Company Overview
Achieve the Impossible.
At Peraton, we lead the way in delivering cutting-edge solutions to some of the world’s most complex challenges. As a trusted partner to government and enterprise clients, we innovate boldly to enhance global safety and security.
What sets us apart? We think differently. We don’t rely on outdated methods—we reimagine every problem with fresh perspective. By combining top talent, advanced technologies, and bold ideas, we redefine what’s possible and revolutionize how work gets done.
About the Role
Secure Division Support
The Global Cyber Center (GCC) provides Cybersecurity Service Provider (CSSP) functions and conducts Department of Defense Information Network (DODIN) Operations and Defensive Cyberspace Operations – Internal Defensive Measures (DCO-IDM) in alignment with DoDM 8530.01 and DoD Cybersecurity Services Evaluator Scoring Metrics (ESM). These responsibilities are divided across five key CSSP functions: Identify, Protect, Detect, Respond, and Recover.
GCC supports both classified and unclassified segments of the DODIN by providing:
- Network protection, monitoring, analysis, and detection
- Response services to prevent, mitigate, and investigate unauthorized activity
- Defensive capabilities against disruption, denial, degradation, or destruction of information systems
- Sensor management, including oversight of NIPS/NIDS sensors across CONUS DoDIN-A NIPRNet and SIPRNet traffic
- Event analysis to reduce incidents to validated threats and initiate mitigation efforts per leadership direction
In coordination with GCC Operations, the team executes defensive security measures upon detecting attacks and supports CSSP operations on the NIPRNet and SIPRNet in line with Appendix E: Secure Division Workload Assessment. The team also prepares key documentation including TTPs, SOPs, Executive Summaries, trip reports, and white papers, as well as contributes to the development of MOUs, MOAs, and SLAs.
Cyber Defense Operations (CDO) Support
Provide onsite personnel, as per PWS 5.4, to work directly with GCC Operations on cyber incident triage and analysis. This includes:
- Reviewing correlated events, logs, and SIEM data
- Initiating cyber response tickets and classifying incidents per CJCSM 6510 guidance
- Reporting incidents to DCO/ARCYBER/HQ per Commander’s Critical Information Requirements (CCIR)
- Maintaining an on-call response capability for after-hours incident handling
Incident Analysis & Mitigation
Support ongoing incident analysis and recommend appropriate mitigations, especially in response to APTs, malware, or exploit attempts on Army networks. Responsibilities include:
- Blocking or limiting access to malicious IPs, ports, or applications
- Coordinating actions with operations teams when direct control is not available
- Providing justifications for IDM approvals to Configuration Control Boards or Authorizing Officials
- Coordinating damage assessments or Cyber Defense Assistance Program (CDAP) missions when necessary
Monitor all GCC-managed security sensors and agents, keeping the triage database updated in real time and within 72 hours post-incident. Ensure proper triage, ticket handling, and event processing per established TTPs.
Law Enforcement & Counterintelligence (LE/CI) Coordination
Provide initial incident reports and requested data to LE/CI agencies, maintaining an up-to-date POC list. When active investigations are launched, ensure proper documentation is shared, including case numbers and analysis reports in line with official protocols.
Maintain a Master Station Log (MSL) to document and track significant cyber incidents (e.g., CAT1s, named operations), DCO topics, inter-shift communications, and other relevant instructions. This log must be readily available for government inspection at all times.
Qualifications
Minimum Requirements:
- Education & Experience:
  - 2+ years with a BS/BA
  - 0 years with MS/MA
  - 6+ years without a degree
- Security Clearance: Secret
- Certifications:
  - DCWF Code 422 Intermediate (TBD)
- Experience Requirements:
  - 2–6 years of experience in information security or related fields
  - Proven experience developing data security standards