Security Controls Assessor

About The Position

Requirements

• One (1)+ year direct or related experience with coordination and collaboration with Federal (GAO and OIG) auditors during assessments, and during the POA&M remediation processes.
• Three (3)+ years’ experience performing security control assessment.
• Experience in planning assessments and be a senior member in a team of security control assessors
• Contingency Plan Development and Testing experience
• Experience in presenting control requirements and deficiencies to both technical and non-technical audiences.
• Experience performing detailed, full-scope technical security control testing for each of the component types, including development of security and privacy assessment plans is required.
• Ability to analyze information system configurations and technical specifications against NIST SP 800-53 and other overlays
• Possesses a strong understanding of the NIST Special Publication 800-53 security and privacy controls, the NIST Cybersecurity Framework and other information security and privacy laws and regulations.
• Experience with development and writing of risk-based documentation.
• Experience with Step 4 of RMF process- Assessing Security Controls
• Strong written and verbal communication skills.
• Strong communication ability across all levels of management
• Bachelor’s degree or higher in Computer Science’s, MIS/IT, Engineering, Information Security/IA, or related discipline to work requirement

Nice To Haves

• One of the following certifications preferred: Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Risk and Information Systems Control (CRISC), or Certified Information Security Auditor (CISA)

Responsibilities

• Participate in a team of Security Control Assessors (SCA) in the accomplishment of required contract SCA deliverables.
• Review and update existing information security policy, standards, and procedures based on federal and departmental regulations.
• Perform independent security and privacy control assessments in support of RMF Assessment & Authorization (A&A).
• Conduct assessments of existing and new FISMA systems, including subsystems in the respective system boundary, and communicate the results and potential implications of identified control weaknesses.
• Review and analyze, Assessment & Authorization (A&A) packages to include System Security Plans (SSP), Risk Assessments, Information System Contingency Plans (ISCP), Back-up Standard Operating Procedures (SOP), Incident Response Plans (IRP), Configuration Management Plans, (CMP), Hardware/Software lists, Network Diagrams, Data Flows, System Change Requests/Proposals, Vulnerability scan reports, test reports, and Plan of Actions & Milestones (POA&Ms) for completeness, accuracy, and document effectiveness of controls, plans and procedures implementation.
• Create and maintain test cases for security assessment testing and perform security testing at the control-requirement level for each unique component of each system (e.g., application, web application server, financial systems, database server/instance, operating systems, specialized appliances, network and infrastructure devices, and end-user devices (e.g., mobile phones, laptops, etc.).
• Develop and execute a security and privacy assessment plan in accordance with NIST SP 800-53A, as amended, requirements, for each security assessment project. A&A activities shall include support for RMF steps 4-6.
• Document and provide findings and recommendations that are concise, system-specific, and actionable.
• Analyze security tool reports and determine residual risk or false positives from technical reports and artifacts before assigning findings.
• Perform other related duties as assigned