Govt: Incident Response - US Citizen (11 Positions)
Work Location: N.E. Washington DC
Interview: Phone & Webex / Cam
Certifications: Any security related active cert will work.
Clearance: Public Trust background check with finger-printing and drug screening
skills: ID/IR, incident Handler (IH), SIEM (splunk or Arcsight), Soc or Security Operations, NIST 800-181 OR 800-53
The Contractor shall provide Tier 2 level incident response support by using a variety of tools to investigate incidents and taking immediate action or recommending a course of action to safeguard the U.S. Courts. Incident response tasks include providing incident triage and response support to court units or AO program office Incident Response Teams. Tier 2 level support also includes investigating and documenting incidents from end to end and identifying correlating information to determine incident impact, area of effect, and mitigation requirements for the local court unit and the client overall.
The Contractor shall perform the following tasks to support incident response:
a. Accurately review, annotate, and resolve security incidents tasked by the Intrusion Detection Team, Watch Officer, SOC management or other SOC teams 24 hours a day, 7 days a week.
b. Conduct Incident Triage to prioritize newly identified security incidents for follow-on action. Identify all relevant data sources for initial collection to determine prioritization and resource application based on the criticality of the incident. Conduct immediate actions to evaluate and contain threats as necessary in accordance with the Security Operations Center Incident Response Plan (SOCIRP), Incident Response Operations
Guide, and any other published SOC operations guides and manuals.
c. Provide clear and actionable event notifications to customers. Notifications to customers will be clear and provide sufficient detail for a mid-level system or network administrator to understand what has occurred and what needs to take place to remediate the event.
d. Coordinate and provide direct support to local incident responders at the circuit, local court unit and program office levels. Provide notifications, guidance and end to end incident response support to local incident responders to ensure the appropriate actions are properly taken to detect, contain, eradicate and recover from identified security incidents. Coordinate with various other SOC teams to leverage the appropriate resources to enable local incident responders. Participate in course of action (COA) development and execution as necessary.
e. Document all communications and actions taken in response to assigned incidents in the SOC ticketing system. Ensure tickets are properly updated in a timely manner and all artifacts are included. Escalate any concerns or requests through the Contractor management as necessary.
f. Directly support the Special Tactics and Active Response (STAR) team and provide incident response support for critical security incidents as they arise. STAR staff must be ready to travel anywhere within the United States and its territories within 24 hours of notification, with the necessary tools (provided by the Government) and be able to stay on site until the investigation/mission is complete. Please note that the SOC must continually be staffed at the minimum levels required even during STAR staff travel.
g. Perform appropriate event escalation for events, notifications, and non-responsiveness from customers. Contractors shall track all notifications in the SOC ticketing system and escalate tickets to Watch Officers or SOC management in cases where the customer is non-responsive or requires clarification that is outside the scope of the normal operations. Contractors will be familiar with the SOCIRP escalation and reporting procedures.
h. Continuously review and update the Incident Handlers (IH) Guide and provide recommendations to annual updates for the SOCIRP. All SOPs and Op Guides are federal government property. Contract staff provide recommendations in draft form for federal management review, approval and adoption.
i. Incident Responders must be able to perform the tasks and meet the skills, knowledge and abilities as described in NIST Special Publication 800-181 / 800-53