Cyber Mission Specialist
E-5 (Sergeant) · Coast Guard
At CMS2 you are the watch-floor backbone. The CMS3s on your section are calibrating their technical judgment and their watch habits to your standard — what you log and how you log it, how you work the alert queue, how you escalate during an active incident. In a rating this new, the norms you enforce now are the norms the rating carries forward. Your IAT Level III cert (CISSP, CASP+, or equivalent) is the next credentialing gate — verify the current ALCGPSC advancement message for the required cert tier rather than assuming any particular exam is the right one. And your EER inputs on the CMS3s below you matter more than you think: the chief board for a young rating reads evaluation records hard to determine whether the community produces real leaders or just cert-holders.
- 01CMS2 crow pinned via SWE at the current CGPSC cutting score. Watch floor experience as the senior incident monitor or CPT mission operator.
- 02IAT Level III baseline certification (CISSP, CASP+, or equivalent per the current ALCGPSC message) in active pursuit — exam scheduled and study plan running.
- 03ICS-200 (Basic ICS) certificate current — cyber incident response at Sector and DHS levels runs on the ICS framework; verify current availability via FEMA's online training portal.
- 04Senior watchstander on the primary network defense watch position; qualified to manage the watch section without CMS1 present on routine shifts.
- 05SWE for CMS1 preparation underway — bibliography from the Coast Guard Institute, study schedule built. Verify the current CMS SWE cycle against the most recent ALCGPSC message.
- 06EER inputs for CMS3s and non-rates submitted on time and accurately — observable behavior, measurable output, no inflation. The chief board for a young rating reads evaluation records critically.
- 07Broadening assignment conversation active with CMS1 and CGCYBER chain of command — DHS CISA liaison, joint cyber tour, CGCYBER staff billet, or District cyber advisor assignment to build competitive CMSC record.
- ×Making a containment or eradication call during an active incident without notifying the watch officer. Uncoordinated containment can destroy forensic evidence, alert the adversary to detection, and generate a system availability incident. The watch officer holds the authority; the CMS2 holds the technical expertise. Getting those confused is how a technical recommendation becomes an unauthorized operational decision.
- ×Running the SWE study cycle from a certification prep book rather than the actual CMS rating bibliography from the Coast Guard Institute. They overlap but they are not the same; the SWE pulls from the rating knowledge the CG Institute publishes, not from the cert domain objectives.
- ×Writing EER inputs for CMS3s that are technically accurate but generically worded — 'performed watch duties effectively' instead of 'managed the alert queue during a 4-hour watch with X confirmed IOCs, escalated Y within threshold, maintained contemporaneous log entries.' Generic bullets on a young rating's evaluation record are identified and discounted by the chief board.
- ×Clearance maintenance failure — debt accumulation, unreported foreign contact, conduct issue that triggers a reportable event. The CMS rating is clearance-dependent. One reportable event at CMS2 puts the entire career path at risk, and in a small rating the community manager knows about it before the next duty assignment.
- ×Assuming that CGCYBER's classified mission exempts the normal CG advancement processes. The SWE, the EER, the chief board process, and the physical fitness standard run the same way for CMS as for OS and BM. The CMS2 who thinks 'we do different work' and stops doing the administrative blocking-and-tackling is the CMS2 who does not make CMS1.
A Day in the Life
- 0530-0600Wake up; check personal devices before entering any classified space. Coffee. Badge and clearance documentation confirmed. On watch-transition days this block starts earlier.
- 0600Morning quarters. Watch turnover brief — CMS2 receives the full section status from the outgoing watch supervisor: open incidents, alert queue disposition summary, any pending escalations, and cert tracking items requiring attention.
- 0600-0700Unit PT. Same CG shore-command schedule as any other unit — the CMS2 is not exempt from the formation.
- 0700-0800Hygiene, breakfast, uniform. Brief the CMS3s on the day's watch schedule and training events before assuming the console.
- 0800-1200Primary watch block as the senior watch petty officer. Manage the alert queue, review the CMS3s' first-level dispositions before they close alerts, write the section-level log entries for any escalated events, and maintain the end-of-watch summary in real time throughout the four-hour block. If a CPT assessment is running, this block may include analysis tasks under the CMS1 or team lead's direction.
- 1200-1300Watch handover and lunch. Brief the incoming watch supervisor completely — current open incidents, disposition summary, items requiring action. The handover brief takes as long as it needs to; do not rush it.
- 1300-1430EER input work or tabletop scenario preparation. The tabletop is the CMS2 training deliverable; scenario development happens here, in the quiet middle of the afternoon, not the morning of the event.
- 1430-1600CISSP or CASP+ study session. 60-75 minutes with focused reading and practice questions. The IAT Level III cert study plan is 90-120 days of consistent daily work; the afternoon session is where that happens.
- 1600End of day section debrief. CMS2 covers any notable events from the day's watch. Brief the CMSC on training status for the section if the CMSC attends the debrief.
- 1600-1800Administrative block: PQS tracking for CMS3s updated, training records current, SWE study schedule reviewed against plan. Any EER inputs due this week drafted.
- 1800-2100Personal time or continued cert study depending on schedule. If the exam is within 30 days, this block is dedicated to practice exams and domain review — not casual reading.
- 2100Lights-equivalent. Security documentation secured.
Weekly Cadence
Key Skills — How to Drill Each
- 01Lead a network defense watch section as the senior petty officer — manage the alert queue, direct CMS3s on first-level dispositions, escalate confirmed IOCs to the watch officer, and produce the end-of-watch summary the incoming section uses.The end-of-watch summary is the product that tests watch leadership. It should include: current open incidents with case numbers and disposition status, alert queue statistics for the watch period (alerts reviewed, disposed as false positive with documented rationale, escalated with timestamp and action), any notable anomalies that were worked and closed, and any items requiring immediate attention by the incoming section. Draft it in writing throughout the watch — not in the last ten minutes before relief. The incoming CMS2 who does not have to ask follow-up questions because the summary is complete is the standard.
- 02Execute a CPT assessment mission task — host-based forensics, network traffic analysis, or vulnerability identification — under the team lead's direction, document findings to CGCYBER report standards, and brief results to a non-technical watch officer without losing accuracy.The brief to the non-technical watch officer is the skill that separates the CMS2 who understands what they found from the one who only knows how to run the tool. Prepare two versions of every significant finding: the technical version (system, CVE or indicator, CVSS score, evidence chain, recommended remediation) and the plain-English version that answers 'what does this mean for operations and what needs to happen in the next 24 hours.' The watch officer is briefing up from your language; make their brief accurate.
- 03Apply NIST SP 800-61 incident response phases operationally — identify where the current event sits in the IR cycle without prompting from the CMS1.The four-phase framework (preparation, detection/analysis, containment/eradication/recovery, post-incident activity) is not a checklist to recite — it is a situational awareness structure. Before the CMS1 asks 'where are we?' in an active incident, you should be able to state: which phase the current event is in, what has been completed, what the next decision point is, and what the escalation threshold looks like. The CMS2 who waits to be asked is behind the incident; the CMS2 who briefs the phase status unprompted is running it.
- 04Write defensible EER inputs on the CMS3s below you — observable behavior, measurable output, no inflation.Build a simple running log for each CMS3 on your section: notable events by date, watch log quality notes, cert status updates, tabletop performance. Review it before the EER input cycle, not the week the inputs are due. The standard for a defensible EER input is: if the CGCYBER chief board reads this bullet and asks 'how do you know?' there is a documented answer. 'Performed at the highest level' is not defensible. 'Managed the primary alert queue for 23 watch shifts, maintained zero time-of-detection gaps exceeding 15 minutes' is defensible.
- 05Study the DoD 8140 IAT Level III certification baseline (CASP+, CISSP, or equivalent) — verify which cert the current ALCGPSC advancement message specifies as competitive for the CMS1 SWE.The CISSP requires five years of professional experience in two or more CISSP CBK domains (security and risk management; asset security; security architecture and engineering; communication and network security; identity and access management; security assessment and testing; security operations; software development security). If your total qualifying experience does not yet reach five years, CASP+ is the common interim credential — it does not have the experience requirement and covers enterprise-level technical security. Verify the approved cert list against the current DoD 8570.01-M tables before committing to either exam.
- 06Run a section-level tabletop exercise — scenario development, facilitation, hot wash, after-action with specific findings.A useful tabletop scenario starts with a realistic IOC — something the SIEM at your unit might actually surface, drawn from DHS CISA advisories or the CGCYBER threat intelligence products, not from a textbook. The scenario should have at least two decision points that require the section to discuss escalation logic and IR phase identification. The hot wash runs for 20-30 minutes after the scenario; your job as facilitator is to draw out the specific steps people would have taken, not to lecture. The after-action has to name the specific process gap — 'escalation threshold was unclear for this indicator category' — with a recommended fix, not just 'good exercise, team.'
Manuals & References — What Chapters Matter
- DoDD 8140.01 and DoD 8570.01-M — IAT Level III certification tables and work-role frameworkAt CMS2 you are pursuing the IAT Level III baseline and verifying which cert the rating's advancement structure rewards. The approved cert list is updated periodically by the DoD CIO; verify the current list against both documents and against the most recent ALCGPSC advancement message for CMS before scheduling any exam. The 8570.01-M tables are still the operational reference even as 8140.01 supersedes portions.
- NIST SP 800-61 — Computer Security Incident Handling GuideAt CMS2 you apply this framework operationally — you identify where the active incident sits in the IR cycle and use the phase structure to organize the watch section's response. Read Part II (Organizing a Computer Security Incident Response Capability) for the organizational context and Part III (Handling an Incident) for the operational procedures. This is a public NIST document at csrc.nist.gov.
- NIST SP 800-115 — Technical Guide to Information Security Testing and AssessmentThe federal reference framework for vulnerability assessment and penetration testing methodology that your CPT work is built on. At CMS2 you are executing assessment tasks under the team lead; 800-115 is the technical standard your findings documentation is measured against. Read the sections on examination techniques (review, identify, analyze) and testing techniques (discovery, attack) to understand the documentation standard for each activity type.
- COMDTINST M1000-series — Personnel Manual (advancement, EER, SWE sections)At CMS2 you are writing EER inputs for CMS3s and non-rates. Read the EER policy sections carefully — the mark structure, the narrative requirements, and the supervisor responsibilities. The CIM 1610-series (Enlisted Employee Review) governs the EER system; verify the current revision against the CG Directives System.
- CIM 1610-series — Enlisted Employee Review (EER)You are now writing evaluation inputs on the CMS3s below you. Understanding how the EER mark structure works — how the mark feeds the final multiple, what the supervisor narrative can and cannot say, how the CGPSC reads the trend across multiple rating periods — matters when you are writing the bullets that affect someone else's advancement. The good CMS2 reads the EER instruction thoroughly before writing their first input, not after.
- DHS CISA Cybersecurity Advisory (CSA) archive and current CGCYBER threat intelligence productsThe operational context that makes your SIEM work consequential. DHS CISA publishes current threat actor TTPs (tactics, techniques, and procedures), active vulnerability disclosures, and sector-specific threat advisories. At CMS2 you use these to build realistic tabletop scenarios and to frame SIEM alert categories for the CMS3s on your section. The CISA CSA archive is public at cisa.gov; the CGCYBER threat intelligence products are available through unit channels.
Standards — How to Hit Each
- DoD 8570.01-M IAT Level II current; IAT Level III or specialty cert (CISSP, CASP+, or equivalent per the current ALCGPSC advancement message) in active pursuit.The IAT Level III cert is the credential the CMS1 SWE final multiple rewards. Build the study plan before the SWE registration opens — not when it opens. Verify which cert the current ALCGPSC advancement message specifies as competitive; the approved cert list changes and 'the cert that was competitive for the last cycle' is not a reliable planning assumption.
- Qualified watch supervisor on the primary network defense or CPT support watch position; able to manage the watch section without CMS1 present on routine shifts.The watch supervisor qualification is the test of whether you have actually absorbed the watch-position procedures or just observed them. Run through the watchstation procedures with the CMS1 until you can execute without reference material — the active incident scenario is not the time to be reading the SOP for the first time. The CMS1 signs the watch supervisor qual recommendation; your contemporaneous incident log entries over the past several months are the evidence the recommendation is built from.
- ICS-200 (Basic Incident Command System) certificate current; ICS-300 completed or in progress.Cyber incident response at the Sector and DHS multi-agency level runs on the ICS framework. The free FEMA online courses (IS-100, IS-200, IS-300) are the standard path; verify current availability and completion requirements at the FEMA Emergency Management Institute online training portal. ICS-200 is the floor at CMS2; ICS-300 is the credential that makes you operationally useful in a multi-agency cyber incident at Sector.
- EER marks at or near the unit average; SWE preparation in motion with a bibliography-driven study plan, not a certification-prep-book study plan.Pull the CMS rating bibliography from the Coast Guard Institute and build the study schedule from that list. Supplement with military requirements and leadership topics. The SWE is a CG rating exam; the cert prep book covers the same domain but from a different angle and will leave gaps in the rating-specific knowledge the SWE tests.
- Section tabletop exercise facilitated monthly; after-action with specific findings produced and briefed to the watch officer.Monthly tabletops are the training deliverable the CGCYBER chain of command expects from the CMS2. Build a tabletop schedule at the start of each quarter — four scenarios, each built around a realistic IOC category from the current DHS CISA advisory feed. Run each tabletop to time, produce the after-action within 48 hours, and brief the specific process gap and fix to the watch officer before the next scheduled event.
Technical Mistakes — Concrete Consequences
- Treating a CPT assessment finding as preliminary and not documenting it contemporaneously because 'we'll write it up in the final report.'The final report is built from contemporaneous notes, not from memory. The specific detail that mattered — the exact log entry timestamp, the parameter value that indicated privilege escalation, the network path the lateral movement followed — is the detail that is inaccurate or missing in the final brief when it was not documented at the time. The CGCYBER gaining unit that receives the CPT assessment report and asks 'can you reproduce this finding?' is testing whether the documentation is real.
- Making a containment or eradication call during an active incident without notifying the watch officer.Uncoordinated containment during an active cyber incident can destroy forensic evidence, alert the adversary that they have been detected (changing adversary behavior and reducing intelligence collection value), and create a system availability incident on top of the security event. The watch officer holds the authority for containment and eradication decisions; the CMS2's job is to identify the options, articulate the trade-offs, and wait for the decision. Executing the decision before the authority authorizes it is an unauthorized operational action.
- Letting EER inputs for the CMS3s below you default to generic language because the watch week was heavy.The chief board evaluating the CMS rating's enlisted leadership pipeline reads evaluation records critically. Generic EER bullets on a young rating's CMS3 personnel file — 'performed all assigned duties in a professional manner,' 'solid team player' — signal that the CMS2 either does not understand the EER system or does not take the training responsibility seriously. Either reading is a negative indicator for the CMS2's own advancement. The EER inputs you write on CMS3s are visible to the CMSC board when they evaluate your competitive posture as a CMS1.
- Running the SWE study cycle from a certification prep book instead of the CMS rating bibliography.The SWE is a CG rating examination built from the bibliography the Coast Guard Institute publishes for the CMS rating. Certification prep books cover the same cybersecurity domain but from the exam-domain angle, not the CG rating-knowledge angle. The CMS2 who passes the CISSP but misses the CMS rating-specific SWE questions because their study material did not cover the rating bibliography is the one who does not make the advancement list.
- Assuming that because CGCYBER's mission is classified, the normal SWE, EER, and physical fitness standards work differently than they do for OS or BM.They do not. The Servicewide Examination, the EER mark structure, the PFT cycle, and the body composition standards are identical for CMS as for every other CG rating. The CMS2 who stops doing PFT prep because 'we do cyber work' fails the PFT in front of the CGCYBER chain of command in a small technical unit where one failed PFT is remembered by everyone in the rating community.
Career Decisions at This Rank
- Pursue CISSP versus CASP+ as the IAT Level III credentialing path for the CMS1 SWE.The CISSP requires five years of professional experience in two or more of the eight CISSP CBK domains — which means a CMS2 with two to three years in the rating may not yet qualify for the CISSP exam. The CASP+ (CompTIA Advanced Security Practitioner) has no experience requirement, covers enterprise-level technical security, and is on the current DoD 8570.01-M IAT Level III approved cert list. If you are CISSP-eligible (five years qualifying experience), the CISSP is the credential the federal civilian and contractor markets pay a premium for — $120K-$180K+ in cleared cyber roles — and it is worth pursuing. If you are not yet eligible, CASP+ is the right interim credential rather than waiting. Verify which cert the current ALCGPSC advancement message specifies as competitive for the CMS rating before committing to either path; do not pick based on what another rating's advancement message said or on what looks most impressive on a civilian resume.
- Seek a broadening assignment (DHS CISA liaison, joint cyber tour, CGCYBER staff billet) versus staying on the CGCYBER watch floor to build depth.The honest answer is that both the depth path and the broadening path are legitimate, and the decision depends on what your CMSC board competitive posture actually looks like. The CMS2 who has excellent watch depth — primary and secondary watch quals, a full IAT Level III cert, defensible EER inputs — but no broadening exposure is a technically strong candidate but a narrow record. The CMS2 who went broad early (joint tour, CISA liaison) but does not have strong watch qualifications or an IAT Level III cert is a broad record without the technical depth the small cyber rating needs. The right move is to talk honestly with the CMS1 and the CMSC about what your specific record needs — the broadening assignment they know is coming available, or the depth year that solidifies the technical base before the assignment. Do not make this decision by guessing.
- Reenlistment decision — stay in CMS through CMSC board competitiveness, lateral to IT or another rating, or plan a deliberate ETS with the credential set built.The compelling argument to stay through CMS1 or CMSC: an operational CPT record, an active clearance, CISSP or CASP+ plus CySA+ plus Security+ stacked, and EER blocks that show supervisory competence is a credential combination the federal civilian and cleared contractor market pays $120K-$180K+ for in DHS, NSA-adjacent, FBI Cyber Division, or defense contractor roles. The CMS member who builds this profile and separates at ten to twelve years of service is often better positioned financially than the member who stayed to twenty in a small rating with narrow billet options. The compelling argument for lateral transfer: if the shore-based cyber watch mission is not engaging you and you want shipboard IT operations, a broader billet set, or a rating with more predictable advancement patterns, the IT rating is the natural lateral. The compelling argument for staying CMS all the way: if the CGCYBER mission engages you and you want the senior enlisted leadership of a young, technically elite community, the CMSC and CMSCS pipeline in a maturing rating is a distinctive career. Make the decision based on honest assessment of which career you want, not on SRB figures.
- Begin the ICS-300 / ICS-400 certification path now versus waiting until CMS1.Start it now. Multi-agency cyber incident response at Sector and DHS levels runs on the ICS framework, and the CMS2 who cannot participate fluently in an ICS-structured incident management structure is a liability in a joint response. ICS-200 is the baseline; ICS-300 (Intermediate Incident Command) makes you useful as a participant; ICS-400 (Advanced Incident Command for Command and General Staff) is where the CMS1 conversation starts. The FEMA online courses are free and the certificates are recognized. A CMS2 who shows up to the CMS1 SWE cycle with ICS-300 done is demonstrating the broadened leadership portfolio the advancement structure rewards.
How the Seat Varies by Unit Type
- CGCYBER watch floor (Hampton Roads, VA) — primary assignmentThe highest-density peer and leadership environment available in the CMS rating. Multiple CMS1s and CMSCs on the floor, a CPT element running assessments, classified operational tempo, and the institutional norms that are still being built in real time. The CMS2 at CGCYBER is at the center of the rating's professional development conversation — which means the best mentoring, the most direct feedback, and also the most visible performance environment. Your watch log entries, your tabletop after-actions, and your CMS3 EER inputs are visible to the CMSC and to the CGCYBER senior enlisted network.
- District or Area cyber elementSmaller team, more autonomous operations, often a single CMS2 on the section with no CMS1 immediately present during routine watches. The District billet accelerates watch leadership experience — when the CMS2 is the most senior enlisted person on the floor, they own every decision that does not require the watch officer — but it also means more self-directed professional development. The tabletop program, the cert tracking, and the SWE study plan are driven by the CMS2's own discipline rather than by the CGCYBER peer environment. The CMS2 who thrives here is self-managed and honest with themselves about whether the week's professional development plan actually happened.
- DHS CISA liaison or joint cyber tourA broadening assignment available at limited billets, typically at CMS1 or competitive CMS2. At a CISA liaison billet the CMS petty officer works within a federal civilian and interagency environment — the pace, the bureaucratic structure, and the organizational culture are materially different from CGCYBER. The credential benefit is real: joint or interagency experience in a cyber operations environment plus an active clearance is a competitive combination at separation. The challenge: operating effectively outside the CG structure requires more self-direction than most shore billets, and the CGCYBER chain of command is less immediately present when a professional development question comes up.
What Good Looks Like at This Rank
Preview — The Next Rank
CMS E5 — Frequently Asked Questions
Q01What does a E5 CMS (Cyber Mission Specialist) actually do?
Q02What's the most important thing to know as a E5 CMS?
Q03What does a typical day look like for a E5 CMS?
Q04What mistakes get E5 CMS soldiers fired or relieved?
Q05What career decisions matter most at the E5 CMS rank tier?
Q06What's next after E5 for a CMS (Cyber Mission Specialist) in the Coast Guard?
Q07What manuals and regulations does a E5 CMS need to know cold?
This playbook has no tips yet. Be the first to share what you know.