Cyber Operations Specialist

You are the schoolhouse output. The Cyber Mission Force is paying for your seat right now, and you have to convert that investment into a teammate the work role lead can actually plug into a CPT/NMT/CMT/CST mission element.

You are still in or just out of the 17C pipeline at Fort Eisenhower's Cyber Center of Excellence — months of foundational IT, networking, and operating systems before you ever touch the offensive or defensive tool track. When you reach the line at ARCYBER, the 780th MI Brigade, or the Cyber Protection Brigade, you are a tool operator under a team lead: you read logs, you run queries the senior analyst writes for you, you build out a fresh forensic workstation off the team's gold image, and you re-rack a server when the cyber tools admin says re-rack the server. You will spend a lot of weeks studying for the certifications you need to actually hold a billet, and a lot of nights asking the SSG-tier operator next to you what a particular alert in Splunk actually means in this environment.

• 01Read a packet capture in Wireshark well enough to identify protocol, source/destination, and obvious anomalies without anyone walking you through it.
• 02Operate a Linux command line — bash, grep, awk, sed, find, basic scripting — at the comfort level the schoolhouse expects on day one in the team room.
• 03Query a SIEM (Splunk / Elastic) using filters and basic search syntax the senior analyst hands you, and read the output back without guessing.
• 04Image, harden, and lock down a Windows or Linux workstation per the relevant DISA STIG before it goes onto an operational network.
• 05Document everything you touched — host, time, command, output — in the team's case management or ticketing system the way a court exhibit would read.
• 06Run TS/SCI security hygiene without prompting: SCIF discipline, no personal electronics, classified-vs-unclassified separation, courier procedures.

• —ATP 3-12 — Cyberspace Operations (the Army's top-of-the-stack doctrine; read it once even if you never quote it).
• —JP 3-12 — Cyberspace Operations (the joint context every CMF team operates inside).
• —AR 25-2 — Army Cybersecurity (the policy floor your team posture is measured against).
• —AR 380-67 — Personnel Security Program (your TS/SCI is a privilege; this is the reg behind it).
• —DoDM 8140 — Cyberspace Workforce Qualification (the chart that gates which billet you are allowed to sit).
• —DISA STIGs and the public.cyber.mil reading list — the engineering standards the team holds you to.

• —CompTIA Security+ certification — IAT-II floor and the baseline DoDM 8140 expectation for an entry 17C billet.
• —Network+ and A+ as the unspoken floor before you arrive at the unit — Army Credentialing Assistance will pay if you do not have them.
• —On-the-job qualification (work role evaluation) for your team's assigned CMF work role under DoDM 8140 — until that's signed, you are not on mission.
• —TS/SCI clearance maintained without incident — financial, foreign-contact, drug, or social-media issue ends the MOS, not just the assignment.
• —Zero deviations from the team's SOP on operational networks. The CWO and the team lead notice the soldier who freelances.

• —Running an unauthorized tool or script on an operational network because you "wanted to test it." That is an incident report, an inquiry, and possibly a security violation under AR 380-5.
• —Plugging personal media (USB, phone, smartwatch) anywhere near a classified system. Best case it ends your shift; worst case it ends the clearance.
• —Logging into a tool with a teammate's credentials, even once. Every action is audited and shared-account use is exactly the kind of finding the team chief gets fired over.
• —Closing a ticket or marking a finding "no impact" without the senior analyst eyeballing it. The miss surfaces at the next read-out and the team lead is the one who has to brief it.
• —Talking about work specifics outside the SCIF — bar, family, social media, group chat. There is no version of this conversation that does not end at the SSO's desk.

The good 17C cherry is the soldier the senior operator hands a complex log set on a Tuesday and gets a clean, documented finding back by Thursday — no ego, no shortcuts, no freelancing. By their first re-enlistment window they have Sec+ and CCNA in hand, a CySA+ or GSEC packet open, and the team lead is fighting to keep them on the same work role for the next rotation instead of letting them rotate to the schoolhouse.

You are the operator the team lead plugs into the seat that has to actually produce — a CPT crew slot, an NMT collection role, a CMT analyst billet — not just the trainee getting carried.

You sit a real billet on a Cyber Protection Team, National Mission Team, Combat Mission Team, or Cyber Support Team under ARCYBER, the 780th MI Brigade, the Cyber Protection Brigade, or a Joint Force Headquarters-Cyber element. You run the SIEM queries you wrote yourself, you triage alerts inside the team's standing playbook, you carry a piece of the team's tool stack as a designated tool admin, and you write up findings the team chief or warrant officer can hand a customer without rewriting. You will spend large blocks of the week on certification study, work-role qualification under DoDM 8140, and TTP-rep drills the team chief runs. The contractor sitting next to you is doing the same job for three times the pay and already asking your ETS date.

• 01Write a SIEM query (Splunk SPL, Elastic KQL/Lucene) that returns the right answer with reasonable performance — not the copy-paste from the senior analyst's notes.
• 02Map an observed behavior to a MITRE ATT&CK technique by ID, not by vibes — and defend the mapping at the team read-out.
• 03Operate at least one piece of the team's real tool stack as the designated tool admin — endpoint EDR, full-packet capture, host-forensic suite — with the configs documented.
• 04Run host-side triage to NIST SP 800-61 incident handling phases — preparation, detection, containment, eradication, recovery, lessons learned — in writing.
• 05Build a simple Python or PowerShell script that does one useful thing well: parse a log, enrich an indicator, automate a report. Not copied. Yours.
• 06Brief a finding to the team chief in three minutes without sounding either junior or arrogant. The work role lead notices both ends.

• —ATP 3-12 — Cyberspace Operations (re-read it now that the abstractions match a real seat).
• —NIST SP 800-61 — Computer Security Incident Handling Guide (the IR playbook every CPT execution maps to).
• —MITRE ATT&CK — the framework the entire CMF speaks; learn the matrix, not just the buzzword list.
• —DoDM 8140 — Cyberspace Workforce Qualification (read your assigned work role's tasks line by line; that is the bar).
• —DoDI 8530.01 — Cybersecurity Activities Support to DoD Information Network Operations.
• —CompTIA CySA+, GIAC GSEC / GCIH / GCIA exam objectives — the credential ladder your work role probably already requires.

• —IAT-II maintained without lapse (Sec+ CE or equivalent); the team chief audits this and you do not want to be the lapse.
• —CCNA before the E-5 board; CySA+ and one GIAC (typically GCIH or GCIA) on the wall by your second year on the team.
• —Fully qualified on at least one DoDM 8140 work role under your CMF team's mission set — signed off by the work role lead.
• —BLC graduate; promotion points stacked through cert credit, college (CLEP/DSST/TA), and DLC.
• —Team-internal ranking — when the team chief lists who he'd take into a contested operation first, you are in the top half.

• —Coasting on Sec+. The work role is the standard, not the cert. Operators who do not push into CySA+ / GCIH end up at the bottom of the team's rank-ordered list.
• —Sloppy notes. Your work product is evidence in an incident report and your reputation in one document — the team lead reads every line.
• —Running an experimental tool against an operational target without the team chief's and warrant's sign-off. That is a JAG conversation, not a counseling.
• —OPSEC slips on social media — LinkedIn job title, unit name, deployment hints, badge selfies. The 780th and the CPB are explicit on this and the SSO is watching.
• —Treating the BLC slot as optional because "I am a cyber guy." 17C is still an Army MOS; the SFC board reads NCO development the same way as 11B.

The good Specialist 17C is the operator the team chief tasks with the alert that nobody else wants because he produces a clean ATT&CK-mapped write-up by close of business and a working detection rule by the next morning. He has CySA+ and one GIAC on the wall, he is the designated admin for at least one real tool, and the warrant officer has already mentioned the 170A / 170B packet to him by name.

You are an NCO on a CMF team. Operators look to you for the technical call; the team chief looks to you for the truth about how the work is actually going.

You lead a 3-5 operator element inside a Cyber Protection Team, National Mission Team, Combat Mission Team, or Cyber Support Team — a crew, a work role slice, or a defensive sub-team. You write counselings on the 14th, you sign off junior operators against their DoDM 8140 work role tasks, you run the daily standup and the after-mission read-out, and you brief the team chief and the warrant officer in language they can pass up without translation. You will sit pre-mission planning with the work role lead and a contractor analyst at the same table, and your crew's product has to read like the senior name on it.

• 01Run a crew-level mission element through the full NIST 800-61 cycle on a contested host or network — detection through lessons-learned — with a usable timeline at the end.
• 02Lead a Cyber Protection Team sub-element through a survey, secure, protect mission to the team's SOP — including handoff to the supported network owner.
• 03Build and defend an ATT&CK-mapped detection set — Sigma rules, Splunk correlation searches, Elastic detections — that produces actionable alerts and not noise.
• 04Write a clean DA 4856 counseling with a Plan of Action that names the certification, work role, or behavior gap and the steps to close it.
• 05Brief a CMF mission read-out — what the team did, what it found, what it recommends — in five slides without the team chief rewriting them.
• 06Mentor junior operators into their next certification and work role qualification on a schedule that the work role lead can sign off.

• —ATP 3-12 — Cyberspace Operations; JP 3-12 — Cyberspace Operations.
• —NIST SP 800-61 — Incident Handling; NIST CSF — the language the supported customer's CISO will use back at you.
• —NIST SP 800-53 / 800-171 — Controls (you assess against them on protect missions).
• —DoDI 8530.01 — Cybersecurity Activities Support; DoDI 8500.01 — Cybersecurity.
• —DoDM 8140 — Cyberspace Workforce Qualification (you are signing soldiers off against this now).
• —AR 600-20 — Army Command Policy; AR 623-3 — Evaluation Reporting (you are an NCO in an Army MOS, not just a cyber operator).

• —BLC graduate; ALC packet built and visible to your platoon sergeant.
• —IAT-III or comparable (CCNP-Security, CASP+, GIAC family) maintained; at least one offensive or defensive specialty cert appropriate to your work role (GCIH, GCIA, GCFA, GPEN, OSCP) on the wall.
• —Fully qualified on the DoDM 8140 work role you lead, and signing off at least two junior operators per cycle.
• —Crew throughput and detection quality measurable in the team's metrics — not "demonstrated outstanding performance" filler on the NCOER.
• —ACFT 540+. Cyber is still an Army MOS; your CSM reads the slide the same way for 17C as for 11B.

• —Verbal counseling. If it is not in writing, the soldier did not know, the company commander cannot defend you, and the work role lead loses confidence in your bench.
• —Letting a junior operator sit a billet they are not 8140-qualified for, "just for this op." The next inspection or inquiry finds it; you sign the gap.
• —Treating mission write-ups as paperwork. The customer reads them, ARCYBER and USCYBERCOM staff read them, and they are how your team is judged outside the SCIF.
• —Hiding a real OPSEC, SHARP, EO, or insider-threat indicator from the chain. CMF teams live or die on trust; one buried indicator surfaces at the worst possible time.
• —Skipping the BLC / ALC slot because the unit "needs you on mission." The board does not care; the SFC list will not have you on it.

The good SGT 17C runs a crew the team chief and warrant officer name in the slide when they brief readiness — DoDM 8140 work-role qualifications green, detection set producing real alerts, juniors on a real cert plan, mission write-ups going out without rework. He is BLC done with ALC pending, he has a 170A packet on the warrant's table if he wants it, and the contractor next to him already has a job number waiting at ETS.

You are the senior enlisted technical voice on a CMF team element. The team chief and the 170A warrant trust your call on whether the work is real; the customer hears your finding through the warrant's mouth.

You run a section of a CPT, NMT, CMT, or CST — 8-15 operators, multiple work roles, often split across a deployed and a garrison footprint. You build the section's training and certification plan, you own the section's tool stack at the configuration-baseline level, and you sit at planning tables with the team OIC, the 170A/170B warrant, and supported-customer leadership. You are also the senior NCO the team's 1SG calls when there is a counseling, a UCMJ packet, or a clearance issue brewing — because cyber problems do not exempt soldiers from Army problems.

• 01Design and defend a section-level training plan that produces qualified operators against the DoDM 8140 work roles the team actually owns, on a schedule the team OIC can brief.
• 02Run a Cyber Protection Team mission as the senior enlisted element — survey, secure, protect, sustain — alongside a 170A and a customer technical lead.
• 03Own the section's detection engineering at an architecture level — what rules exist, what they cover under ATT&CK, what false-positive rate the team accepts, what gaps still need to close.
• 04Translate cyber risk to a non-technical supported commander or CISO in language they will repeat correctly to a one-star.
• 05Mentor two SGT crew leads into SSG-board-ready candidates without losing your own SLC and warrant-officer-mentor lane.
• 06Operate inside a JFHQ-Cyber, USCYBERCOM, or NSA detail without making the team look like it sent the wrong NCO.

• —ATP 3-12, JP 3-12 — Cyberspace Operations.
• —NIST SP 800-37 — Risk Management Framework; 800-53 — Controls; 800-171 — CUI; 800-61 — Incident Handling.
• —DoDI 8500.01 — Cybersecurity; DoDI 8510.01 — RMF for DoD IT; DoDI 8530.01 — Cybersecurity Activities Support.
• —DoDM 8140 — Cyberspace Workforce Qualification (you are auditing your section against it, not just signing).
• —MITRE ATT&CK and the team's mapping playbook — you are the senior enlisted voice on what coverage looks like.
• —AR 25-2 — Army Cybersecurity; AR 380-67 — Personnel Security; AR 600-20 — Command Policy.

• —ALC graduate; SLC packet built — required for E-7 board competitiveness in 17C.
• —CASP+ or CISSP plus at least one senior offensive or defensive specialty (GCIH, GCFA, GREM, GPEN, OSCP) on the wall; consider Cyber Center of Excellence senior NCO courses.
• —Section DoDM 8140 work-role qualification rate at or above the team's mission demand — green on the team OIC's slide.
• —Section CMF-team readiness metrics (training, certifications, mission rehearsals) in the upper third of the brigade.
• —NCOER bullets matching real measurable outcomes — qualified operators produced, detections deployed, missions led — not filler.

• —Confusing being a strong individual operator with being a strong section NCOIC. The section needs you to build the bench, not to be the bench.
• —Letting one crew lead carry the section because he is "your guy." The other crew leads notice and your NCOER profile shows it at the next board.
• —Skipping the warrant officer mentorship conversation. The 170A / 170B accession is one of the highest-leverage moves in the entire Army; you are expected to be honest about who should and should not pack.
• —Confusing operational cyber expertise with workforce-policy expertise. DoDM 8140 audits are how senior NCOs get their teams reviewed — own the policy floor.
• —Talking shop outside cleared spaces, on personal devices, or on social media. At this rank the consequence is not just career — it is the team's mission and the soldiers' clearances.

The good SSG 17C runs a section the team OIC and the senior warrant officer name without thinking — work-role-qualified across the mission set, detection engineering green, juniors on a cert and warrant path, NCOERs going up that the senior rater can defend at brigade. He has CASP+ or CISSP on the wall, a 170A warrant packet either submitted or actively mentored to a candidate, and the contractor next to him has already opened a billet that pays double — which he will turn down because he wants 1SG.

You are the senior NCO on a Cyber Mission Force team — CPT, NMT, CMT, or CST. The team OIC commands; the 170A/170B warrants engineer; you make sure the soldiers, the readiness posture, and the work product are real.

You sit at team senior-leader level inside ARCYBER, the 780th MI Brigade, the Cyber Protection Brigade, a Joint Force Headquarters-Cyber, USCYBERCOM, or an NSA detail. You build the team's enlisted training and certification pipeline, you own the unit's DoDM 8140 readiness rollup, and you write four-to-five senior NCOERs per period that will pick the next SSGs and SFCs on the brigade slate. You mentor warrant officer candidates through 170A/170B packets, you screen junior enlisted into the right CMF work role, and you sit alongside the team OIC and the senior warrant when the team briefs USCYBERCOM, a joint partner, or a supported combatant command.

• 01Build and defend a team-level training, certification, and work-role qualification plan to the brigade and CMF readiness standard — green across DoDM 8140 work roles, certifications, and mission rehearsals.
• 02Run a Cyber Mission Force team rotation through a real mission or major exercise (Cyber Flag, Cyber Guard, JRTC cyber injects, supported combatant command operation) as the senior NCO.
• 03Mentor a warrant officer candidate (170A / 170B / 255S) from interest through packet through selection board.
• 04Lead the senior enlisted side of a brigade-level after-action review — what the team learned, what doctrine and SOPs need to change, what the SGM needs to hear.
• 05Translate Army Cyber, USCYBERCOM, and CIO/G-6 strategy into enlisted talent decisions — reclass, reassignment, school slates, retention.
• 06Hold the line on Army NCO basics in a deeply technical unit — fitness, professional development, counseling discipline, family readiness — without sounding like the angry conventional sergeant.

• —ATP 3-12, JP 3-12 — Cyberspace Operations.
• —NIST SP 800-37, 800-53, 800-171, 800-61 — the RMF and incident-handling backbone every accreditation and team rides on.
• —DoDI 8500.01, 8510.01, 8530.01 — DoD cybersecurity policy stack.
• —DoDM 8140 — Cyberspace Workforce Qualification (you sign the rollup at this rank).
• —ARCYBER, INSCOM, and CIO/G-6 published FRAGOs and ALARACTs; Army Cyber strategy documents.
• —AR 350-1 — Training; AR 623-3 — Evaluations; AR 600-8-19 — Promotions; AR 600-20 — Command Policy.

• —SLC graduate; MLC packet built; USASMA fellowship considered if SGM-track.
• —IAT-III or equivalent maintained; CASP+ / CISSP plus one senior specialty cert (GCFA, GREM, GPEN, OSCP, or equivalent GIAC) appropriate to the team's mission.
• —Team DoDM 8140 readiness rollup green across the work roles the team owns, sustained across the rating period.
• —Warrant officer accession pipeline producing at least one selected candidate per year out of your team.
• —NCOER profile defensible at brigade — your rated NCOs are being selected for SSG and SFC at a rate matching the bullets you wrote.

• —Hiding a DoDM 8140 work-role qualification gap to make the team's readiness slide look green. The next inspection or rotation surfaces it and the relief is at brigade level.
• —Letting subordinate NCOs run the certification pipeline without your sign-off. You sign the unit readiness report; you own the gap.
• —Pretending to be the technical SME at a level you no longer hold. Senior NCOs in 17C lose authority by faking depth instead of empowering the warrant officers and the junior operators who are sharper than they are.
• —Skipping the SHARP, EO, suicide-prevention, and command-climate piece because "we are a technical team." CMF teams are not exempt from AR 600-20.
• —Confusing access (SCI, special programs) with importance. Senior NCOs who treat clearance level as identity get watched, then walked out.

The good SFC 17C is the team senior NCO ARCYBER, the 780th, or the CPB names when the slate gets read out — DoDM 8140 readiness sustained green, junior operators getting Sec+ to CySA+ to GCIH on a real timeline, warrant officer pipeline producing 170A/170B candidates, NCOER profile picking the next SSG / SFC board slate. He is on the short list for First Sergeant of a cyber company or HHC before he sits MLC.

You are the senior enlisted voice on a cyber formation — a company, a CMF team-of-teams, a brigade, or an echelon-above-brigade staff. The Army Cyber strategy conversation is now happening in rooms you sit in.

As 1SG you run a cyber company, an HHC, or a CMF team-of-teams element of 80-130 soldiers under the 780th MI Brigade, the Cyber Protection Brigade, ARCYBER, or a JFHQ-Cyber. As SGM/CSM on a brigade or higher staff, you set the standard for the enlisted cyber workforce — DoDM 8140 readiness, certification pipeline, warrant officer accession, reclass into and out of 17C, retention against the contractor market that is paying double for the same talent. You sit at strategy tables alongside O-5s and O-6s, you advise the BCT / brigade / division CG on enlisted cyber talent, and you are accountable for the difference between what the readiness slide claims and what the formation can actually do on day one of contact.

• 01Run a cyber company / CMF element command climate that produces work-role-qualified, certification-current, mission-ready operators at a rate above the Army average — and sustains it.
• 02Mentor a senior warrant officer slate (170A / 170B / 255S) at the brigade or higher staff level — accession, development, and retention conversations.
• 03Brief BCT / division / ARCYBER CG on enlisted cyber readiness in language the CG can defend at the next higher echelon.
• 04Lead the senior enlisted side of a CMF team-of-teams response during a real contested-cyber event — alongside the team OICs, the senior warrants, and joint partners.
• 05Translate Army Cyber, USCYBERCOM, and joint cyberspace strategy into enlisted-talent decisions at echelon — reclass, retention, slate, reclassification out.
• 06Hold the formation to AR 600-20, fitness, professional development, and family-readiness standards in a community where the contractor next door is offering the same soldier double the pay and no PT.

• —AR 600-20 — Army Command Policy; AR 27-10 — Military Justice (you are in the room when these matter).
• —AR 380-67 — Personnel Security Program; AR 25-2 — Army Cybersecurity (you sign the unit's posture).
• —DoDM 8140 — Cyberspace Workforce Qualification (you are accountable at the unit-roll-up level).
• —NIST SP 800-37, 800-53, 800-171 — the RMF triangle every accreditation rides on.
• —ARCYBER, USCYBERCOM, INSCOM, and CIO/G-6 strategy and policy documents; Army Cyberspace operational FRAGOs and ALARACTs.
• —The 1SG Course / USASMA / SGM-A reading list — you are expected to teach doctrine and Army Cyber strategy, not just consume it.

• —USASMA / SGM-A completion before competing for command CSM slate in a cyber formation.
• —DoDM 8140 readiness rollup green across the formation's assigned work roles, sustained across your tenure.
• —170A / 170B / 255S accession pipeline producing selected candidates from your unit on a sustained basis.
• —NCOER profile defensible at brigade and division — your rated NCOs are picking up first sergeant and SGM slates on schedule.
• —Zero senior-NCO-level integrity, financial, foreign-contact, social-media, or clearance incidents. At this rank in this MOS, one ends it permanently — the clearance, the career, and the access.

• —Letting the readiness slide go green while the formation knows it is not. The team OICs, the senior warrants, and the soldiers all know the truth — the CG will find out from one of them.
• —Treating senior enlisted leadership as a technical role. At this rank you are running a formation; you are not the senior operator. Empower the warrants and the senior NCOs who are sharper than you, and pick the soldiers who can actually carry the work.
• —Confusing seniority with access. The clearances and program reads at this rank are tools; soldiers and the formation are the job.
• —Going public — internally or externally — with disagreement over a CO's or CG's cyber-risk call. Take it in the office. Walk out aligned. The formation watches.
• —Treating the retention conversation as transactional when the contractor market is paying double. The soldiers you want to keep are the ones who need an honest senior NCO conversation about what staying actually buys them, not a slogan.

The good 17C 1SG / SGM / CSM is the senior NCO ARCYBER, the 780th, the CPB, and the BCT / division CG name in the slide when cyber readiness is briefed. His formation's DoDM 8140 rollup is sustained green, the warrant officer accession rate is in the upper third of the Army, his rated NCOs are picking up 1SG and SGM chevrons on schedule, and the retention rate is competitive against a contractor market that is actively trying to take every operator he has. When the formation has a hard rotation, the re-enlistment line still forms.