SPA Job - 49149523 | CareerArc
Company: SPA
Location: Chantilly, VA
Career Level: Entry Level
Industries: Manufacturing, Engineering, Aerospace

Description

Qualifications

Required Skills:

  • Expert knowledge and hands-on experience with Risk Management Framework (RMF) NIST 800-series guidelines, FIPS, Security Assessment & Authorization (SA&A) requirements and processes, Continuous Monitoring Framework experience and its tools, Plan of Action & Milestones (POA&M) policies, and vulnerability/patch management.
  • Experience with SAP/SCI systems, to include Platform IT (PIT).
  • Proficient understanding of vulnerability and scanning tools and well-versed in interpreting risk posture resulting from assessment reports.
  • Experience in project management and tracking, and the Microsoft suite of office products.
  • Experience with assessing cloud-based security authorizations (FedRAMP, AWS & Azure) as well as the NIST control responsibilities.
  • Experience with SCI/DCID, SAP/JSIG, and other special enclave DOD and Intelligence community standards and guidelines.
  • Expert in documenting and/or reviewing security materials such as System Security Plans (SSP), Security Assessment Reports (SAR), and Security Assessment Plans (SAP), and other documents per NIST 800 guidelines.
  • Experience creating Security Assessment Plans, Security Assessment Reports, and executive-level briefings (to include risk analysis reports, analyses of alternatives, and decision briefs).

Qualifications:

  • Master's degree or higher with experience in classified program IT support strongly preferred. May be substituted with a Bachelor's degree and 10+ years of relevant experience, or an Associate's degree and 10+ years of relevant experience.
  • DOD 8140 IAM Level I, with advancement to Level II (CAP, CASP, CISM, CISSP, GSLC, CCISO), may be substituted for the Master's degree and experience.
  • Top-Secret Clearance with SCI eligibility is required.
  • Performing work onsite is required. Occasional travel is required to performer sites for evaluations, test events, site visits, etc.
  • Must be (or achieve within six months) DOD 8140 IAM Level III (CISM, CISSP, GSLC, consistent with current guidance in DOD 8140).


Responsibilities

This position is a senior Security Control Assessor role for an OSD organization and includes higher-level program and IT analysis skills and experience. The title SCA doesn't cover the depth or breadth of the position, but serves as a common reference. This position serves as an information technology subject matter expert specializing as an information security system analyst, program security support, and architecture/control assessor. Responsible for all levels of classification up to and including TS//SAR/SCI, applicable to all internal and external (performer-built) networks and IT services. The position has a large range of expectations, and is responsible for supporting the Principal Authorizing Official (PAO), CIO, and CISO in all phases of the assessment and authorization process.


Duties include:

  • Support the development, implementation, and monitoring of a strategic information security and IT risk management program.
  • Serves as representative of the Principal Authorizing Official (PAO), CIO and CISO when interacting with system owners, system integrators, and ISSM/Os.
  • Advising the PAO on risk determinations and Approval to Operate.
  • Propose technical and non-technical methods to meet RMF requirements and decrease overall system risk and mission impact.
  • Enhance the cybersecurity program of the customer and its constituent organizations through technical thought leadership and mentoring of junior staff.
  • Advise the Information System Owner (ISO) concerning the impact levels for Confidentiality, Integrity, and Availability for the information on systems.
  • Serve as a cybersecurity technical advisor to the CISO and AO under their purview.
  • Identifies areas to reduce IT risk while maintaining mission effectiveness.
  • Researches and executes security management solutions; assists in defining the organizational cybersecurity roadmap.
  • Support the early stages of the organization's programs, to include identification of overall cybersecurity risk associated with project missions, analysis of project cybersecurity needs, determination of anticipated project performer cybersecurity requirements, advising the GPM on courses of action that appropriately balance mission and cybersecurity risk, and assisting projects in aligning with CIO / ITX best practices and procedures.
  • Execution: Assisting GPM and performers on establishing appropriate Risk Management Framework (RMF) governance for the project, advising CIO / AO on security control assessment workloads associated with projects, makes recommendations for cybersecurity reciprocity in project buy vs. build analyses, reviews and advises on Interconnection Security Agreements, serves as independent reviewer of performer activities associated with RMF stages, advises CIO / AO / ISO / SCAs on system security categorization and control selection appropriate to level of project risk.
  • Transition: Serves as organization's primary POC for transition of system Authorization To Operate (ATO) to transition partner AOs, analyzes transition partner organizational risk tolerance and recommends courses of action if divergent from organizational risk tolerance, coordinates with transition partner cybersecurity SMEs and SCAs to ensure smooth transition of cybersecurity responsibilities.
  • Conducts RMF closeout activities associated with systems employed on projects that are not incorporated within transition package to partners.
  • Conduct and document a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by information systems.
  • Maintain current knowledge on latest cybersecurity technologies, threats, vulnerabilities, and mitigations.
  • Determine the overall control effectiveness through documentation review, inspections, testing, and interviews.
  • Assessment package review and feedback that focuses on the Body of Evidence (BoE) documentation submitted to support the various steps of the Risk Management Framework (RMF).
  • Evaluate security assessment documentation and provide written recommendations for security authorization to the CISO and AO.
  • Provide an assessment of the severity of weakness or deficiencies and recommend corrective actions to address identified vulnerabilities. Assessments may include applications, hardware, software, administrative and Platform IT systems and components.
  • Initiate a Plan of Actions and Milestones (POA&M) with identified weaknesses and suspense dates for each IS where needed based on findings and recommendations from the SAR.
  • Integral to the development of the monitoring strategy. The system-level continuous monitoring strategy must conform to all applicable published DoD enterprise-level or DoD Component-level continuous monitoring strategies.
  • Provide support to Cybersecurity incidents, investigations, and overall security program of the customer.
  • Provide assessment of proposed technology (hardware, software, and firmware) for Cybersecurity vulnerabilities.
  • Technical evaluation of the security controls implemented within applications, hardware, operating systems, and network devices across a broad spectrum of commercial and government-developed technologies.
  • Assess proposed changes to Information Systems, their operational environment and mission needs within the scope of system authorization.
  • Preparing Security Assessment Reports that focus on the assessment of an information system in support of the authorization determination.
  • Interface with other cybersecurity organizations, both within and external to the federal government.
  • Support cybersecurity incident response as necessary at the direction of the AO.
  • Assess proposed changes to Information Systems, their environment of operation, and mission needs that could affect system authorization.
  • Determine and document in the SAR a risk level for every noncompliant security control in the system baseline.
  • Determine and document in the SAR an aggregate level of risk to the system and identify the key drivers for the assessment. The SCA's risk assessment considers threats, vulnerabilities, and potential impacts as well as existing and planned risk mitigation.
  • Develop the continuous monitoring plan specific to the information system.
  • Standardize IT security control and risk decisions across administrative and program IT investments.
  • Implement and oversee security processes and policies.
  • Leads cybersecurity incident response and coordinates between program, department, and law enforcement personnel.

