Federal Cyber Defense Skilling Academy – Cyber Defense Incident Responder (CDIR) Pathway
Learn the Skills of a Cyber Defense Incident Responder
CISA’s Federal Cyber Defense Skilling Academy provides full-time federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program. Those interested in developing foundational cybersecurity skills are encouraged to apply.
The Cyber Defense Incident Responder Session Is Now Closed
Continue to check back for future session dates!
The Federal Cyber Defense Skilling Academy - Cyber Defense Incident Responder (CDIR) Pathway
- What is the Cyber Defense Incident Responder Pathway?
The Skilling Academy’s Cyber Defense Incident Responder (CDIR) Pathway helps full-time federal employees develop their cyber defense skills through training in the baseline knowledge, skills, and abilities of a cyber defense incident responder.
Cyber defense incident responders investigate, analyze, and respond to cyber incidents within the network environment or enclave.
The CDIR Pathway prepares students to respond to crises or urgent situations, enabling them to mitigate immediate and potential threats while investigating and analyzing all relevant response activities. Students are introduced to fundamental concepts of network protocols and traffic analysis through hands-on labs, and they dive into the essential skills necessary to perform day-to-day functions of response and remediation. Some of the topics students will be exposed to include the following:
- Mitigation, Preparedness, and Response to Cyber Incidents
- Introductory Malware Analysis
- Basic Cyber Defense Measures
- Recovery Approaches to Maximize Survival of Life, Preservation of Property, and Information Security
Through the CDIR Pathway, students begin to develop the skills necessary to accurately identify, assess, and mitigate security incidents within a digital environment. It is important to note that these skills serve as a starting point, and additional practice and experience may be necessary for students to fully excel in this work role.
- Who Can Apply?
The Cyber Defense Incident Responder (CDIR) Pathway is an intermediate, fast-paced, three-month course. Applicants from all skill levels can apply; however, the Skilling Academy strongly encourages applicants to have prior exposure to cybersecurity concepts and practices before participating.
Prospective CDIR Pathway students may strongly benefit from a foundational understanding of the following:
- Basic Cybersecurity Analysis and Operations
- Systems Administration
- Information Security
- Basic Operating System (OS) Application
- Network Fundamentals and Operations
All full-time federal employees, in any job series and any grade or grade equivalent for non-General Schedule (GS) employees, are eligible to apply to CISA's Federal Cyber Defense Skilling Academy. Government contractors are not permitted to participate.
Each session has limited capacity. Applicants should commit to attend, participate, and complete the entire rigorous, three-month session.
Participants must register using a “.gov/.mil” email address.
Visit the National Initiative for Cybersecurity Careers and Studies (NICCS) website for comprehensive information on Incident Response.
- Participation Expectations
While in the Skilling Academy, students must abide by the requirements stated below, as agreed to in the Supervisor and Applicant Agreement and Approval Form. There are very limited exceptions to these requirements.
- The applicant is currently a full-time federal employee within the United States Government.
- The Skilling Academy will be the student's sole focus for the 40-hour, full-time work week during the entire three-month duration of the course.
- Students will refrain from conducting activities associated with their regular duty assignment, including, but not limited to, meetings, calls, and work deliverables.
- Depending on agency requirements, accepted students may be required to complete an SF-182 to receive approval from their organization to attend the Skilling Academy. Applicants should discuss the requirements of the Skilling Academy with their supervisor to ensure session requirements can be fulfilled. Applicants are responsible for working with their supervisor to confirm compliance with their home agency’s policies, to include any necessary timekeeping to ensure salary payments from their home agency are not interrupted.
- During the Skilling Academy’s instruction periods, students will be required to be on camera and in business casual attire for every class.
- Due to the rigorous and fast-paced cadence of the course, the Skilling Academy strongly advises students against taking scheduled leave during the course. If a student accrues eight unexcused absences or does not finish 20% of the labs in the Skilling Academy, they will be marked as incomplete and will not graduate from the program. Students may, however, apply to future sessions.
- Sick leave and emergency personal leave are permitted; however, it is the student’s responsibility to make up any missed class content as soon as possible.
- To ensure students do not fall behind, missed instruction days and lab work must be made up by accessing class recordings and self-study materials. Class recordings are available for two weeks after each session.
- If a student fails to complete the required work assigned in the allotted class time, the student agrees to complete the required work as soon as possible.
- If a student decides to withdraw from the session after the start date, a formal withdrawal form signed by the student’s supervisor will be required.
- To fully participate in the Skilling Academy, students must have access to the following hardware and software requirements:
Minimum Configuration Requirements
- Personal or GFE laptop* or desktop computer with Windows 10 or newer
- Speakers or headset
- Camera
- Microphone
- Internet bandwidth: 10 Mbps
- CPU: 1.1 GHz, Dual Core
- RAM: 4.0 GB
- Browser: IE, Edge, Chrome, Firefox, Safari
- Apps: MS Teams
- Email: Access to federal government email account
*If you do not have a GFE laptop or desktop, you may be able to access your federal government email account and MS Teams account through another means. Contact your agency’s IT service desk for more information on accessing your federal email through non-GFE devices.
Recommended Configuration Requirements
- Internet bandwidth: 50+ Mbps
- CPU: 2.0 GHz, Quad Core or better
- RAM: 8.0+ GB
- Secondary monitor
- Sample Class Schedule
Below is a sample schedule of a typical day during the Skilling Academy. All students will be required to join virtually Monday through Friday from 8 a.m. to 5 p.m. ET, excluding federal holidays. Students will not be able to maintain their alternative work schedule during the Skilling Academy. Students will return to their regular duty assignment during breaks unless the home agency has approved leave.
| Time | Event |
| --- | --- |
| 8:00 AM - 8:10 AM ET | Review daily agenda, answer any questions |
| 8:10 AM - 10:00 AM ET | Lectures |
| 10:00 AM - 12:00 PM ET | Lab time |
| 12:00 PM - 1:00 PM ET | Lunch break |
| 1:00 PM - 2:30 PM ET | Lectures |
| 2:30 PM - 4:50 PM ET | Lab time or self-study |
| 4:50 PM - 5:00 PM ET | Wrap up for the day |

*10-minute breaks will be given approximately every hour.
What Students Learn:
Cyber Defense Incident Responder (CDIR) Pathway coursework is mapped to the NICE Workforce Framework for Cybersecurity (NICE Framework) and provides valuable hands-on experience to practice CDIR skills in a lab environment. As an added incentive, students receive CompTIA’s Cybersecurity Analyst (CySA+) training and a voucher to take the certification exam. The CDIR Pathway includes the following instructor-led modules:
- IR101 – Introduction to Incident Response
Using real-world case studies, as well as other concepts, this module introduces students to the emerging threat of digital incidents. Students learn incident handling and how to best respond to a multitude of potential incidents. They explore the appropriate steps of the incident response process: preparation, identification, containment, eradication, recovery, and lessons learned.
- IH400 - Incident Detection and Response to an Advanced Persistent Threat (APT)
This module provides training on incident detection, response, and handling basics for tracking malware and malicious activity throughout a network.
- PEN450 - Hacking and Web Exploitation
This module introduces students to the tools and techniques used in hacking and web exploitation, basic penetration testing techniques, basic web application attacks, defensive measures, and cryptographic techniques. At the conclusion of this module, students will understand the basic tools of offensive cybersecurity and which situation each tool is appropriate for. Students will also understand basic defense measures and obtain some practice in counteracting cyber incidents.
- CYP100 - Introduction to Cryptography
This module covers the security of information systems, information entropy, classical cryptographic algorithms, symmetric cryptography, asymmetric/public-key cryptography, hash functions, message authentication codes, digital signatures, key management and distribution, and other fundamental cryptographic primitives and protocols.
- PEN500 - Pentesting and Network Exploitation
This module exposes students to all manner of reconnaissance, scanning, enumeration, exploitation, and pillaging for 802.3 networks. Additionally, the topics expose students to a variety of recon, discovery, scanning, enumeration, exploitation, post-exploitation, pillaging, covering one’s tracks, and persistence.
- FOR300 - Basic Digital Media Forensics
This module is an optimal starting point for individuals looking to expand their forensic knowledge. It outlines several ways to achieve forensic goals while ensuring all processes are completed in a forensically sound manner. The chain of custody and evidence handling are addressed, as well as what to do and what not to do when dealing with “live” evidence.
- FOR400 - Fundamentals of Network Forensics
This module expands on acquired networking knowledge and extends into the computer forensic mindset. Students learn about common devices used in computer networks and where useful data may reside. Students also learn how to collect that data for analysis using hacker methodology. Additionally, the module covers information related to common exploits involved in Windows server systems and common virus exploits. Students learn how to recognize exploit traffic and discern between attacks and poor network configuration.
- FOR500 - Forensic Investigations and Evidence Handling
This module covers the investigative aspect of properly handling and analyzing a variety of digital media. Students gain an understanding of how to implement chain of custody, how to properly process media so that it could be used in a court of law, and how to acquire data that will aid in forensic investigation. Throughout this module, students learn tactics and techniques for effective forensic analysis. This module also focuses on data integrity and how to ensure that no data is altered during the investigation.
- MAL400 - Fundamentals of Malware Analysis
This module introduces students to theoretical knowledge and hands-on techniques for analyzing malware. Students learn how to identify and analyze software that causes harm to users, computers, and networks as part of an overall cyber defense and incident response plan. Understanding how malware works and what it was designed to do is crucial to thwarting future attacks.
- FOR410 - Mobile Device Forensics
This module introduces mobile devices and their value in forensic investigations. Training addresses the methods used to store data, as well as the areas of the mobile device where data is stored and how to access it. The module also discusses mobile device removable media and the role it plays with the mobile device. Students learn about network technology as well as three tools specifically designed for mobile device acquisition.
- CYBRScore Final Assessment - Cyber Defense Incident Responder
The CYBRScore® Cyber Defense Incident Responder assessments are designed to assess an individual’s knowledge, skills, and abilities related to investigating, analyzing, and responding to cyber incidents within the network environment or enclave.
- CompTIA Cybersecurity Analyst (CySA+) Course and Certification
This module introduces tools and tactics to manage cybersecurity risks, identify various types of common threats, evaluate the organization's security, collect and analyze cybersecurity intelligence, and handle incidents as they occur. The CompTIA Cybersecurity Analyst (CySA+) certification exam is an intermediate-level credential for cybersecurity professionals. The behavioral analytics skills covered by the CompTIA CySA+ certification identify and combat malware and advanced persistent threats (APTs), resulting in better threat visibility across a broad attack surface by focusing on network behavior, including an organization’s interior network.
- Responding to an Incident Capture the Flag (CTF)
In this CTF scenario, students are faced with an incident and need to execute the appropriate response steps. Students need to remember steps learned throughout the course to identify, investigate, and appropriately respond to the incident. Students must provide an investigative conclusion document.
Upcoming Sessions
Information about upcoming courses and schedules will be announced in FY25.
How to Apply
Apply for the Skilling Academy in two simple steps:
- Complete the application package – The application package consists of a Federal Resume, Statement of Interest and Supervisor and Applicant Agreement Form.
- Submit the completed application package – Submit your application package through your federal government email address.
Please review the FAQs before applying.
Frequently Asked Questions
Have questions? Learn everything you need to know and more about the Federal Cyber Defense Skilling Academy by reading the FAQs below.
Contact Us
Need more information?
Contact the Skilling Academy Team by emailing SkillingAcademy@cisa.dhs.gov. Emails are typically responded to within three business days.
Federal Cyber Defense Skilling Academy Privacy Act Statement
Authority: 5 U.S.C. § 301, 44 U.S.C. § 3101, and 6 U.S.C. 652(c)(11) authorize the collection of this information.
Purpose: The information gathered will be used to establish the federal applicant's eligibility for the Federal Cyber Defense Skilling Academy, and if selected to participate in the program, create a Cyberworld Institute (CWI) and COMTECH Corp. account, contact students about opportunities for cyber security training, and provide information about the classes offered by the Skilling Academy.
Routine Uses: Information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/All-003 Department of Homeland Security General Training Records, November 25, 2008, 73 FR 71656 and DHS/ALL-004 General Information Technology Access Account Records System (GITAARS), November 27, 2012, 77 FR 70792. If accepted into the program, names and email addresses will be disclosed to Cyberworld Institute (CWI) and COMTECH Corp. to allow access to the learning content.
Disclosure: Providing this information is voluntary. However, failure to provide this information may prevent CISA from deciding applicant eligibility, creating a Cyberworld Institute (CWI) and COMTECH Corp. account if selected to participate in the program and contacting you in the event there are queries about your request or registration.