Risk Management Framework Subject Matter Expert- CSLA

Semper Valens Solutions•Sierra Vista, AZ

3d•Onsite

About The Position

Performs functions of a qualified Information Assurance Manager at Level II, such as a pre-deployment Information Systems Security Officer/Manager (IASO/IAM), Information Assurance Technical (IAT) Level II or Computer Network Defense - Auditor (CND-AU) consistent with performance standards and duties outlined in DoD 8570.01-M that is mandated by the DFARS. Personnel in an information assurance management role are responsible for the information assurance (IA) program of an Information System (IS) or major mission application within the Network Environment (NE). Incumbents in these positions perform a variety of security related tasks, including the development and implementation of system information security standards and procedures. They ensure that IS are functional and secure within the Network Environment (NE). Personnel performing senior technical work in this category focus on the enclave environment and support, monitor, test, and troubleshoot hardware and software Information Assurance (IA) problems pertaining to the Computing Environment (CE), Network Environments (NE), and enclave environments. IAT Level III personnel have mastery of the functions of both the IAT Level I and Level II positions. They collect data from a variety of Computer Network Defense (CND) tools (including data from approved information assurance (IA) tools to include intrusion detection system alerts, firewall and network traffic logs, and host system logs) to analyze events that occur within their environment. Then they apply their analytical skills to this data and all compliance with relevant non-technical controls, such as physical security and configuration management, to perform an audit function for the Agent of the Certification Authority (ACA) or other government Information Assurance (IA) Manager for mitigation of risks and reporting to include report generation for certification and accreditation packages or Certification of Net worthiness efforts. When in the Computer Network Defense - Auditor role (CND-AU) personnel perform assessments of systems and networks within the Network Environment (NE) or enclave and identify where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. CND-AUs achieve this through passive evaluations (compliance audits) and active evaluations (penetration tests and/or vulnerability assessments). DoD 8570.01-M spells out the tasks and duties in detail and the DFARS stipulates compliance with the DoD 8570.01-M. Must have a working knowledge of the functions spelled out in DoD 8570.01-M for their role of either IA Management Level II, CND-AU or IAT III.

Requirements

BS in Computer Science or equivalent or an additional 4 years of directly related experience and education.
Must have 7 years' experience with the Army IA process including the application of STIGs and supporting / implementing the A&A process or 11 years without a qualifying degree.
IAT Level II certification or higher (Sec+, CISSP or CASP)

Responsibilities

Draft, modify and provide input for documentation and Technical Deliverables, such as white papers, diagrams, draft executive summaries, integration plan, Service Improvement Plan (SIP), System Design Plan (SDP), EIP, Information System Support Plan (ISSP), Change Management Plan (CMP), users' guides, System Security Plan (SSP), Enterprise Technical Procedures (ETPs), test plans, implementation guides and plans, Lists of Materials, Assess Only packages.
Develop artifacts in support of information systems RMF Assess Only and Assess and Authorize accreditation packages.
Participate in security vulnerability assessments and risk mitigation activities for Enterprise systems/initiatives.
Draft a risk management plan for Government approval and assist the Government in implementing it.
Review and provide comments to the POA&Ms provided by Army Functional and NETCOM Subordinate Units for issues such as non-applied IAVMs, hot fixes, patches, and System Center updates.
Assist the Government in performing the technical tasks associated with the role of Information Systems Security Officer (ISSO).
Assist the Government in performing and documenting the annually required Federal Information Security Management Act (FISMA) IAW the governing Organizations policies and procedures within the Risk Management Framework (RMF).
Assist the Government in developing and providing the documentation and verbal input required for a mission application or information system to be assessed or authorized to operate consistent with the guidance provided by the Government IMO based on policy under the RMF
As required, create, prepare, disseminate, and maintain plans, instructions, and standing operating procedures (SOPs) concerning cybersecurity.
Review the RMF authorization packages, and system fielding, operations, or upgrades requirements