Skip to main content
HonestMOS
InvestigationsCongress made VA disability claims free to file. An entire industry charges veterans anyway — and nobody can stop them.
Back to 17A Cyber Warfare Officer — overview, pay, training, civilian translation, reviews
17AO1-O2

Cyber Warfare Officer

O-1 to O-2 (Junior Officer) · Army

HEADS UP

Cyber Branch is still young enough that the Army is building the doctrine around your career, not the other way around. Your first-assignment unit — ARCYBER, JFHQ-DODIN, or a CMF element under USCYBERCOM — operates at a classification level where you will be unsure what you can say and to whom. Get the DCWF credential for your billet coded before the gaining unit asks, and get comfortable with ambiguity: the authorities, the command relationships, and the targeting timeline are not as clean as the CBOLC slides made them look.

The Honest MOS Read
Cyber Basic Officer Leader Course (CBOLC) at the Army Cyber School, Fort Eisenhower runs roughly 5-6 months and lives at the Cyber Center of Excellence — the same compound that houses ARCYBER, the Signal School, the 780th MI Brigade (Cyber) components, and the institutional memory of the Army's entry into the cyberspace warfighting domain. CBOLC covers the foundational technical and doctrinal stack: defensive cyberspace operations, offensive cyberspace operations, DODIN-A fundamentals, vulnerability assessment methodology, the joint planning process as it applies to cyber effects, and the command relationships that govern how the Cyber Mission Force (CMF) operates under USCYBERCOM authority. You will leave CBOLC with a vocabulary that is new enough that most of the Army still does not share it. From CBOLC, first-assignment tracks split three ways. The largest is a CMF team at ARCYBER or a subordinate element — you are part of the joint CMF construct under USCYBERCOM, running on one of the three CMF team types: National Mission Teams (focused on defending the nation from significant cyberattacks), Combat Mission Teams (planning and executing cyber operations in support of combatant commanders), or Protection Teams (defending priority DoD networks and systems). The second track is a Defensive Cyber Operations – Internal Defensive Measures (DCO-IDM) element at an Army echelon — a corps or division G-6 cyber cell, or an ASCC DCO cell responsible for defending the Army network at the operational command level. The third is a joint billet at JFHQ-DODIN (Joint Force Headquarters – DoD Information Network) at Fort Meade, which is the operational arm of DODIN defense and the highest-visibility DCO assignment in the joint force. The daily reality at a first-assignment CMF or DCO billet is different from every other Army branch. There is no platoon of 35 soldiers standing by for PT formation. There is a small team — typically 10-20 personnel at the mission-element level — that includes 17C Cyber Operations Specialists (the enlisted operator backbone), 17E Electronic Warfare Officers, and a mix of civilian and contractor technical depth. You brief commanders who have never taken a cybersecurity course. You translate CVSS scores and STIG findings into risk language a brigade commander can act on. You sit in targeting boards where the JAG reads Title 10 versus Title 50 authorities into the record before the effects request can proceed. You learn that the timeline for gaining approval to execute an offensive cyber effect is longer than anyone briefed you in CBOLC, and that the operational-legal-policy seam is where most requests get slowed or stopped. Garrison tempo at Fort Eisenhower or Fort Meade is steady, not violent. The base — Fort Eisenhower since 2023, renamed from Fort Gordon — is in Augusta, Georgia. The post is home to the Army Cyber Center of Excellence, the 780th MI Brigade (Cyber), and a growing intelligence-community footprint that has expanded since the DoD designated Fort Eisenhower as the hub for Army cyber operations. Fort Meade, Maryland, hosts the JFHQ-DODIN and USCYBERCOM, the NSA, and a concentration of cleared technical workforce that is unlike any other Army installation. If you wind up at Meade for your first assignment, you are working alongside civilians and contractors who have been doing this job for a decade longer than you have been an officer — build the relationship early or you will be briefing slides that the room already knows are wrong. The fundamentals that determine whether you become a competitive 17A captain are set in the first 18 months: the DCWF credential for your billet, the first OER from a senior rater who can write a defending bullet, the relationship with the team NCO backbone that makes the mission execution actually work, and the joint-planning muscle memory that separates a cyber officer who can operate at the staff level from one who only works the technical tools. The branch is small. The Army generates fewer than 200 17A officers per year. The senior officers know the new lieutenants by name in a way that does not happen in the infantry. Use that.
Career Arc
  • 01CBOLC at Fort Eisenhower — ~5-6 months; foundational DCO/OCO/DODIN-A/targeting doctrine.
  • 02First-assignment track: CMF element at ARCYBER (Fort Eisenhower), DCO-IDM at an Army echelon, or JFHQ-DODIN (Fort Meade).
  • 03DCWF credential for billet role — IAT-II minimum (Sec+), IAT-III or CSSP roles as billet codes; complete before arrival at first unit.
  • 04First OER cycle — the senior rater's profile and bullet quality set the captain's board baseline; bullets tied to IAVA closure rates, CMF mission execution, vulnerability findings actioned.
  • 05~Month 48: O-3 (CPT) under DOPMA timing; Captains Career Course at Army Cyber School triggers.
  • 06Post-BOLC joint exposure visible to branch manager — first-unit billet at USCYBERCOM-aligned element builds the joint-duty record early.
  • 07TS/SCI maintenance — every clearance reinvestigation that happens on your watch is a risk to the career timeline; own the continuous-evaluation lifecycle for yourself and your team.
Common Screwups
  • ×OPSEC breach — the cyber community has a sharper OPSEC surface than any other Army branch. A LinkedIn post about government cyber work, a screenshot of a NIPR or SIPR screen on a personal device, a conference presentation that implies current mission capability — all get flagged, all go to the commander's desk, and the cleared-access career is harder to rebuild than it sounds.
  • ×Clearance reinvestigation failure — a DUI, unreported foreign contact, undisclosed financial issue, or drug-use admission during the periodic review pulls your TS/SCI. A 17A officer without a current TS/SCI is non-deployable, non-assignable to most 17A billets, and faces a career track that requires a restart. The community is small enough that the branch manager knows why your clearance lapsed.
  • ×Article 15 / misconduct — same as every Army branch, but the community is small and the clearance investigation re-opens after any adverse action. A 17A LT who takes an Article 15 is visible to the senior leadership in a way that an 11B LT in a 3,500-soldier brigade is not.
  • ×Fitness failure — ACFT failure or repeated waivers at the LT tier marks the OER in a community where the physical standard is achievable and the excuse inventory is slim. The Army Cyber School PT standard is enforced; units do not carry LTs who cannot pass the test.
  • ×Hiding a CAT-I vulnerability finding or a team readiness shortfall from the chain of command. In a domain where the senior rater is often a civilian SES or a GS-15 who reads the readiness dashboard directly, the gap between the reported posture and the actual posture surfaces fast — and the relief conversation happens at a command level that is very visible in a small branch.

A Day in the Life

  • 0530-0630PT formation — unit PT at the cyber element or CMF team level. Fort Eisenhower runs unit PT at battalion level; Fort Meade-assigned elements run PT within smaller team formations. Cardio days anchor Monday and Wednesday; strength days Thursday; team choice Friday. No suppression on PT standards for the technical track.
  • 0700-0730Shower, uniform, chow — on-post DFAC or personal choice. Fort Eisenhower has standard Army DFAC infrastructure; Fort Meade has a mix of DFAC and civilian food options on post.
  • 0730-0800Pre-mission / workday open. Check overnight alerts — IAVA notifications, ARCYBER G-3 FRAGORD drops, team member DCWF credential flags. Any overnight CAT-I or incident report that requires a commander notification gets drafted before the morning stand-up.
  • 0800-0830Element or team morning stand-up. 15-20 minute battle rhythm check — open taskings, personnel status, upcoming milestones. The element OIC runs it; you are presenting the network status slide or the targeting-action status depending on the day.
  • 0830-1200Primary mission work block — the content varies by assignment. CMF billets: technical training, tool proficiency work, platform exercise prep, mission planning for upcoming CPX or real-world event. DCO-IDM billets: STIG remediation tracking, IAVA compliance cycle work, threat-hunting activity in the assigned network, coordination calls with the supported command's G-6. Planning billets: CONOP drafting, staff synchronization with fires cell / JAG / IO cell, OPORD annex development for cyber effects integration.
  • 1200-1300Lunch — the workday continues at 1300 on most days. Higher-tempo periods collapse the lunch block to 30 minutes.
  • 1300-1600Secondary mission block. Admin: DCWF credential tracking for the team, NCOER counseling prep for the 17C NCOs you are responsible for, property-accountability checks on equipment. Training: classified lab time for technical skill maintenance, After-Action Reviews from recent exercises or live events. Planning: coordination calls with higher HQ, legal review follow-up for pending effects requests.
  • 1600-1700End-of-day sync. Review open actions against the suspense list. Any CAT-I closure that was promised by COB goes to the G-6 / J-6 inbox before you leave the building. Commander update if anything changed since the morning stand-up.
  • 1700-1800Admin and professional development. DCWF study material — active certification prep, reading FM 3-12 chapters relevant to the current mission set, reviewing JP 3-12 guidance on a pending effects request.
  • Evening (classified days)When on classified mission support — CPX, live event, or persistent access maintenance cycle — the schedule shifts and the 1700 hard stop disappears. The team works in shifts; the LT coordinates the shift transition, not the technical work. Planning-night marathons before a major exercise are real.

Weekly Cadence

Monday and Tuesday are the production days at most 17A billets. The weekly battle rhythm brief hits the command element on Tuesday or Wednesday morning, and the 17A team's network-status and ongoing-action update needs to be accurate and defensible before that brief happens. Sunday evening or Monday morning, the LT reviews the open-actions list, updates the IAVA compliance tracker, and confirms there are no overnight alerts that changed the risk picture. The worst version of Monday morning is arriving at the command element stand-up with a network posture slide that does not match the actual posture as of 0700 that day. Mid-week is the coordination-intensive window. JP 3-12 effects requests move through a targeting cycle that runs roughly weekly; Wednesday through Friday is when the fires cell, JAG, and cyber planning cell are trading inputs for the upcoming week's targeting board. The 17A LT who is in those meetings — not sending slide updates and waiting to be called on — is the one who understands the deconfliction problem before it becomes an escalation. A LT who treats the targeting cycle as a slide-drop process rather than a live coordination rhythm misses most of what actually determines whether an effects request succeeds or gets disapproved. Friday afternoon at most garrison-based cyber billets is the administrative anchor: counseling sessions with the 17C NCOs, DCWF credential status review, property-accountability checks. When there is a major exercise or an upcoming deployment window, the Friday administrative rhythm compresses and the week's end blurs into the pre-mission preparation period. The garrison-versus-field split in this branch is different from combat arms — 'field' often means a CPX at a SCIF at another installation, not a live-fire event in the woods — but the pre-mission preparation and the post-event AAR demand the same rigor.

Key Skills — How to Drill Each

  1. 01
    Plan and brief a DCO-IDM operation — threat hunting, network analysis, STIG remediation, anomaly detection — to the standard where the G-6 or J-6 senior does not have to clean up the slide before it goes to the commander.
    The DCO-IDM planning cycle runs on a vulnerability-to-action sequence: pull the IAVA list, tier the findings by CVSS score and network exposure, build the remediation timeline, and brief the risk delta before and after actions taken. Practice the five-slide update format before you brief a live commander — one slide for network posture, one for open CAT-Is with closure timeline, one for ongoing threat activity, one for remediation progress, one for the decision the commander needs to make right now. The commander does not want to learn cybersecurity; he wants to know whether the network is the problem or not. Your brief should answer that in slide one.
  2. 02
    Execute vulnerability assessments using DoD-approved toolsets and translate raw findings into a prioritized risk register the supported command can act on.
    The scan is the easy part — the translation is the job. A CVSS 9.8 finding on a system that is air-gapped and physically secured is not the same risk as a CVSS 7.1 finding on an internet-facing authentication service. Build a risk register that applies exposure, impact, and mitigating controls to the raw score before it lands on the commander's desk. Units that brief CVSS scores without context train their commanders to ignore cybersecurity briefs. The LT who builds a clear triage methodology — CAT-I open: fix in 30 days or brief the risk acceptance; CAT-II open: 90-day plan with milestone check; CAT-III: track — earns credibility fast.
  3. 03
    Integrate cyber effects requests into the joint targeting cycle per JP 3-12 — understand the coordination with the fires cell, the legal review for Title 10 / Title 50 distinctions, and the time-sensitive targeting timeline.
    Read JP 3-60 (Joint Targeting) alongside JP 3-12 before your first targeting board appearance. The cycle — commander's objectives, target development, capabilities analysis, commander's decision, mission planning, execution, assessment — is the same cycle the fires cell uses; cyber effects requests enter the same queue and compete for the same approval chain. The JAG owns the legal review at every step. Know the Title 10 / Title 50 distinction cold — offensive cyber effects that cross the intelligence-collection line require authorities above the CCDR level, and a LT who frames an effects request without understanding the legal seam will have it returned before the targeting board adjourns.
  4. 04
    Operate under USCYBERCOM / ARCYBER command relationships — understand the CMF construct, your team's mission set, and how authorities flow under Title 10 USC Chapter 18.
    The CMF construct has three team types with distinct missions: National Mission Teams operate under CNMF and defend the nation from significant cyberattacks; Combat Mission Teams plan and execute cyber operations for combatant commanders; Cyber Protection Teams defend priority DoD networks and systems. Title 10 USC § 394 establishes the conduct-of-cyberspace-operations authority for the DoD; USCYBERCOM executes under SECDEF delegated authority. Know where your team sits in the construct, what authority chain governs your team's mission execution, and what the escalation path is when the mission exceeds your team's delegated authority. A LT who treats every tasking as equivalent in authority level is a LT who will produce an incorrect legal review on a mission that matters.
  5. 05
    Mentor your team's enlisted cyber operators (17C Cyber Operations Specialists) through technical task qualification, DCWF role certifications, and the NCOER counseling calendar.
    The 17C NCO carries the hands-on toolset expertise the LT was briefed on in CBOLC. The mentoring obligation runs two directions: build the 17C's career — DCWF credential timeline, school slate, reenlistment counseling, promotion-points awareness — and build the team's technical depth by clearing roadblocks for the NCO to do the technical work rather than inserting yourself as the technical authority. A LT who out-ranks a 17C on paper but tries to out-skill her on the toolset loses both credibility and the team's performance within a quarter.

Manuals & References — What Chapters Matter

  • FM 3-12 — Cyberspace and Electronic Warfare Operations
    The Army's primary cyberspace doctrine. Chapter 2 defines the cyberspace operations framework (OCO, DCO, DODIN-A operations) and the relationship to EW and information operations. Read it before your first BUB brief — the commander's staff has read it and will expect you to know the terminology.
  • JP 3-12 — Cyberspace Operations
    Joint doctrine that governs everything above the DCO-IDM level. The authorization framework, the command relationships under USCYBERCOM, the OCO/DCO/DODIN operations categories, and the deconfliction logic are here. The chapter on authorities and the legal framework is the one to read twice.
  • AR 25-2 — Army Cybersecurity
    The Army regulation that underpins every IAVA compliance cycle, STIG enforcement action, and CCRI/CORA inspection. Know the commander's cybersecurity program requirements and the incident-reporting timeline before you are in the seat that owns those reports.
  • DoDM 8140.03 — Cyberspace Workforce Qualification and Management Program
    The credential framework behind every DCWF role your billet codes — IAT, IAM, CSSP, KSAT categories. Your billet is coded to a work role; the manual tells you which credential satisfies that role. An officer who does not know her billet's DCWF coding is an officer who does not know whether her clearance-adjacent access is at risk.
  • DA PAM 600-3 — Officer Professional Development and Career Management
    The 17A / Cyber branch chapter describes the KD sequence, the post-command billet landscape, the functional area options, and the joint-duty credit that the Army expects a competitive 17A major to carry. Read it before you arrive at first unit so the branch manager conversation is not your introduction to what the career looks like.

Standards — How to Hit Each

  • DoD 8140 / DCWF credential for your coded billet role — IAT-II minimum (Security+); IAT-III or CSSP roles as the billet codes.
    Get Security+ (CE) done during CBOLC or in the pre-assignment window; do not show up to the gaining unit without it. If your billet codes IAT-III (CASP+) or a CSSP role (CySA+, GCIA, GCIH, CEH — the list is in DoDM 8140.03 Annex 1), identify the required cert before you arrive and build a 90-day study plan. The unit will not slow-roll the mission for a new LT's cert timeline.
  • CBOLC graduation and 17A branch qualification.
    CBOLC academics, labs, and field exercises are the technical baseline. Treat the classified lab environments like the real mission — the technical skills that atrophy fastest are the ones practiced least in CBOLC. Take notes that you can reference on NIPR after graduation; the CBOLC materials are the closest thing to a personal reference library the branch gives you before first unit.
  • ACFT pass at the officer standard.
    The Cyber Center's PT program is daily and real. The mistake is treating Cyber as a waiver-friendly branch for the ACFT — it is not. Build a personal PT program that keeps you above threshold on all six events throughout the year; fitness board review is no easier for a 17A than for an 11A.
  • Successful CMF team or DCO-IDM element integration — team DCWF qualification posture accountable and reportable.
    Build a tracking spreadsheet from day one: every team member, their DCWF role coding, their current credential, and the expiration date. Update it weekly. The quarterly readiness report pulls from this data; a LT who cannot produce an accurate qualification roster on 24-hour notice produces a readiness report that the ARCYBER G-3 has to caveat.

Technical Mistakes — Concrete Consequences

  • Briefing a CAT-I finding 'for awareness' without a closure timeline.
    The ARCYBER G-3 or the JFHQ-DODIN element lead reads 'for awareness' as 'I don't own the fix' — the follow-up task goes to the LT with a 72-hour suspense, and the OER bullet reads 'required corrective action from senior leadership to close a CAT-I finding that had been open for 47 days.'
  • Mixing Title 10 / Title 50 authorities without a legal review in hand for an effects request.
    An offensive cyber effects request that crosses the OCO / intelligence-collection line without the appropriate Title 50 (intelligence community) authority goes immediately to the JAG and then to the CCDR's legal advisor — the mission pauses, the requesting LT is in the legal brief, and the chain of command above the LT has to explain the lapse at the next joint planning session.
  • Letting STIG compliance drift because 'operations tempo is high.'
    The CCRI / CORA inspector does not accept OPTEMPO as a CAT-I mitigation — the finding lands in the inspection report as commander-owned, the OER captures it, and the next incoming CO starts command with a known open finding that the departing CO did not close.
  • Treating 17C NCOs as technicians to be directed rather than technical subject-matter experts to be leveraged.
    A 17C NCO who is not trusted with the technical work stops volunteering the operational insight that makes the mission planning accurate — the LT's targeting brief then contains assumptions that the 17C knew were wrong three days earlier and did not surface because the dynamic did not invite it.
  • Posting any detail about mission, tool, target, or authority on an unclassified platform — LinkedIn, a personal blog, a conference presentation, even a social media bio.
    ARCYBER's OPSEC review process has flagged cleared personnel for less — a single post about 'working on government cyber operations' has triggered a clearance review, and the investigation timeline alone is enough to miss a deployment window or a post-KD billet assignment.

Career Decisions at This Rank

  • CMF operational billet vs. DCO-IDM / staff billet at first assignment
    The CMF track (ARCYBER Combat Mission Teams, National Mission Teams, Cyber Protection Teams under USCYBERCOM tasking) builds the operational credibility that the field-grade billet market in cyber rewards — NSA, USCYBERCOM J-3, COCOM J-39 all value LTs who have executed within the CMF construct. The DCO-IDM / staff track builds the planning and staff-officer muscle earlier and is visible to the supported maneuver command in a way that shapes the first OER. Neither is definitively better; what matters is whether the first-unit OER is written by a senior rater who can defend the bullet at a captain's board, and whether the assignment builds the TS/SCI access and joint exposure that the 17A major's field-grade billet market requires. Be honest about where your technical depth is — officers who are strong planners and weak on the toolset should find the staff track more natural; officers with a strong technical background and weaker staff skills should use the first CMF tour to build the operational record while the technical skills are fresh.
  • Pursuing advanced technical certification vs. focusing on leadership/staff development in LT years
    The 17A officer track is not the 17C enlisted track — the branch needs officers who can lead and plan, not the fastest vulnerability scanner in the formation. DCWF credentials for your billet are non-negotiable and should be done first. Beyond that, pursuit of advanced certifications (CISSP, CISM, GCIA, GREM) during the LT years is valuable for the technical credibility it builds, but should not come at the expense of the OER bullets that the captain's board reads. A LT who is studying for CISSP instead of running the targeting-cycle coordination meeting is optimizing the wrong variable. Build the credentials during study blocks and off-duty time; use the duty day to build the leadership and planning record.
  • Remaining in 17A versus early branch transfer / functional area designation
    The Cyber Corps is young and the senior officer cohort is thin. A LT who is genuinely strong in the 17A operational track has above-average promotion visibility simply because the branch size means senior leaders know the junior-officer cohort by name. The case for staying in 17A through the captain's board is strong for officers who are performing well in the operational or planning billets. The case for an early functional area designation (FA24, FA26, FA40, FA49, FA59) is strongest for officers whose talent is demonstrably more strategic or analytic than operational. The decision is not urgent at the LT tier — it becomes real at the captain-to-major window — but the OER bullets you build as a LT either strengthen or weaken the case for staying in 17A at that decision point.
  • Self-nominating for USCYBERCOM / NSA fellowship or exchange program as a LT
    ARCYBER, USCYBERCOM, and NSA run LT and CPT-level fellowship and exchange programs that give short-term assignments to joint and interagency organizations. These are competitive, require command endorsement, and will not all be available at every unit. The value is real — joint exposure at the LT tier builds the JDAL-eligible assignment record earlier than most tracks allow, and the NSA technical fellowship pipeline specifically creates access to toolsets and expertise not available in Army-only assignments. The downside is that time away from the CMF team or the DCO element is time not building the OER bullets the captain's board reads. Self-nominate if the opportunity is available and the senior rater endorses it; do not chase the fellowship at the cost of the current assignment's OER trajectory.

How the Seat Varies by Unit Type

  • ARCYBER CMF element (Combat Mission Teams / Cyber Protection Teams), Fort Eisenhower
    The heartland of Army cyber operations and the assignment where the CBOLC doctrine maps most directly to daily work. You are at the installation that houses ARCYBER, the Signal School, the institutional memory of the branch, and the leadership who will write your OER and then see you again at the next CBOLC iteration. The technical depth in the building is real — civilian GS-13-15 contractors, NSA liaisons, and 17C NCOs who have been running the toolset since before CBOLC existed. The risk is insularity: Fort Eisenhower can feel like a complete world, and LTs who do not build deliberate joint exposure (targeting cycle coordination with a supported COCOM, CPX participation with a division or corps) miss the staff-officer development that the field-grade billet market demands.
  • DCO-IDM element at a corps / division G-6 cyber cell
    The most visible cyber assignment to the maneuver community. You are the G-6's cyber officer, briefing the ADC-M or the G-3 on network posture at the weekly BUB, coordinating STIG remediation across a formation that probably does not know what a STIG is, and running vulnerability assessments on systems the G-6 sergeant major has been defending with legacy configurations since 2017. The assignment builds staff-officer credibility and maneuver-community relationship faster than any other 17A first-assignment track. The downside: the technical toolset is thinner than at a CMF element, the DCWF peer group is smaller, and the first OER depends on whether the G-6 understands what a 17A LT is actually supposed to do.
  • JFHQ-DODIN, Fort Meade
    The highest-classification and most joint first-assignment track available for a 17A LT. JFHQ-DODIN is the operational arm of DODIN defense and the joint force headquarters that coordinates DoD-wide network defense. You are working alongside NSA civilians, USCYBERCOM staff, and a cleared workforce that is technically deeper than any Army-only installation. The pace is staff-intensive; the outputs are briefings, EXORD coordination, and network defense orders that apply across the joint force. An LT assignment at Meade builds the joint-planning and interagency credibility that is rare at the junior-officer level, and the senior raters at JFHQ-DODIN can write an OER visible to the entire cyber community. The risk: you are staff-heavy from the start, and the hands-on CMF operational experience that builds technical credibility for the captain's career track is harder to accumulate.
  • 780th MI Brigade (Cyber) / INSCOM, Fort Meade
    The intelligence-community-adjacent cyber assignment. The 780th is the Army's primary cyber brigade under INSCOM and includes elements that operate at the SIGINT/cyber seam. The assignment builds intelligence-community access and clearance depth that pays dividends at the post-KD major's field-grade billet at NSA or DIA. The daily work is more intelligence-integrated than a pure CMF billet and requires a stronger understanding of Title 50 authorities and the IC coordination process. First-assignment LTs here are working alongside 35-series MI officers and NSA-affiliated personnel; the cultural adjustment from CBOLC is real.

What Good Looks Like at This Rank

The good 17A lieutenant at a CMF element or DCO billet is the one the team lead puts on the planning cell for the next CPX because the threat-model brief will come back accurate, the IAVA posture will be defensible, and the supported command's J-3 will leave the planning conference having understood — for once — why cyber integration matters before H-Hour rather than after the first incident. She runs the five-slide update without being asked, closes CAT-Is on schedule, and has never had a team member's DCWF credential expire while she held the role accountability. The observable signature of the good 17A LT is not technical virtuosity — it is translation. She can brief a two-star who has never run a vulnerability scan and explain, without condescension and without simplification, exactly what risk the network currently carries and what the decision is that needs to be made right now. She can then turn around and brief her 17C NCO team on the same problem with the technical language the operator needs to execute the hunt. The LTs who can only do one of those two things are not bad officers — they are incomplete ones. The senior rater who writes the best OER for a 17A LT describes someone who built the team's qualification posture from scratch, executed CMF mission events without a legal finding, closed a known CAT-I that the previous LT had left open, and submitted a post-exercise AAR to the ARCYBER G-7 that the school used in the next CBOLC iteration. That is the observable record of someone who is ready to command.

Preview — The Next Rank

The captain's seat is where 17A becomes a command track, not just a technical track. The Captains Career Course at the Army Cyber School adds the command-climate, legal-framework, and company-level operational management layer that CBOLC skipped. The KD billet — Cyber Company Command at ARCYBER or a DCO Company at an ASCC — is a small formation by Army standards (50-80 personnel), but it is a formation with security clearances, DCWF obligations, and a readiness construct that reports to USCYBERCOM through a different accountability chain than a rifle company reporting to a BCT. The thing that surprises most 17A captains who came from the LT operational track is the administrative load. A CMF company commander is managing DCWF credential expiration for 60-80 people simultaneously. She is running OER counseling cycles, school-slate coordination, and reenlistment recommendations for a 17C enlisted population that is technically specialized and in high demand in the civilian market — retention is a real problem. The technical work does not stop; it becomes the backdrop against which the command-climate and personnel management work happens. The post-KD billet is where the 17A major's field-grade record gets built — USCYBERCOM J-3, NSA, ARCYBER G-3/G-5/G-7, a COCOM J-39 cyber planner, or DIA. The officers who approach the post-command window with joint-tour credit, a clean clearance record, and a KD OER that the senior rater can defend in a small-branch promotion pool are the ones the HRC 17A branch manager recommends for follow-on at the major's board.
FAQ

17A O1-O2 — Frequently Asked Questions

Q01What does a O1-O2 17A (Cyber Warfare Officer) actually do?
Cyber Basic Officer Leader Course (CBOLC) at the Army Cyber School, Fort Eisenhower runs you through the foundational stack: defensive cyberspace operations (DCO), offensive cyberspace operations (OCO), Department of Defense Information Network-Army (DODIN-A) fundamentals, vulnerability assessment methodology, and the joint planning process as it applies to cyberspace effects.
Q02What's the most important thing to know as a O1-O2 17A?
Cyber Branch is still young enough that the Army is building the doctrine around your career, not the other way around.
Q03What does a typical day look like for a O1-O2 17A?
Time-blocked day at the O1-O2 17A rank tier: 0530-0630 PT formation — unit PT at the cyber element or CMF team level. Fort Eisenhower runs unit PT at battalion level; Fort Meade-assigned elements run PT within smaller team formations. Cardio days anchor Monday and Wednesday; strength days Thursday; team choice Friday. No suppression on PT standards for the technical track, 0700-0730 Shower, uniform, chow — on-post DFAC or personal choice. Fort Eisenhower has standard Army DFAC infrastructure; Fort Meade has a mix of DFAC and civilian food options on post,…
Q04What mistakes get O1-O2 17A soldiers fired or relieved?
OPSEC breach — the cyber community has a sharper OPSEC surface than any other Army branch. A LinkedIn post about government cyber work, a screenshot of a NIPR or SIPR screen on a personal device, a conference presentation that implies current mission capability — all get flagged, all go to the commander's desk, and the cleared-access career is harder to rebuild than it sounds; Clearance reinvestigation failure — a DUI, unreported foreign contact, undisclosed financial issue,…
Q05What career decisions matter most at the O1-O2 17A rank tier?
CMF operational billet vs. DCO-IDM / staff billet at first assignment — The CMF track (ARCYBER Combat Mission Teams, National Mission Teams, Cyber Protection Teams under USCYBERCOM tasking) builds the operational credibility that the field-grade billet market in cyber rewards — NSA, USCYBERCOM J-3, COCOM J-39 all value LTs who have executed within the CMF construct. The DCO-IDM / staff track builds the planning and staff-officer muscle earlier and is visible to the supported maneuver command in a way that shapes the first OER. Neither is definitively better;…
Q06What's next after O1-O2 for a 17A (Cyber Warfare Officer) in the Army?
The captain's seat is where 17A becomes a command track, not just a technical track.
Q07What manuals and regulations does a O1-O2 17A need to know cold?
FM 3-12 — Cyberspace and Electronic Warfare Operations (the Army's primary cyberspace doctrine; read it before your first BUB brief).; JP 3-12 — Cyberspace Operations (joint doctrine; the authorization, coordination, and deconfliction logic that governs everything above DCO-IDM).; AR 25-2 — Army Cybersecurity; AR 380-5 — Department of the Army Information Security Program.

This playbook has no tips yet. Be the first to share what you know.

Published by the Honest MOS Editorial DeskVerified against DoD/.gov sourcesUpdated May 2026Editorial standards