VariQ has an exciting opportunity for a highly qualified Senior Security Specialist/HVA and CSF SME
to support a client
in Washington, DC
- Location: Currently Fully remote through due to COVID-19. Federal client offices in North East, Washington, DC with up to 2 days telework post-COVID-19.
- Security Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following background suitability and records check.
- Available: within 30 days of customer approval due to Public Trust investigation
As the Senior Security Specialist for this engagement, the successful candidate will serve as a technical consultant and subject matter expert (SME) regarding federal information and cybersecurity doctrine, including DHS, FISMA and the NIST issuances with a focus on High-Value Assets (HVA) and Cybersecurity Framework (CSF) support.
The successful candidate will:
QualificationsRequired Experience and Abilities:
- Provide expert counsel and guidance to the team and to the client about federal doctrine regarding the role and function of the NIST issuances, particularly the NIST RMP (SP 800-39), the RMF (SP 800-37), Risk Assessments (SP 800-30), Security Plans (SP 800-18), and the NIST Framework for Improving Critical Infrastructure Cybersecurity and other industry-accepted security control frameworks.
- Support overall strategic planning to ensure the HVA Program meets its mission, vision, goals, and objectives. This includes, but not limited to, preparation of executive-level presentations and summary reports.
- Create and manage the clients CSF Implementation Plan, Training Material, Roadmap, Lessons Learned, and Communication Plan.
- Support system security planning efforts, including performing updates to system security plans (SSPs), determining the impact of new or updated doctrine upon the SSPs, planning and coordinating responses to these impacts, and ensuring that work is done in agreement with standard templates and guidelines. Support is also required to refine and update these templates and guidelines as changes in doctrine take place (for example, the impending release of NIST SP 800-53 Rev 5).
- Help develop, track, and implement Corrective Action Plans (CAPs), including those for Plan of Action and Milestone (POA&M) remediation as well as those used to address audit findings.
- Coordinate with auditing entities to convey finding closure memos and evidence of finding closures, and coordinate with stakeholders as CAPs change over time.
- Prepare, analyze and verify monthly audit status reports.
- Support the PM by providing information for status reports, status briefings, schedules, project plans, etc., both in written and oral form.
- Support and coach the more junior team members, perform quality reviews and oversight as needed, and help ensure that the team provides deliverables of impeccable quality.
Years of Experience:
- Mastery of, and fluency in, the NIST SP 800-3X series and SP 800-18, and a solid understanding of all other NIST FISMA issuances, as well as federal statute, security-relevant OMB circulars and memoranda, federal information processing standards, and other federal security doctrines.
- Ability to participate as a senior member of a technical team that is performing audit support, and SSP process and artifact design and development. Note that the actual SA&A lifecycle is managed by another group, and is not part of this job. Instead, this is a specialized team with a strong emphasis on technical expertise in just these areas, even if they do contribute to the SA&A lifecycle.
- Strong understanding of DHS CyberScope reporting, to include how to collect correct data in the most efficient manner, deduce metrics, and meet immovable deadlines for reporting periods.
- Understanding of GRC frameworks, such as that supplied by the RSA Archer™ tool, and use of such tools to support information security objectives. Strong preference is given to candidates with hands-on RSA Archer™ tool experience. Experience with other GRC tools, such as RSAM, or experience with SA&A tools, such as Xacta, is also of significant value.
- Ability to tailor information security processes and tools, based on ever-evolving and changing landscapes, doctrine, and risk scenarios.
- Proficiency in performing work in a federal agency that has FISMA, OMB Cybersecurity & Privacy, and NIST SP/FIPS compliance requirements.
- Fluency in both spoken and written US English, including the ability to work with highly technical and specialized content. Must be able both prepare and deliver such content, verbally and in writing, but also comprehend such content from others, in both spoken and written form.
- Ability to prepare deliverables with sufficient quality such that very few minor, or no, edits are required to be made prior to conveyance to the client.
- Quickly review the work products of others, employ your own knowledge of federal security doctrine, and ensure that timely and accurate feedback and recommended edits are delivered to the author(s). All work products should be ready for delivery to the client after only one review has been performed.
At least 10 years of federal information security experience. At least three years involving audit support with demonstrated leadership roles.Professional Certifications:
Candidates must hold one or more of the following certifications (or equivalents): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and/or CompTIA Security+.Clearance:
Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following background suitability and records check.