Overview
On Site
Depends on Experience
Contract - W2
Contract - 2 Year(s)
Skills
TS/SCI
security assessments
RMF
NIST
Job Details
Role: Security Control Assessor
Location: Arlington, VA (5 days onsite)
Duration: Contract to Hire
Active TS/SCI Security clearance is must
Top skills
Hands on controls/SCA experience, conducting security assessments of systems, deep RMF and NIST knowledge
Client Original Job Description
- Advise the Information System Owner (ISO) concerning the impact levels for Confidentiality, Integrity, and Availability for the information on systems.
- Ensure security assessments are completed for each IS.
- Initiate a POA&M with identified weaknesses and suspense dates for each IS based on findings and recommendations from the SAR.
- Evaluate security assessment documentation and provide written recommendations for security authorization to the CISO and AO.
- Assess proposed changes to Information Systems, their environment of operation, and mission needs that could affect system authorization.
- Serve as a cybersecurity technical advisor to the CISO and AO under their purview.
- Be integral to the development of the monitoring strategy. The system-level continuous monitoring strategy must conform to all applicable published DoD enterprise-level or DoD Component-level continuous monitoring strategies.
- Determine and document in the SAR a risk level for every noncompliant security control in the system baseline.
- Determine and document in the SAR an aggregate level of risk to the system and identify the key drivers for the assessment. The SCA's risk assessment considers threats, vulnerabilities, and potential impacts as well as existing and planned risk mitigation.
- Develop the continuous monitoring plan specific to the information system.
My role as an SCA at DARPA:
- Schedule and coordinate assessments of security controls and potential vulnerabilities.
- Ensure that assessments cover all required aspects, including confidentiality, integrity, and availability (CIA).
- Ensure that proper tools and methodologies are applied during the assessment.
- Identify and document weaknesses or vulnerabilities found during the security assessment.
- Create a POA&M that includes corrective actions, owners, and suspense dates.
- Ensure the POA&M is actively managed and updated with progress on remediation actions.
- Work with system owners to track and resolve identified issues.
- Review the SAR, which details the results of the security assessment.
- Evaluate whether the findings support system authorization and whether vulnerabilities have been adequately addressed.
- Provide written recommendations to the CISO (Chief Information Security Officer) and AO (Authorizing Official) for security authorization decisions (e.g., whether the system should be authorized to operate).
- Ensure compliance with relevant risk management frameworks (e.g., RMF, FISMA, NIST SP 800-53).
- Review and assess changes (e.g., system modifications, patches, or environment changes) that might affect security controls or system authorization.
- Evaluate the potential security risks introduced by changes to the system or its operating environment.
- Determine if the changes necessitate a new authorization or re-assessment process.
- Work with system owners to ensure any necessary adjustments are made to maintain security compliance.
- Provide expert advice on technical security issues related to the system's compliance, vulnerabilities, and risk management.
- Assist the CISO and AO with interpreting security assessment findings and making informed decisions about system authorization.
- Advise on security best practices, standards, and methodologies relevant to system security and risk management.
- Support the CISO and AO in prioritizing security improvements and mitigations.
- Work with the system owner and other stakeholders to define a continuous monitoring approach for the system.
- Ensure the monitoring strategy is comprehensive and includes mechanisms for detecting and responding to security threats in real-time.
- Ensure compliance with DoD-level or component-level continuous monitoring strategies.
- Help identify key performance indicators (KPIs) and metrics to assess the system's security continuously.
- Identify any noncompliant security controls and evaluate their potential risks to the system.
- Document the severity and potential impact of these weaknesses in the SAR.
- Assign a risk level to each noncompliant control, using a standard risk assessment methodology (e.g., likelihood, impact, and potential mitigation).
- Provide clear documentation to support the AO's decision regarding system authorization.
- Aggregate individual security control risks into a comprehensive risk assessment for the entire system.
- Document key risk drivers, such as specific vulnerabilities, system weaknesses, or external threats.
- Consider existing and planned risk mitigations when documenting the aggregate risk level in the SAR.
- Present the risk analysis clearly so that decision-makers can understand the overall security posture of the system.
- Develop a continuous monitoring plan that defines the processes for ongoing security assessments, threat detection, and risk mitigation.
- Ensure that the plan is aligned with the system's security requirements, objectives, and the broader enterprise or organizational strategy.
- Identify which controls and assets need to be monitored and specify how monitoring will be conducted.
- Establish incident response protocols and escalation procedures for any detected vulnerabilities or incidents.
- Coordinate with stakeholders to ensure the continuous monitoring plan is implemented effectively and adjustments are made as necessary.
- Identify potential risks across the supply chain, including supplier risks, operational risks, financial risks, geopolitical risks, natural disasters, regulatory changes, and cybersecurity threats.
- Conduct risk assessments and monitor external and internal factors that could affect the supply chain.
- Continuously monitor supply chain activities, including supplier performance and external factors that may trigger risks.
- Report risk findings to senior management and other key stakeholders regularly.
- Engage with external stakeholders, such as government agencies, industry associations, and insurance companies, to stay informed and prepared for potential risks.
- Continuously improve risk management processes and tools.
- Stay up-to-date with emerging risks and best practices in risk management.
- Learn from past disruptions and refine strategies for better future preparedness.
- Analyze the results of vulnerability scans, which could be from tools like Nessus, Qualys, or OpenVAS. Understanding the severity, impact, and exploitability of each identified vulnerability is essential.
- Based on the potential impact to the organization, prioritize the vulnerabilities that need to be addressed first. Critical vulnerabilities that expose sensitive data or are easily exploitable should be handled immediately.