| Field | Value |
|---|---|
| **Document ID** | CERG-GOV-JD-ADJUNCT-002 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Parent Policy** | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual |
| **Frameworks** | NIST SP 800-181r1 (NICE) |
| **Regulations** | Cross-cutting |
| **Environments** | All CERG-managed workforce |

---

# Lead Investigator

**Job Family:** JF-ADJUNCT — Incident Response & Investigation
**Job Level Range:** L1-L4 (CERG Grade S2-S4/M4)
**CERG Canonical Role:** Lead Investigator ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1)

---

## 1. Role Summary

> **ADJACENT ROLE — Not a CERG position.** This role belongs to the standing Incident Response team, not to CERG. Per [OM-001 §3.4](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md), Incident Commander and Lead Investigator are IR team roles included in CERG documentation for cross-functional clarity only. CERG provides a liaison to the IR team.

**Role Summary (CERG-facing):** The risk-side technical lead during an active incident. The Lead Investigator conducts forensic analysis, traces adversary activity, and identifies the scope of compromise. CERG supplies a qualified practitioner into this role when the IR team calls for one.

---

## 2. NICE Workforce Framework Mapping

| Mapping Level | NICE Work Role | NICE Work Role ID | NICE Work Role Category |
|---------------|----------------|-------------------|-------------------------|
| Primary | Cyber Defense Incident Responder | PR-CIR-001 | PR |

**NICE Work Role Definition:** See [JF-002](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

## 3. Job Family & Level Placement

| Family | JF-ADJUNCT — Incident Response & Investigation |
|--------|---------------------------|
| Level Range | L1 through L4 |
| CERG Grade Range | S2-S4/M4 |
| Terminal Grade | S4/M4 — see [JA-001 §7](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) for details |
| Track | SME / Dual-track |

## 4. Key Responsibilities

### 4.1 Core Responsibilities (All Grades)

- Lead the forensic investigation of cybersecurity incidents: collect and preserve digital evidence, trace adversary activity, determine scope of compromise, and produce a documented timeline of events
- Perform forensic analysis of systems, networks, and applications using industry-standard tools and methodologies
- Collect forensically sound images of affected systems, maintaining chain of custody throughout the investigation
- Analyze malware, network artifacts, logs, and memory dumps to determine the root cause and tactics, techniques, and procedures (TTPs) of the adversary
- Produce detailed investigative reports suitable for legal, regulatory, and executive audiences
- Support the Incident Commander with technical findings during active incidents to inform containment and eradication decisions
- Coordinate with law enforcement as a technical expert when criminal activity is identified
- Maintain the organization's forensic tooling, forensic workstation environment, and analysis methodologies
- Stay current on adversary TTPs, forensic techniques, and anti-forensic countermeasures
- Testify or provide written expert evidence in legal proceedings as required

### 4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in [JA-001 §7](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §4-5. Behavioral anchors at each grade are in [CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md).

## 5. Required Knowledge, Skills, and Abilities (KSAs)

### 5.1 Domain Expertise

- Digital forensics: disk forensics, memory forensics, network forensics, mobile device forensics, cloud forensics
- Malware analysis: static analysis, dynamic analysis, reverse engineering, sandboxing
- Evidence handling: forensic imaging, chain of custody, evidence preservation, documentation standards
- Operating system internals: Windows, Linux, macOS — file systems, registry, logs, artifacts, persistence mechanisms
- Network analysis: packet capture (PCAP) analysis, network flow analysis, proxy and firewall log analysis
- Log analysis: SIEM platforms, centralized logging, log correlation, timestamp normalization
- Legal and regulatory frameworks: rules of evidence, e-discovery, witness testimony, data privacy laws

### 5.2 Technical Skills

Technical skills for this role are those listed in §5.1 (Domain Expertise), carried over from the original JD-001 content from which this file was extracted. Additional technical skill definitions aligned to NICE Skill Statements are maintained in [JF-002](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md).

### 5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in [OM-001 §6](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) (Canonical Role Roster) and [RAC-001 §7](../../governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

## 6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [PD-WRL-003 — Lead Investigator primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

| NICE TKS Type | Statement ID | Statement Summary | Relevance to This Role |
|---------------|-------------|-------------------|------------------------|
| Task | T0164 | Perform cyber defense trend analysis and reporting | Core work activity for this NICE Work Role |
| Task | T1256 | Perform forensically sound image collection | Core work activity for this NICE Work Role |
| Task | T1372 | Advise law enforcement personnel as technical expert | Core work activity for this NICE Work Role |
| Task | T0262 | Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, securi... | Core work activity for this NICE Work Role |
| Task | T0510 | Coordinate incident response functions | Core work activity for this NICE Work Role |
| Knowledge | K0857 | Knowledge of malware analysis tools and techniques | Foundational knowledge for this role |
| Knowledge | K0916 | Knowledge of malware analysis principles and practices | Foundational knowledge for this role |
| Knowledge | K0924 | Knowledge of network analysis tools and techniques | Foundational knowledge for this role |
| Knowledge | K0686 | Knowledge of authentication and authorization tools and techniques | Foundational knowledge for this role |
| Knowledge | K0725 | Knowledge of incident response tools and techniques | Foundational knowledge for this role |
| Skill | S0651 | Skill in performing malware analysis | Core capability for this role |
| Skill | S0550 | Skill in reporting malware | Core capability for this role |
| Skill | S0688 | Skill in performing network data analysis | Core capability for this role |
| Skill | S0854 | Skill in performing data analysis | Core capability for this role |
| Skill | S0866 | Skill in performing log file analysis | Core capability for this role |

> **Full TKS Reference:** The complete TKS statement set for the primary NICE Work Role (PR-CIR-001 → PD-WRL-003) is in the NICE Framework Components v2.2.0 dataset ([download](https://csrc.nist.gov/csrc/media/Projects/cprt/documents/nice/v2-2-0_nf_components.json)). JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

## 7. Typical Qualifications

### 7.1 Education

- 5-15+ years in cybersecurity, with at least 3 years in digital forensics or incident response investigation
- Bachelor's degree in cybersecurity, computer science, or equivalent experience
- Relevant certifications: GCFA, GCFE, GNFA, GREM, EnCE, or equivalent
- Experience producing expert reports and providing testimony in legal proceedings preferred

### 7.2 Certifications

Certifications for this role are defined in [TRN-001 §3](../../governance/CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

### 7.3 Experience

Typical experience ranges by grade are defined in [JA-001 §4-5](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md). See §7.1 (Education) above for education requirements.

## 8. Key Performance Indicators (KPIs)

KPIs for this role are defined in [MTR-001](../../governance/CERG-GOV-MTR-001_Metrics_Dashboard_and_Reporting.md) (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in [PERF-001](../../governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md). Each role's evaluation criteria are embedded in the per-role JD document structure defined by [JF-001](../CERG-GOV-JF-001_Job_Families_Overview.md).

## 9. Competency Expectations by Grade

The two Adjacent Incident Response roles are out of scope for the CERG Competency Model ([CERG-GOV-CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) §1). Behavioral anchors for these roles follow the Incident Response team's competency framework. For reference, the eight CERG competency domains are listed below; contact the Incident Response team for domain-specific anchors.

| Competency Domain (CMP-001) | L1 Expectation | L2 Expectation | L3 Expectation | L4 Expectation |
|-----------------------------|----------------|----------------|----------------|----------------|
| Technical Depth | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Cross-Pillar Fluency | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Risk Judgment | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Communication | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Operational Discipline | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Influence and Mentorship | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Compliance and Regulatory Literacy | See IR team framework | See IR team framework | See IR team framework | See IR team framework |
| Continuous Learning | See IR team framework | See IR team framework | See IR team framework | See IR team framework |

> **Note:** CMP-001 competency domains provide the organizing structure; actual anchor text must be sourced from the Incident Response team's competency framework per [CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §3.4.

## 10. Success Profile

A Lead Investigator is successful when every investigation produces defensible findings that stand up to legal and regulatory scrutiny. Key indicators: evidence is collected and preserved with a complete chain of custody; the investigation timeline is documented and repeatable; findings are specific enough that the organization can act on them; post-incident reports are structured, complete, and filed within SLA. The investigator's work ensures that the organization can explain exactly what happened, when, and why — to a regulator, a court, or the board.

## 11. Career Path

### 11.1 Within-Family Progression

Progression within the Incident Response & Investigation family follows the standard four-tier structure. See [JF-001 §8](../CERG-GOV-JF-001_Job_Families_Overview.md) for standard progression gates.

### 11.2 Cross-Family Movement

Cross-family movement options are defined in the [Family-to-Family Career Lattice (JF-001 §4)](../CERG-GOV-JF-001_Job_Families_Overview.md#4-family-to-family-career-lattice). The Left-Right Knowledge Model ([FRM-001 §9.2](../../governance/CERG-GOV-FRM-001_CERG_Framework.md)) and cross-training expectations ([OM-001 §10.4](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md)) operationalize cross-family career movement.

### 11.3 Management Track Option

Management track progression for Adjacent roles follows the Incident Response team's career framework, not CERG's. See [CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §3.4 for the Adjacent Function boundary definition. CERG's Management track is documented in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §5 (Management Progression: Grade Definitions) and §8.1 (SME to Management Transition).

## 12. Related CERG Documents

| Document | ID | Relevance |
|----------|-----|-----------|
| Operating Model | [`CERG-GOV-OM-001`](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) | Canonical role name; pillar structure |
| RACI Instrument | [`CERG-GOV-RAC-001`](../../governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) | This role's accountability assignments |
| Job Architecture | [`CERG-GOV-JA-001`](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) | Grade definitions; progression criteria |
| Competency Model | [`CERG-GOV-CMP-001`](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) | Full behavioral anchors |
| Performance Framework | [`CERG-GOV-PERF-001`](../../governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md) | Performance review cadence and calibration |
| Training Framework | [`CERG-GOV-TRN-001`](../../governance/CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) | Certification matrix |
| Job Families Overview | [`CERG-GOV-JF-001`](../CERG-GOV-JF-001_Job_Families_Overview.md) | Family structure and level definitions |
| NICE Crosswalk | [`CERG-GOV-JF-002`](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) | NICE Work Role mapping |

---

## 13. Document Control

| Field | Value |
|---|---|
| **Document ID** | CERG-GOV-JD-ADJUNCT-002 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Effective Date** | 2026-06-11 |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Approved By** | CISO |
| **Parent Policy** | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual |
| **Next Scheduled Review** | 2027-06-11 |
| **Frameworks** | NIST SP 800-181r1 (NICE) |
| **Regulations** | Cross-cutting |
| **Environments** | All CERG-managed workforce |

### Revision History

| **Version** | **Date** | **Author** | **Change Summary** |
|---|---|---|---|
| 1.0 | 2026-06-11 | Governance Pillar Leader | Initial release. Extracted from monolithic JD-001 into enhanced per-role format with NICE mapping, KPI sections, and competency anchor sections. |

### Review Triggers

- Change to this role's definition in [CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1
- Change to this role's NICE Work Role mapping in JF-002
- Change to this role's grade range in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §7
- Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

### Related Documents

| **Document** | **ID** | **Relationship** |
|---|---|---|
| Cybersecurity Policy | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) | Parent policy |
| Job Families Overview | [`CERG-GOV-JF-001`](../CERG-GOV-JF-001_Job_Families_Overview.md) | Family structure and level definitions |
| NICE Crosswalk | [`CERG-GOV-JF-002`](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) | NICE Work Role mapping |
