

NICE Work Role Definition: See JF-002 for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

3. Job Family & Level Placement

4. Key Responsibilities

4.1 Core Responsibilities (All Grades)

• Own and maintain the pre-production review checklist, keeping it current with evolving standards and threat landscape - Conduct pre-production reviews for systems approaching go-live: verify that architecture review findings are closed, vulnerability scans are clean or accepted, threat model findings are resolved, and handoff documentation is complete - Sign off on go-live readiness, confirming that the system meets the security bar defined in the Architecture Review Procedure - Escalate unresolved pre-production findings to the Engineering Pillar Leader and the project’s Executive Sponsor - Ensure the post-go-live operations team receives a complete security handoff package: known risks, accepted findings, monitoring requirements, incident response contacts, and configuration documentation - Coordinate with Risk to confirm that pre-production vulnerability scans and adversarial testing results meet the defined bar - Coordinate with Governance to confirm that compliance-required evidence is collected before go-live

4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in JA-001 §7 (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in CERG-GOV-JA-001 §4-5. Behavioral anchors at each grade are in CMP-001.

5. Required Knowledge, Skills, and Abilities (KSAs)

5.1 Domain Expertise

• Broad cybersecurity engineering knowledge across multiple domains (cloud, identity, application, endpoint) - Deep familiarity with the CERG Architecture Review Procedure and pre-production review process - Ability to evaluate security findings in context: what is truly blocking versus what can be accepted and tracked - Strong written communication: the pre-production review sign-off is a durable record that may be reviewed by auditors - Sufficient seniority to push back on project pressure to go live with unresolved material findings

5.2 Technical Skills

Technical skills for this role are documented in the original JD-001 content extracted into this file (see §5.1 Domain Expertise). Additional technical skill definitions aligned to NICE Skill Statements are maintained in JF-002.

5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in OM-001 §6 (Canonical Role Roster) and RAC-001 §7 (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [OG-WRL-012 — Pre-production Reviewer primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

Full TKS Reference: The complete TKS statement set for the primary NICE Work Role (OV-SCA-001 → OG-WRL-012) is in the NICE Framework Components v2.2.0 dataset (download). JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

7. Typical Qualifications

7.1 Education

• An active CERG Engineer at S2 or above, nominated by the Engineering Pillar Leader - Rotation period: typically 6-12 months - No additional certifications required beyond the engineer’s existing qualifications

7.2 Certifications

Certifications for this role are defined in TRN-001 §3 (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

7.3 Experience

Typical experience ranges by grade are defined in JA-001 §4-5. See §7.1 (Education) above for education requirements.

8. Key Performance Indicators (KPIs)

KPIs for this role are defined in MTR-001 (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in PERF-001. Each role’s evaluation criteria are embedded in the per-role JD document structure defined by JF-001.

9. Competency Expectations by Grade

Competency expectations for this role follow the Engineering pillar behavioral anchors from CERG-GOV-CMP-001. Each cell describes observable behavior demonstrating the competency at that grade. Anchors are cumulative: an L3 expectation includes the L1 and L2 anchors.

Full Reference: See CERG-GOV-CMP-001 for the complete competency model, including the Management Track addendum (§7) and guidance on using the model for hiring, development, and promotion (§8).

10. Success Profile

A Pre-production Reviewer is successful when security issues are identified and resolved before they reach production, not after. Key indicators: architecture reviews are completed before any infrastructure is provisioned; findings are specific enough that project teams can act on them without reinterpretation; the review cycle time does not delay releases; recurring findings trigger standard updates rather than repeated manual reviews. The reviewer is seen as an enabler of secure delivery, not a gate that slows things down.

11. Career Path

11.1 Within-Family Progression

The Pre-production Reviewer is a rotated Engineering function rather than a permanent career destination. Progression occurs through the individual’s home Engineering role under JF-001 §9.1 and JA-001 §7.2. Reviewer qualification is evidence of readiness for higher Engineering levels when the reviewer demonstrates consistent judgment, clear findings, reusable review patterns, and the ability to coach project teams before defects reach production.

11.2 Cross-Family Movement

Cross-family movement options are defined in the Family-to-Family Career Lattice (JF-001 §4). The Left-Right Knowledge Model (FRM-001 §9.2) and cross-training expectations (OM-001 §10.4) operationalize cross-family career movement.

11.3 Management Track Option

At L3+ (SME track), a Management track option may be available per CERG-GOV-JA-001 §8.1 (SME to Management Transition). Readiness indicators include: consistently sought out for guidance by junior team members, leading cross-functional initiatives without formal authority, and communicating clearly with non-technical stakeholders. The transition is a track change, not a grade promotion — an S3 Advisor moving to M1 Manager carries their technical credibility into the management role. Management competencies are defined in CERG-GOV-CMP-001 §7. See CERG-GOV-JA-001 §5 for Management grade definitions (M1-M4) and §9 (Span of Control and Team Design) for when to create a management role.

12. Related CERG Documents

13. Document Control

Revision History

Review Triggers

• Change to this role’s definition in CERG-GOV-OM-001 §6.1
• Change to this role’s NICE Work Role mapping in JF-002
• Change to this role’s grade range in CERG-GOV-JA-001 §7
• Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

Related Documents

Source: roles/jf-seceng/CERG-GOV-JD-SECENG-008_Pre-production_Reviewer.md · Download .md · View on GitHub