Information Security/Cloud Compliance Analyst (Hybrid/Remote)

Overview

Remote
On Site
Full Time

Skills

Macros
Access Control
Cloud Computing
SaaS
Information System Security
Network
Standard Operating Procedure
SOP
Project Management
Quality Assurance
Auditing
Scheduling
Report Writing
Facilitation
ROOT
Presentations
Authorization
Management
System Security
Risk Management
Reporting
Regulatory Compliance
Policies and Procedures
Security Analysis
RMF
Risk Management Framework
Operating Systems
Virtualization
Computer Networking
Cyber Security
Security Controls
Documentation
Impact Analysis
Incident Management
Risk Assessment
CNSS
Information Security
NIST SP 800 Series
ICS
SCADA
Communication
Customer Facing
Computer Science
Information Systems
CISA
DICE

Job Details

Macro Pros is seeking an Operational Technology (OT) Security Engineer for a long-term engagement (contract or contract-to-hire) supporting a federal agency in Bethesda, MD. The work schedule is Monday on-site in Bethesda (required) with Tuesday through Friday remote.
Responsibilities:
  • Experience with access controls and their assessment: handling the challenges that arise when assessing a control, remediating a POA&M for that control, and assessing or closing out the findings.
  • Advise on and help establish sound information security processes and controls for the project according to federal information security policies, practices, and standard operating procedures (SOP), and engage with the implementation teams to ensure that the solutions designed, built, deployed, operated, and maintained adhere to the same information security requirements.
  • Able to talk through security controls and what they mean for the specific type of system.
  • Verify that the information security controls implemented by and in connection with the enterprise technology solutions deployed are operated as designed.
  • Experience supporting Operational Technology (OT) systems and understanding the differences between IT and OT systems from an A&A perspective.
  • The individual will liaise with the assessment and authorization (A&A) team at the client to ensure control requirements are understood and addressed and coordinate responses to A&A assessments in connection with the authority to operate (ATO) for new solutions deployed.
  • Experience taking a system that has a cloud component to it and taking it through the ATO process.
  • Our client has systems they want to bring on that leverage cloud in different aspects (infrastructure, SaaS, etc.). As a security specialist, you must have experience doing assessments and security documentation.
  • Organize and conduct information security control assessments to validate ATO and audit readiness of the project and the enterprise technology solutions to be deployed. They will engage project management, project team leads, and client stakeholders as appropriate in conducting assessments, sharing results, and validating remediation of control weaknesses.
  • The Information Security Compliance Analyst will provide cyber security and information system security management services to internal and external customers in support of network and information security systems.
  • Assess information system risks and controls and identify information system control design and operation weaknesses.
  • Perform process and system evaluations (assessments) to ensure compliance with established policies, processes, procedures, and applicable standards
  • Validate security control assessments results
  • Perform a variety of technical and administrative activities related to the function of QA (auditing), including, but not limited to, scheduling, checklist development, report writing, facilitating root cause/lessons learned analysis, and internal/external presentations
  • Provide assessment and authorization (A&A) management support by guiding the development of all documentation necessary to complete the A&A process, including system security plans, contingency plans, and other associated documentation.
  • Conduct complex vulnerability assessments, including developing risk mitigation strategies with the customer and adjudicating findings based on the vulnerabilities, threats, and risk identified in the assessment.
  • Review system configurations and scan tool results to determine system compliance and report results.
  • Compile, analyze, and report on findings of non-compliance and provide recommendations for improvement.
  • Capture and maintain plans of action and milestones (POA&M) on findings of non-compliance.
  • Track and escalate unresolved non-compliance issues and corrective and preventative action plans to closure
  • Validate cyber security tests and assessments are conducted in accordance with established policies and procedures
  • Experience with NIST SP 800-82 Rev. 2 & 3, Risk Management Framework (RMF), and security assessment tools
  • Review documentation and information obtained from the customer using accepted guidelines such as the Risk Management Framework (RMF).
  • Knowledge and/or experience with Operating System, Virtualization, and Networking technologies


Qualifications:
  • Minimum of 8 years of cyber security experience
  • Minimum of 4 years of experience consulting for the US Federal government: evaluating the security posture of information systems in accordance with federal information security requirements and industry-leading guidance, and providing risk-based observations and recommendations for information system security, controls, and operation in connection with conducting A&As for ATOs.
  • Strong Security Controls Assessment documentation required.
  • Experience dealing with contingency plans, business impact analysis, and incident response plans.
  • Understanding of risk assessment as an assessor compared to a risk assessment done by a system owner/team; able to change or adjust the approach based on the level of experience of the stakeholder you're working with.
  • Demonstrated experience working with information system stakeholders, helping them understand information security requirements related to federal and industry standards (e.g., NIST, DHS 4300A, CNSS) and to design and operate information security controls.
  • Demonstrated experience assessing information system risks and controls and identifying information system control design and operation weaknesses.
  • Experience with High Value Assets.
  • Experience with CSAM
  • Experience with NIST 800-82 Rev. 3 is required.
  • Experience with Operational Technology/Industrial Control Systems (OT/ICS) is required.
  • Experience applying the OT overlay to SCADA or other OT systems.
  • Must have excellent communication skills. This is a customer facing role. Must be 100% comfortable working and communicating with a diverse team.


Additional Information:
  • Bachelor's degree in Computer Science, Information Systems, Engineering, Business, or another related scientific/technical discipline.
  • Certified Information Systems Auditor (CISA) certification.
  • Must live in metro Washington, DC and work on-site in Bethesda every Monday (required).

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.