Security Controls Assessor - Senior

About The Position

Requirements

• This position requires an active ​Public Trust​ clearance or the ability to obtain a ​Public Trust​ clearance to be considered.
• Applicant MUST have prior US Navy or Coastguard Maritime Cyber Security experience
• Bachelor's Degree in Cybersecurity or related IT field may be substituted for 4 years of experience
• Bachelors Degree in an IT Related Field.
• Certified Information Systems Auditor (CISA), Advanced in AI Audit (AAIA), or equivalent certification
• 12 years of related work experience
• Prior experience supporting US Navy or Coast Guard Maritime Cyber Assessments
• Clearance: Must possess or be able to obtain a public Trust.
• Must pass pre-employment qualifications of Cherokee Federal

Nice To Haves

• Prior Department of Transportation experience is a plus.

Responsibilities

• Assess MARAD systems in one of three states: System Authorization: Initial Authorization, Reauthorization, or Continuous Monitoring Assessment (CMA), also known as ongoing authorization. The Independent Assessor must be prepared to support the process within each of these three Authorization states.
• Provide annual assessment support to the NSMV and MARAD CIO programs. NSMV assessment support will involve conducting on-site evaluations at the Philadelphia shipyard and other locations.
• Conduct independent assessments of specified MARAD information systems following the System Authorization process as defined in the current DOT Security Authorization and Continuous Monitoring Performance Guide and associated templates. • Review existing information system core documentation including privacy requirements data to support development of security assessment plans and schedules support authority to operate (ATO) dates. Review and establish Annual Assessment schedule in support of deliverables and artifacts.
• Provides identification of non-compliance of security requirements and possible mitigations to requirements that are not in compliance
• Validates the security requirements of the information system
• Verifies and validates that the system meets the security requirements
• Conduct independent, comprehensive assessments of management, operational, and technical security controls and control enhancements within IT systems to determine overall effectiveness.
• Execute and conduct analysis of network and systems to validate appropriate security control implementation. Documentation
• Develop security assessment plans and assessment reports compliant with latest revisions of NIST Special Publication 800-53A Recommended Security Controls for Federal Information Systems and Organizations and NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems.
• Develop Security Assessment Plan (SAP) detailing assessment scope with clarity, specifying scope exclusions, if necessary, controls being assessed, methods of performing assessment including sampling and “determine if” statements, notional schedule, assessment staff members, inventory of targeted system endpoints/components and software, processes, status of account of system specific, hybrid and inherited controls.
• The Assessor must adhere to the approved SAP while executing security controls assessment against targeted information system(s). Use approved techniques to collect and catalogue evidence of security controls assessment findings i.e. documents, screen captures, scanning report(s), interview session notes to support claims of control implementation status (in – place or other).
• Develop security assessment report (SAR) in accordance with scope and schedule defined in the SAP. SAR must detail assessment findings of controls assessed with supporting evidence substantiating claims.
• Develop / update system qualitative risk assessment reports (RAR) compliant with NIST SP 800-30 Guide for Conducting Risk Assessments.
• Develop recommendation report aiding in Plan of Action and Milestone (POA&M) development. Recommendation report would detail findings and applicable actions and effort to be considered for remediation.
• Develop security assessment executive summary documents including summative presentation further providing an overview of activities, findings, risks and mitigation recommendations.
• Enter assessment data the Cyber Security Assessment and Management (CSAM) database, the ATO system of record used by DOT.
• Provide presentations, reports, evaluations, reviews, meeting minutes and working papers in support of all tasks as requested by the COR.
• Apply MARAD/DOT A&A guidance and policy to achieve the program objectives and enhancing the overall quality of packages for receiving an ATO Stakeholder Collaboration and Guidance
• Actively work with the designated Information Systems Security Manager ISSM
• Performs other job-related duties as assigned

Benefits

• Medical
• Dental
• Vision
• 401K
• other possible benefits as provided. Benefits are subject to change with or without notice.