MW
MoxyWolf · STIG Viewer
Roles & occupations span every framework — read the journey either direction
Reference Poster · v2 (3-column) 2026-06-18 · Tabloid 11 × 17 in
The Multi-Lensatic Compliance Journey
Every framework hop has an owner. NICE Work Roles run down the left, O*NET Occupations run down the right, and the framework spine — Regulation → SCF → NIST 800-53 → CCI → STIG — runs through the middle. Read it from the top to scope the fix, or from the bottom to claim the credit.
Walk it forward. Start at a regulation. End at the technical check and the sysadmin who owns the fix.
↑ ↓ BOTH WAYS
Walk it in reverse. Fix one STIG finding, and surface every regulation that finding helps you satisfy.
Worked Example
GLBA Safeguards Rule § 314.4(c)
Accountable for the workNICE Work Role
Framework spineRegulation → STIG
The labor-market viewO*NET Occupation
NICE Oversight & Governance
OG-WRL-001
Cybersecurity Management
Executive accountability for the program. Reads the regulation, scopes the obligation, owns the policy that lands underneath it.
1 RegGenome · Regulatory document
GLBA Safeguards Rule — 16 CFR Part 314
FTC · Final Rule · cyber relevance 88 · 0f3c…-glba-314
O*NET Management Occupations
11-9199.02
Compliance Managers
Plan, direct, or coordinate the organization's compliance program for regulations such as GLBA.
NICE Oversight & Governance
OG-WRL-002
Program Management
Translates the regulatory obligation into a controlled program of work — projects, owners, deadlines.
2 RegGenome · Actionable item
§ 314.4(c) — Design and implement safeguards
“Design and implement safeguards to control the risks identified through risk assessment.” · action_id 412
O*NET Management Occupations
11-3021.00
Computer & Information Systems Managers
Plan and direct activities such as electronic data processing, information systems, and systems analysis.
NICE Design & Development
DD-WRL-001
Cybersecurity Architecture
Owns the mapping from obligation to control — the architecture decision that ties one to the other.
3 SCF · Cross-mapping spine 1 of 6 controls
CRY-05 — Encryption of Data at Rest
Domain: Cryptographic Protections · STRM Equal To (10) · SKOR Exact Match · One thread of a 6-control fan-out for this clause.
O*NET Computer Occupations
15-1241.00
Computer Network Architects
Designs and implements computer and information networks, including security architectures.
A note on the simplification — § 314.4(c) actually fans out to 6 SCF controls
Drawn 1 of 6 for clarity
CRY-05shown above
SEA-01.1also satisfies
SEA-01also satisfies
CPL-01also satisfies
GOV-01also satisfies
GOV-02also satisfies
A granular requirement maps one-to-one; a high-level intent statement maps one-to-many. The older and more loosely-worded the regulation, the wider the fan-out. HIPAA, GLBA, and SOX — all 20–30+ years old — are dense with this pattern: a single clause needs multiple SCF controls layered together for a reasonable person to call it satisfied. Every fan-out thread runs through the same six-stage spine shown above; we draw one to keep the picture legible.
“‘Design and implement safeguards to control risks identified through risk assessment’ is a perfect example of immense subjectivity — what evidence of due diligence and due care would withstand external scrutiny?” — Tom Cornelius, founder · Secure Controls Framework
NICE Design & Development
DD-WRL-004
Security Control Assessment
Selects the baseline and assesses control effectiveness against the federal catalog.
4 NIST 800-53 Rev 5 · Federal control catalog
SC-28 — Protection of Information at Rest
Family: System and Communications Protection · resolved via the RegGenome 800-53 catalog (control_id 2767 → SC-28).
O*NET Computer Occupations
15-1212.00
Information Security Analysts
Plan, implement, upgrade, or monitor security measures for the protection of computer networks and information.
NICE Protection & Defense
PD-WRL-001
Cybersecurity Analysis
Maps controls to the concrete evidence DISA expects — the CCIs that turn a control statement into testable findings.
5 DISA · Control Correlation Identifiers
CCI-001199 · CCI-002475 · CCI-002476
The CCIs DISA assigns to SC-28 — the bridge between an abstract control and the concrete checks every STIG runs.
O*NET Computer Occupations
15-1212.00
Information Security Analysts
Conduct security audits, document deficiencies, and recommend mitigations against measurable evidence.
NICE Implementation & Operation
IO-WRL-005
Systems Administration
Tier: Primary · the role that physically remediates the finding on the box.
6 DISA STIG · The technical check
V-254498 — Windows Server 2022
“Information at rest must be encrypted using FIPS 140-2/3 validated cryptographic modules.” · CAT II · V1R3 · SC-28 resolves to ~130 checks across 89 STIGs.
O*NET Computer Occupations
15-1244.00
Network & Computer Systems Administrators
Install, configure, and support an organization's local-area network, wide-area network, and Internet system.
Why SCF is the load-bearing hop
Without SCF there is no path from “GLBA” to “NIST 800-53.” With it, the rest of the chain — which we already operate, all the way to the accountable role — does the rest.
Your lens · jump to your seat in the stack
Regulatory RegGenome Stage 1 — Regulation → Workforce NICE NICE Work Role column → Certification CREST Future Forward → Integration Strike Graph Stage 6 — STIG check →
↗ Future Forward — extending the journey past the role
Partnerships in flight
CREST certifies each role; EC-Council trains it. Every upgrade is a certification moment, and every certification moment routes a candidate to you.
CREST
CREST Certifies the role
Once we know the NICE work role accountable for the fix, CREST tells us which professional certification certifies that role — closing the loop from regulation to credentialed practitioner.
EC-
Council
EC-Council Trains the role
Each accountable role maps to an EC-Council training pathway, so a gap in coverage (or an upgrade in scope) becomes a candidate pipeline back to your team — already routed to the curriculum that prepares them.
Source & methodology: Cross-mappings provided by the Secure Controls Framework (SCF) v2026.1.1 — © SCF Council, LLC. Resold under license by MoxyWolf. The NICE Workforce Framework and the NICE ↔ O*NET crosswalk are MoxyWolf's production data. NIST 800-53 codes and CCI references are public DISA / NIST authoritative content. Learn more at securecontrolsframework.com.