Security Control Assessor

About The Position

Requirements

• CISSP, CISA, Associate of ISC2, CRISC, CISM, CAP, Security+, or other industry-level cyber certification required.
• Bachelor's Degree in Computer Science, Computer Engineering, Information Systems or related field preferred.
• 3+ years of experience in cybersecurity, of those, at least 2+ years in a GRC role or similar (Technology/IT Audit, Internal Audit, IT Consulting, etc.) supporting the assessment and authorization of systems, including continuous monitoring.
• Demonstrated experience with the A&A lifecycle using the NIST RMF.
• Demonstrated experience and knowledge with assessing CCP Programs.
• Demonstrated experience and knowledge of FedRAMP and Cloud Service Providers (CSP).
• Demonstrated knowledge in the field of risk management and compliance to efficiently work on and apply frameworks including ISO, NIST CSF, NIST SP 800-53, NIST SP 800-171, NIST SP 800-137, NIST 1800 series, etc.
• Demonstrated experience with the evaluation and compliance of security policies to align with OMB, DHS, NIST, CNSS, ICD, Congressional and other cybersecurity mandates, and directives.
• Experience with Application Security Audits and Risk Scoring.
• Experience ensuring controls meet legal, regulatory, privacy, policy, standards, and security requirements.
• Maintains updated knowledge in the field of risk management and compliance to efficiently work on frameworks including NIST CSF, ISO, NIST SP 800-53, NIST SP 800-34 etc.
• Strong critical thinking, verbal, written, and presentation skills a must.

Nice To Haves

• Experience with STIG Viewer, SCAP Compliance Checker, Vulnerator, and/or Qualys vulnerability management preferred.
• Experience with CSAM preferred.
• Bachelor's Degree in Information Technology, Cyber Security, Computer Science, Computer Engineering, or Electrical Engineering preferred.

Responsibilities

• Provide independent Security Assessment & Authorization (SA&A) support for agency information systems.
• Conduct security control assessments for information systems in support of the A&A process according to NIST standards.
• Maintain the appropriate degree of independence as required by the Authorizing Official, providing an unbiased and independent assessment of the system to ensure security controls adequately meet applicable requirements.
• Assess the information system based on agency policies and provide recommended corrective actions to reduce risk associated with the system deficiencies and deviations from industry standards.
• Collaborate with system personnel on identified deficiencies, complete the Security Assessment Report (SAR), and provide security authorization recommendations to the Certifying Official or AO.