| | |
|---|---|
| **Document ID** | CERG-GOV-JD-ADJUNCT-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Parent Policy** | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual |
| **Frameworks** | NIST SP 800-181r1 (NICE) |
| **Regulations** | Cross-cutting |
| **Environments** | All CERG-managed workforce |

---

# Incident Commander

- **Job Family:** JF-ADJUNCT — Incident Response & Investigation
- **Job Level Range:** L1-L4 (CERG Grade S2-S4/M4)
- **CERG Canonical Role:** Incident Commander ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1)

---

## 1. Role Summary

> **ADJACENT ROLE — Not a CERG position.** This role belongs to the standing Incident Response team, not to CERG. Per [OM-001 §3.4](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md), Incident Commander and Lead Investigator are IR team roles included in CERG documentation for cross-functional clarity only. CERG provides a liaison to the IR team.

**Role Summary (CERG-facing):** Single-decision authority during an active incident. The Incident Commander owns the incident response, makes time-critical containment and recovery decisions, and coordinates the response team. CERG provides the Engineering Lead, Lead Investigator, and Governance Lead roles when the Incident Commander calls for them.

## 2. NICE Workforce Framework Mapping

| Mapping Level | NICE Work Role | NICE Work Role ID | NICE Work Role Category |
|---------------|----------------|-------------------|-------------------------|
| Primary | Cyber Defense Incident Responder | PR-CIR-001 | PR |

**NICE Work Role Definition:** See [JF-002](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

## 3. Job Family & Level Placement

| Field | Value |
|---|---|
| Family | JF-ADJUNCT — Incident Response & Investigation |
| Level Range | L1 through L4 |
| CERG Grade Range | S2-S4/M4 |
| Terminal Grade | S4/M4 — see [JA-001 §7](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) for details |
| Track | SME / Dual-track |

## 4. Key Responsibilities

### 4.1 Core Responsibilities (All Grades)

- Own the incident response command structure during active cybersecurity incidents: establish command, assign roles, manage the bridge, and coordinate response actions across technical, legal, communications, and business continuity teams
- Make containment, eradication, and recovery decisions under time pressure with incomplete information, documenting the rationale for post-incident review
- Communicate incident status to stakeholders at all levels: technical team (actionable direction), management (business impact), legal (regulatory obligations), and executive leadership (strategic decisions)
- Triage incoming incidents to determine severity, scope, and appropriate response tier per the Incident Response Plan
- Coordinate with external parties: law enforcement, regulators, incident response retainers, PR/crisis communications, and affected third parties
- Lead post-incident reviews (PIRs) and ensure action items are tracked to closure
- Maintain incident response readiness: tabletop exercises, playbook reviews, contact list validation, and tooling readiness checks
- Contribute to the Incident Response Plan and playbook set as a subject matter expert
- Serve as the primary CERG liaison during incidents requiring cross-pillar coordination

### 4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in [JA-001 §7](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §4-5. Behavioral anchors at each grade are in [CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md).

## 5. Required Knowledge, Skills, and Abilities (KSAs)

### 5.1 Domain Expertise

- Incident response command and coordination: bridge management, decision-making under uncertainty, escalation management
- Incident handling lifecycle: preparation, detection & analysis, containment, eradication, recovery, post-incident activity
- Cybersecurity fundamentals: network security, endpoint security, identity and access management, threat detection
- Crisis management and emergency communications
- Business continuity and disaster recovery principles
- Regulatory incident notification requirements (breach notification laws, NERC-CIP, CMMC, SOX reporting)
- Legal and evidentiary requirements for incident documentation

### 5.2 Technical Skills

Technical skills for this role are covered by the content extracted from the original JD-001 into this file (see §5.1 Domain Expertise). Additional technical skill definitions aligned to NICE Skill Statements are maintained in [JF-002](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md).

### 5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in [OM-001 §6](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) (Canonical Role Roster) and [RAC-001 §7](../../governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

## 6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role PD-WRL-003 (the primary mapping for Incident Commander) and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

| NICE TKS Type | Statement ID | Statement Summary | Relevance to This Role |
|---------------|-------------|-------------------|------------------------|
| Task | T0510 | Coordinate incident response functions | Core work activity for this NICE Work Role |
| Task | T1250 | Perform cyber defense incident triage | Core work activity for this NICE Work Role |
| Task | T1109 | Resolve cyber defense incidents | Core work activity for this NICE Work Role |
| Task | T1251 | Recommend incident remediation strategies | Core work activity for this NICE Work Role |
| Task | T1252 | Determine the scope, urgency, and impact of cyber defense incidents | Core work activity for this NICE Work Role |
| Knowledge | K0724 | Knowledge of incident response principles and practices | Foundational knowledge for this role |
| Knowledge | K0725 | Knowledge of incident response tools and techniques | Foundational knowledge for this role |
| Knowledge | K0701 | Knowledge of data backup and recovery policies and procedures | Foundational knowledge for this role |
| Knowledge | K0709 | Knowledge of business continuity and disaster recovery (BCDR) policies and procedures | Foundational knowledge for this role |
| Knowledge | K0718 | Knowledge of network communications principles and practices | Foundational knowledge for this role |
| Skill | S0805 | Skill in designing incident responses | Core capability for this role |
| Skill | S0806 | Skill in performing incident responses | Core capability for this role |
| Skill | S0077 | Skill in securing network communications | Core capability for this role |
| Skill | S0483 | Skill in identifying software communications vulnerabilities | Core capability for this role |
| Skill | S0080 | Skill in performing damage assessments | Core capability for this role |

> **Full TKS Reference:** The complete TKS statement set for the primary NICE Work Role (PR-CIR-001 → PD-WRL-003) is in the NICE Framework Components v2.2.0 dataset ([download](https://csrc.nist.gov/csrc/media/Projects/cprt/documents/nice/v2-2-0_nf_components.json)). JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

## 7. Typical Qualifications

### 7.1 Education

- 5-15+ years in cybersecurity, with at least 3 years in incident response leadership or security operations management
- Bachelor's degree in cybersecurity, information technology, or equivalent experience
- Relevant certifications: CISSP, GCIH, GCFE, GCFA, CISM, or equivalent
- Demonstrated experience leading multi-team incident response efforts (tabletop or real-world)

### 7.2 Certifications

Certifications for this role are defined in [TRN-001 §3](../../governance/CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

### 7.3 Experience

Typical experience ranges by grade are defined in [JA-001 §4-5](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md). See §7.1 (Education) above for education requirements.

## 8. Key Performance Indicators (KPIs)

KPIs for this role are defined in [MTR-001](../../governance/CERG-GOV-MTR-001_Metrics_Dashboard_and_Reporting.md) (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in [PERF-001](../../governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md). Each role's evaluation criteria are embedded in the per-role JD document structure defined by [JF-001](../CERG-GOV-JF-001_Job_Families_Overview.md).

## 9. Competency Expectations by Grade

The two Adjacent Incident Response roles are out of scope for the CERG Competency Model ([CERG-GOV-CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) §1). Behavioral anchors for these roles follow the Incident Response team's competency framework. For reference, the eight CERG competency domains are listed below; contact the Incident Response team for domain-specific anchors.

| Competency Domain (CMP-001) | L1 Expectation | L2 Expectation | L3 Expectation | L4 Expectation |
|-----------------------------|----------------|----------------|----------------|----------------|
| Technical Depth | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Cross-Pillar Fluency | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Risk Judgment | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Communication | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Operational Discipline | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Influence and Mentorship | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Compliance and Regulatory Literacy | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Continuous Learning | See IR team framework | See IR team framework | See IR team framework | See IR team framework |

> **Note:** CMP-001 competency domains provide the organizing structure; actual anchor text must be sourced from the Incident Response team's competency framework per [CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §3.4.

## 10. Success Profile

An Incident Commander is successful when incidents are managed efficiently, decisively, and with minimal business impact. Key indicators: every incident has a clear commander, a documented timeline, and a post-incident report; containment decisions are made within the SLA for the severity level; communication to stakeholders is regular and accurate; post-incident actions are tracked to closure. The commander keeps the response team focused and effective under pressure, ensuring that the organization learns from every incident.

## 11. Career Path

### 11.1 Within-Family Progression

Progression within the Incident Response & Investigation family follows the standard four-tier structure. See [JF-001 §8](../CERG-GOV-JF-001_Job_Families_Overview.md) for standard progression gates.

### 11.2 Cross-Family Movement

Cross-family movement options are defined in the [Family-to-Family Career Lattice (JF-001 §4)](../CERG-GOV-JF-001_Job_Families_Overview.md#4-family-to-family-career-lattice). The Left-Right Knowledge Model ([FRM-001 §9.2](../../governance/CERG-GOV-FRM-001_CERG_Framework.md)) and cross-training expectations ([OM-001 §10.4](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md)) operationalize cross-family career movement.

### 11.3 Management Track Option

Management track progression for Adjacent roles follows the Incident Response team's career framework, not CERG's. See [CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §3.4 for the Adjacent Function boundary definition. CERG's Management track is documented in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §5 (Management Progression: Grade Definitions) and §8.1 (SME to Management Transition).

## 12. Related CERG Documents

| Document | ID | Relevance |
|----------|-----|-----------|
| Operating Model | [`CERG-GOV-OM-001`](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) | Canonical role name; pillar structure |
| RACI Instrument | [`CERG-GOV-RAC-001`](../../governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) | This role's accountability assignments |
| Job Architecture | [`CERG-GOV-JA-001`](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) | Grade definitions; progression criteria |
| Competency Model | [`CERG-GOV-CMP-001`](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) | Full behavioral anchors |
| Performance Framework | [`CERG-GOV-PERF-001`](../../governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md) | Performance review cadence and calibration |
| Training Framework | [`CERG-GOV-TRN-001`](../../governance/CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) | Certification matrix |
| Job Families Overview | [`CERG-GOV-JF-001`](../CERG-GOV-JF-001_Job_Families_Overview.md) | Family structure and level definitions |
| NICE Crosswalk | [`CERG-GOV-JF-002`](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) | NICE Work Role mapping |

---

## 13. Document Control

| Field | Value |
|---|---|
| **Document ID** | CERG-GOV-JD-ADJUNCT-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Effective Date** | 2026-06-11 |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Approved By** | CISO |
| **Parent Policy** | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual |
| **Next Scheduled Review** | 2027-06-11 |
| **Frameworks** | NIST SP 800-181r1 (NICE) |
| **Regulations** | Cross-cutting |
| **Environments** | All CERG-managed workforce |

### Revision History

| **Version** | **Date** | **Author** | **Change Summary** |
|---|---|---|---|
| 1.0 | 2026-06-11 | Governance Pillar Leader | Initial release. Extracted from monolithic JD-001 into enhanced per-role format with NICE mapping, KPI sections, and competency anchor sections. |

### Review Triggers

- Change to this role's definition in [CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1
- Change to this role's NICE Work Role mapping in JF-002
- Change to this role's grade range in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §7
- Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

### Related Documents

| **Document** | **ID** | **Relationship** |
|---|---|---|
| Cybersecurity Policy | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) | Parent policy |
| Job Families Overview | [`CERG-GOV-JF-001`](../CERG-GOV-JF-001_Job_Families_Overview.md) | Family structure and level definitions |
| NICE Crosswalk | [`CERG-GOV-JF-002`](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) | NICE Work Role mapping |
