Navy Qualified Validator

Dutch Ridge Consulting Group, Norfolk, VA (Onsite)

About The Position

Navy Qualified Validator (Contingent Upon Contract Award)

Company Overview: Dutch Ridge Consulting Group, LLC (DRCG), a United States (US) Small Business Administration (SBA) Certified Service-Disabled Veteran-Owned Small Business (SDVOSB) and ISO 9001:2015 Certified Company, was established in 2016. DRCG is 100% US owned, has over 50 employees, and provides high-quality support staff at ten client locations throughout the US, with corporate offices in Ashburn, VA and Beaver, PA. DRCG delivers expertise in Cybersecurity Engineering and Operations; Cyber Threat Intelligence; Insider Threat Prevention and Detection; Information Technology Solutioning; Systems Integration; Program Management; Policy, Planning, Communications, and Compliance Support; Workflow Solutioning; Risk Management; Business Process Reengineering; and Professional Business Consulting Services. DRCG's technical approach optimizes client investments by leveraging expertise in managing growth and transformation of existing IT environments.

Position Summary: Conduct independent, comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of those controls. Provide independent cybersecurity support, analysis, documentation, and validation services for IT systems. Serve independently as a Navy Qualified Validator (NQV), performing validation activities under the RMF process using Navy Security Control Assessor approved processes, and apply knowledge of DoD or DoN network architectures and policy to the assessment and identification of vulnerabilities as a means of improving operational security posture in accordance with the Risk Management Framework Process Guide series.
Apply Navy Assessment & Authorization (A&A) guidance and policy to achieving/maintaining program objectives on time/schedule and guidance regarding vulnerability remediation and determination of risk posture.

Requirements

  • Knowledge of cyber defense and vulnerability assessment tools, including open-source tools, and their capabilities.
  • Knowledge of organization's evaluation and validation requirements.
  • Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
  • Knowledge of IT security principles and methods (e.g., firewalls, demilitarized zones, encryption).
  • Knowledge of current industry methods for evaluating, implementing, and disseminating IT security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts.
  • Knowledge of risk management processes and methods for assessing and mitigating risk.
  • Skill in determining how a security system should work, including its resilience and dependability capabilities.
  • Skill in discerning protection needs (i.e., security controls) of information systems and networks.
  • Draft statements of preliminary or residual security risks for system operation.
  • Maintain information systems assurance and accreditation materials.
  • Monitor and evaluate a system's compliance with IT security, resilience, and dependability requirements.
  • Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., defense-in-depth).
  • Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
  • Knowledge of cryptography and cryptographic key management concepts.
  • Knowledge of embedded systems.
  • Knowledge of security risk assessments and authorization per RMF processes.
  • Knowledge of new and emerging IT and cybersecurity technologies.
  • Knowledge of structured analysis principles and methods.
  • Knowledge of systems diagnostic tools and fault identification techniques.
  • Knowledge of the organization's enterprise IT goals and objectives.
  • Skill in applying confidentiality, integrity, and availability principles.
  • Skill in identifying measures or indicators of system performance and actions needed to improve performance.
  • Perform validation steps, comparing actual results with expected results to identify impact and risks.
  • Provide technical evaluations of software applications, systems, or networks, documenting security posture, capabilities, and vulnerabilities.
  • Recommend new or revised security, resilience, and dependability measures based on review results.
  • Review security and privacy assessment plans.
  • Review authorization and assurance documents to ensure risk is within acceptable limits.
  • Verify implementation of security postures as stated, document deviations, and recommend corrective actions.
  • Verify currency of software application/network/system accreditation and assurance documentation.
  • Develop security compliance processes and/or audits for external services (e.g., cloud service providers).
  • Knowledge of core business/mission processes.
  • Knowledge of PII data security standards.
  • Knowledge of applicable laws and regulations relevant to security and privacy.
  • Knowledge of local specialized system requirements for critical infrastructure/control systems.
  • Knowledge of an organization's information classification program and procedures for information compromise.
  • Minimum 8 years' experience as an NQV.
  • Proficiency in Enterprise Mission Assurance Support Service (eMASS) and familiarity with DoD Application and Database Management System (DADMS), along with a thorough understanding of National Institute of Standards and Technology (NIST) controls.
  • TS/SCI clearance

Responsibilities

  • Responsible for conducting Validation and Risk Assessment (RA) activities in support of the customer (Validation Security Assessment Testing, System Risk Documentation, System Audits, Security Hardware and Software Testing).
  • Responsible for creating and providing all RMF appropriate artifacts and documentation necessary to plan and execute a thorough test of systems, document the system risks and report on the identified risks as necessary.
  • Produce complete and accurate risk assessments in support of RMF efforts.
  • Actively work with the designated (OPTEVFOR) Information Systems Security Manager (ISSM) to provide final security assessment support and guidance.
  • Required to engage with the system Information Systems Security Engineer (ISSE) and ISSE support staff throughout the RMF process.
  • Responsible for validation events for all OPTEVFOR, cyber OT&E infrastructure, and toolsets.
  • Maintain thorough and current knowledge of RMF and A&A processes and standards.
  • Work closely with system owners, technical leads, cybersecurity staff, and other stakeholders to manage cybersecurity requirements.
  • Execute and conduct analysis of network and system Assured Compliance Assessment Solution (ACAS) vulnerability scans (or other DoD approved tools) to validate appropriate implementation of security controls in accordance with NIST, DoD and DoN publications.
  • Participate in technical meetings and topics, to assist and identify objectives in support of package development.
  • Exercise strong customer service and excellent communication skills in a fast-paced environment.
  • Adhere to guidance outlined in RMF Process Guide and Risk Assessment Guide.