Cloud Service Provider Common Control Analyst

About The Position

Requirements

• Ten (10+) years experience in the cybersecurity field.
• Three (3+) years plus experience performing security control assessments in FedRAMP cloud environment.
• Experience in planning assessments and be a senior member in a team of security control assessors 
• Experience in presenting control requirements and deficiencies to both technical and non-technical audiences.
• Experience performing detailed, full-scope technical security control testing for each of the component types, including development of security and privacy assessment plans is required.
• Ability to analyze information system configurations and technical specifications against NIST SP 800-53 and other overlays 
• Possesses a strong understanding of the NIST Special Publication 800-53 security and privacy controls, the NIST Cybersecurity Framework and other information security and privacy laws and regulations.
• Experience with development and writing of risk-based documentation.
• Experience with Step 4 of RMF process- Assessing Security Controls 
• Strong written and verbal communication skills.
• Strong communication ability across all levels of management.
• Bachelor’s degree or higher in Computer Science’s, MIS/IT, Engineering, Information Security/IA, or related discipline to work requirement 
• ACTIVE  Secret Clearance

Responsibilities

• Review and update existing information security policy, standards, and procedures based on federal and departmental regulations.
• Perform independent security and privacy control assessments in support of Security Assessment & Authorization (SA&A).
• Conduct assessments of existing and new FISMA systems, including subsystems in the respective system boundary, and communicate the results and potential implications of identified control weaknesses.
• Reviews and analyze, Assessment & Authorization (A&A) packages to include System Security Plans (SSP), Risk Assessments, Information System Contingency Plans (ISCP), Back-up Standard Operating Procedures (SOP), Incident Response Plans (IRP), Configuration Management Plans, (CMP), Hardware/Software lists, Network Diagrams, Data Flows, System Change Requests/Proposals, Vulnerability scan reports, test reports, and Plan of Actions & Milestones (POA&Ms) for completeness, accuracy, and document effectiveness of controls, plans and procedures implementation.
• Create and maintain test cases for security assessment testing and perform security testing at the control-requirement level for each unique component of each system (e.g., application, web application server, financial systems, database server/instance, operating systems, specialized appliances, network and infrastructure devices, and end-user devices (e.g., mobile phones, laptops, etc.).
• Develop and execute a security and privacy assessment plan in accordance with NIST SP 800-53A, as amended, requirements, for each security assessment project. SA&A activities shall include support for RMF steps 4-6 
• Document and provide findings and recommendations that are concise, system-specific, and actionable.
• Analyze security tool reports and determine residual risk or false positives from technical reports and artifacts before assigning findings.