Information Assurance / Security Specialist Senior Level (Component Assessor)

Overview

On Site
Hybrid
$120,000 - $140,000
Full Time

Skills

management skills
communication skills

Job Details

Information Assurance / Security Specialist Senior Level

Task Area 7: Component Assessor

Certification Required:

  • Security+, CISSP, CISM, CRISC, or CSSP

Clearance Required:

  • Secret

Required Years of Experience:

  • 8

Education Required:

  • Bachelor’s Degree in Computer Science or related field

Job Location:

  • Remote but located in the Washington DC area or Stennis AFB area


Experience: (MUST HAVE)

  • At least 4 years of NIST Security Control Assessor (SCA) experience.
  • Must have led assessment teams from planning through execution and finalization of an assessment.
  • Capable of performing in a fast-paced environment.
  • Strong communication skills both verbally and in written form.
  • Mastery of control assessment requirements based on the NIST 800-53A.
  • Technical expertise in assessing environments such as, but not limited to, applications, operating systems, databases, appliances, cloud environments, and physical environments to validate full deployment of a defense-in-depth strategy.
  • In-depth understanding of how to read Nessus scan reports and identify security vulnerabilities, configuration settings, and security compliance status.
  • Proficient technical writing skills for developing control findings, detailed assessment reports, technical requests to system engineers, and other security assessment documentation.
  • Extensive experience conducting assessment interviews of system engineers, administrators, and other support personnel, including demonstrations, to accurately validate system configurations.
  • Works well within and leading teams with a positive attitude and can solve problems without supervision.
  • Deep knowledge of Security Control testing and validation on both technical and policy areas.
  • CSAM experience
  • Working knowledge of DHS 4300 Policy +
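The Nessus requirement above is about reading an export and separating what matters (exploitable weaknesses, failed configuration audits) from informational noise. As an added example that is not part of this posting or of any DHS or Tenable tool, the script below parses a .nessus v2 XML export, counts findings by severity, ranks the actionable ones by CVSS base score, and lists failed compliance checks from the cm: namespace that Nessus audit plugins use. The SAMPLE_NESSUS document is hand-constructed for the example; its plugin IDs and plugin names are placeholders, not real Nessus plugins.

```python
"""Triage a Nessus .nessus (v2 XML) export: count vulnerability findings by
severity, rank the actionable ones by CVSS, and pull out failed compliance
(audit) checks. Added example for this page; SAMPLE_NESSUS is hand-constructed
in the .nessus v2 layout and is not output from a real scan.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus "severity" attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
SEV_NUM = {name: num for num, name in SEVERITY.items()}
CM_NS = "{http://www.nessus.org/cm}"  # namespace Nessus uses for audit results

# Constructed sample (plugin IDs and names are placeholders, not real plugins).
SAMPLE_NESSUS = """<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm">
<Report name="constructed-sample">
<ReportHost name="10.0.0.5">
<HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="100001"
  pluginName="Weak SSH cipher (placeholder)" pluginFamily="Misc.">
<cvss_base_score>5.3</cvss_base_score></ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="4" pluginID="100002"
  pluginName="Outdated TLS library (placeholder)" pluginFamily="Web Servers">
<cvss_base_score>9.8</cvss_base_score></ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100003"
  pluginName="Host information (placeholder)" pluginFamily="General"></ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="100004"
  pluginName="Password policy audit (placeholder)" pluginFamily="Policy Compliance">
<cm:compliance-check-name>Minimum password length</cm:compliance-check-name>
<cm:compliance-result>FAILED</cm:compliance-result>
<cm:compliance-actual-value>8</cm:compliance-actual-value>
<cm:compliance-policy-value>14</cm:compliance-policy-value></ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100005"
  pluginName="Lockout policy audit (placeholder)" pluginFamily="Policy Compliance">
<cm:compliance-check-name>Account lockout threshold</cm:compliance-check-name>
<cm:compliance-result>PASSED</cm:compliance-result></ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Split a .nessus document into (vulnerability findings, compliance checks)."""
    root = ET.fromstring(xml_text)
    findings, compliance = [], []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): t.text for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            entry = {
                "host": props.get("host-ip", host.get("name")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "port": f"{item.get('protocol')}/{item.get('port')}",
                "severity": SEVERITY.get(sev, "Info"),
                "severity_num": sev,
            }
            if item.get("pluginFamily") == "Policy Compliance":
                # Audit results are carried in cm: elements, not in a CVSS score
                entry.update(
                    check=item.findtext(CM_NS + "compliance-check-name"),
                    result=(item.findtext(CM_NS + "compliance-result") or "").upper(),
                    actual=item.findtext(CM_NS + "compliance-actual-value"),
                    expected=item.findtext(CM_NS + "compliance-policy-value"),
                )
                compliance.append(entry)
            else:
                cvss = item.findtext("cvss_base_score")
                entry["cvss"] = float(cvss) if cvss else None
                findings.append(entry)
    return findings, compliance


def severity_counts(findings):
    """Counter of finding severities, e.g. {'Critical': 1, 'Medium': 1, 'Info': 1}."""
    return Counter(f["severity"] for f in findings)


def actionable(findings, min_severity="High"):
    """Findings at or above min_severity, highest CVSS first; Info is never included."""
    cutoff = max(SEV_NUM[min_severity], 1)
    picked = [f for f in findings if f["severity_num"] >= cutoff]
    return sorted(picked, key=lambda f: f["cvss"] or 0.0, reverse=True)


def failed_checks(compliance):
    """Compliance checks whose result is FAILED (WARNING and PASSED are excluded)."""
    return [c for c in compliance if c["result"] == "FAILED"]


if __name__ == "__main__":
    vulns, checks = parse_nessus(SAMPLE_NESSUS)
    print("Severity counts:", dict(severity_counts(vulns)))
    for f in actionable(vulns, "Medium"):
        print(f"{f['severity']:8} {f['host']} {f['port']:9} {f['plugin_name']} (CVSS {f['cvss']})")
    for c in failed_checks(checks):
        print(f"FAILED   {c['host']} {c['check']}: actual={c['actual']} expected={c['expected']}")
```

Keeping vulnerability findings and compliance (audit) results in separate lists mirrors how they are written up in a SAR: the former map to technical weaknesses with a CVSS-driven severity, the latter to specific control or configuration failures with an expected versus actual value that can be cited directly in a finding.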


Job Description:

TASK AREA 7: Component Services: Cybersecurity Assessments


Information Security Assessment

Supports identification of cybersecurity deficiencies in information systems by performing technical assessments of assigned systems and applications to determine the severity of weaknesses; supports the Security Authorization (SA), Continuous Monitoring (CM), and Risk Management Framework (RMF) processes. Results of the assessments will be documented in the MGMT compliance tool (e.g., IACS, CSAM) using a standard report format that captures the results and findings of the assessment along with recommended mitigations. The contract team performs the following tasks:


  • Create, manage, and utilize Assessment Standard Operating Procedures and Testing Templates and ensure that assessments are conducted accurately, efficiently, and consistently.
  • Create, manage, and utilize Assessment Guides and Training Material documents that assist system stakeholders in preparing for upcoming assessments. Includes, but is not limited to Frequently Asked Question guides, workflows, and Training Materials.
  • Create, manage, and utilize Check-Point Reviews to determine the readiness of the system for assessments. Includes the status of POA&Ms for the system, review of control implementations for applicability, and the state of the Body of Evidence (BOE) materials supporting the assessment.
  • Manage Assessment Entrance Conference Briefing, creating agenda and meeting minutes for the system stakeholders on what to expect and when during the upcoming assessments.
  • Draft Security Assessment Report (SAR) for review by the stakeholders to prepare for the Exit Conference.
  • Manage the Assessment Exit Conference Briefing, creating the agenda and meeting minutes for the system stakeholders on the results of the Exit Conference, which determine the final SAR.
  • Create the Final Security Assessment Report, incorporating the changes agreed at the Exit Conference, for review by the stakeholders.
  • Develop and maintain an overall Security Assessment Schedule that forecasts system assignments for contractor and stakeholder staff over the period of performance. The Assessment schedule needs to include assessments that meet the requirements of current DHS policy. Systems in Ongoing Authorization (OA) need to be assessed once a year. Systems not in the OA program need to be assessed at a minimum every three years or when a major change occurs. The schedule also needs to support new systems utilizing the Authority to Proceed (ATP) memo. New systems utilizing the ATP process assess the critical controls prior to being placed in production and then require a full assessment within one year after receiving the ATP.
  • Develop testing artifacts for each system to include, as appropriate, the technical assessment plan, the Rules of Engagement (ROE), the Security Requirements Traceability Matrix (SRTM), the Security Assessment Report, and any other necessary documentation.
  • Update and maintain all testing templates and Standard Operating Procedures (SOP) as needed, or on an annual basis per DHS guidelines, to include the utilization of the compliance tool.
  • Create Assessment Guides to assist ISSOs, ISSMs, System Owners and other stakeholders to prepare for upcoming assessments. This includes but is not limited to Frequently Asked Questions (FAQs) guides, and Training Materials.
  • Conduct and/or review vulnerability scans, review device configurations, and review system architecture. The Contractor will utilize vulnerability assessment tools as provided by the government. Test tools used to support the assessment process may include, but are not limited to, Nessus (vulnerability scanner), WebInspect (web application security testing and assessment), IACS, CSAM, and AppDetective (database vulnerability scanner). These tools are subject to change.
  • Provide advisement and recommendations to the Government for assessment and security best practices including tools that are used for assessment activities.
  • Arrange for physical access to the system, if applicable, with the specific System Owner and the specific facility manager(s). All contact information will be provided by the system’s Information System Security Officer (ISSO). Alternatives to physical access to the system may be utilized if it does not compromise the assessment of the controls needed to be accomplished.
  • Conduct an Assessment Kick-off meeting according to the Security Assessment Schedule that reviews the MGMT Compliance requirements, process, and artifacts to prepare the stakeholders for the scheduled assessment.
  • Conduct up to two check point reviews after the kickoff, and prior to the planned assessment date, to review the status of the artifacts in the compliance tool. Provide the checkpoint information to the assessment division and conduct reviews with the stakeholders as needed. As part of the check point review, the assessor will provide detailed criteria that would result in significant findings on the assessment or prevent the assessors from conducting an accurate assessment.
  • Conduct an assessment entrance conference according to the Security Assessment Schedule that does a final overview of what is expected during the assessment.
  • Execute the assessment through the review of system security documentation, vulnerability scan results, audit logs, configuration guides, and any other additional materials provided by the system and system stakeholders.
  • Document the results of the technical assessments in the draft Security Assessment Report (SAR) with the criteria of the tests, testing methods, findings of the assessment, and recommended mitigations. The draft SAR will be sent to the stakeholders one week prior to the exit conference as defined in the Security Assessment Schedule.
  • Conduct an assessment exit conference according to the Security Assessment Schedule to review the findings of the draft SAR and address any final agreed changes.
  • Based on the results of the exit conference, produce the Final SAR within 5 business days of the conference. The Final SAR will document the results of the technical assessments with the criteria of the tests, testing methods, findings of the assessment, and recommended mitigations.
  • Collect and securely store all final materials and media submitted by the system test team according to the SOP in the DHS compliance system. Draft system assessments may use other DHS MGMT-owned systems as appropriate.

Additional Support:


  • Review material submitted by HQ components prior to inspections and/or assessments.
  • Complete inspections and/or assessments within the schedule determined by the CSP team and Federal Management.
  • Assess CSP and other system capabilities against accreditation criteria.
  • The CSP assessment team will need to work to become as familiar as possible within the given timeframe with capabilities and technologies being assessed to enable them to ask relevant questions and derive results.
  • Generate post-assessment reports for the PMO within 10 days or an alternative time designated based on the inspection and or assessment and mutually agreed by the federal lead.
  • Identify trends and improvement opportunities based on assessments results.
  • Provide feedback to the PMO on process improvements and recommendations for future changes to the CSP and or assessment criteria.
  • Ensure compliance with all NIST RMF and DHS Cybersecurity policy and accreditation requirements using auditing tools such as ACAS, STIGs, etc.
  • Prepare documents such as charters, agendas, presentations, and memorandum.
  • Maintain distribution groups, points of contact lists, and group membership listings.
  • Publish messages and notifications to the DHS community.
  • Coordinate with the CISOD Business Offices to route and track communications with executives and HQ components.
  • Create and maintain forms, document templates and a register for CISOD forms and templates which support cybersecurity activities throughout the department.
  • Prepare, track, and provide status reports on data calls.
  • Develop, maintain, and update Standard Operating Procedures (SOPs), handbooks, ConOps and instructions for all internal processes.
  • Keep up to date internal SOP/documentations of all processes at a location specified by the Federal Lead (SharePoint, Shared Folder, Knowledgebase, etc.).
  • Generate meeting minutes as requested.
  • Follow and leverage the internal DHS processes to perform their duties.
  • Create and deploy custom reports and dashboards, working with the government points of contact, to provide specific content to the government on a need by basis and as otherwise specified by the Federal Leads on a set frequency.
  • Provide weekly and ad hoc reports summarizing adherence to agreed-upon schedules. Each report shall include detailed summaries of the length and number of delays and recommendations for “get-well” plans, and shall summarize the work completed and milestones met, including metrics.
  • Generate trending and ad hoc reports as requested. Reporting includes extracting data from the CISOD databases and designing, developing, and implementing automated reports. Data being reported may represent subsets of the overall performance reporting or new/unique data sets based on the entire compliance data stored within the supporting tools.
  • Engage and support in planning and coordinating the various Working Group Meetings
  • Provide guidance and recommendations to Federal SMEs on processes and projects.
  • Provide customer service support to DHS Enterprise by responding and resolving DHS Helpdesk tickets.
  • Support modernization of all Cybersecurity processes and methodologies to be employed across the Enterprise and MGMT
  • Collaborate and coordinate successfully with other contract vendors and Government personnel.
  • Respond to component questions via helpdesk tickets, Microsoft Teams messages, emails, and phone calls.
  • Provide recommendations and feedback on the DHS policies
  • Provide, develop, maintain, update, store, and distribute weekly/monthly/quarterly/ad-hoc reports, meeting minutes, user feedback as requested by the Federal Lead.
  • Propose process improvements accordingly to Federal Lead.
  • Support Cybersecurity process innovation and automation to support the new Cybersecurity processes and methodologies that will be developed in automated tools.
  • Develop, update, maintain and provide training materials and resources to provide guidance to DHS Enterprise and MGMT on subject areas.
  • Develop, maintain, update, store, and distribute Standard Operating Procedures for all routine activities to ensure standardization of activities and enable the transition of activities across members of the team.
  • Develop metrics and recommend improvements for tracking progress on cybersecurity subject areas and programs.
  • Develop and maintain weekly Executive reports and PMR reports.
  • Attend Working Groups, meetings and discussions and provide feedback and ideas for improvements.
  • Develop unique Cybersecurity training materials and resources to provide guidance regarding process, documentation and understanding of responsibilities. This can be provided in-person, online or on a training platform like the Performance and Learning Management System (PALMS) or the Federal Virtual Training Environment (FedVTE).
  • Develop trainings for users across HQ components based on the new changes recommended by DHS Management for this FY
  • Develop and maintain Key Performance Indicators (KPIs) and metrics to evaluate performance and identify key areas for improvement in the subject areas or programs. Recommend changes weekly to the Federal Lead that improve quality and reduce the level of effort and elapsed time required for approved metrics.
  • Develop metric reports to evaluate Cybersecurity Risk Management and scorecard progress on a weekly/monthly basis.
  • Collaborate with other teams to ensure that Cybersecurity processes are effectively maintained and tracked.
  • Work with DHS Enterprise to identify, develop, and implement Cybersecurity programs best practices, and general guidance for use across the federal government.
  • Support current and future enhancements and transition of DHS CISOD tools and requirements.