Job Description:

Duties:

• As a key participant within a Security Governance Team, will share responsibilities for conducting ISSO and Assessor duties in the System Assessments and Authorization (SA&A) process and maintaining continuous Approval To Operate (ATO) for various environments and applications.

• Perform Certification & Accreditation (C&A), System Assessment & Authorization (SA&A) as part of NIST SP 800-37 Risk Management Framework (RMF) system and application accreditation.

• Prepare vulnerability scanning test plans, coordinate testing, and conduct scans using Nessus, WebInspect and other scan applications.

• Analyze vulnerability scan results for validation and root cause.

• Perform security system event analysis, investigation, and validation.

• Provide incident response to classification spills, malware infections, misconfiguration exposures, internal inappropriate behavior, and technical issues.

• Participate in Lifecycle Management (LCM) Technical Change Control Boards (TCCB) providing technical guidance for security control compliance.

• Perform Federal Information Security Management Act (FISMA) assessments and annual reporting.

• Perform Security control assessments as part of Continuous Monitoring NIST SP 800-53 V4 compliance sustainment for application, infrastructure, and network.

• Task, track and mitigate Plan of Action & Milestones (POA&M) vulnerability scan and security assessment findings requiring mitigation.

• Perform Privileged User Account Management and Role Based Access assignment.

• Perform Privacy Threshold Assessment (PTA) and Privacy Impact Assessment (PIA) as part of Personally Identifiable Information (PII) Management.

• Maintain Change Management Plans (CMP), Incident Response Plans (IRP), Information System Contingency Plans (ISCP), and System Security Plans (SSP).

• Prepare and conduct training, exercises, and functional testing of IRP and ISCP.


Education:

• Bachelor's Degree from an accredited college or university with a major in Computer Science, Information Systems, Engineering, Business, or other related technical discipline is required.

• CISSP is a plus.

Experience:

• At least three (3) years of experience in system and application Certification & Accreditation (C&A), System Assessment & Authorization (SA&A), and Independent Validation and Verification (IV&V).

• At least three (3) years of experience in security system monitoring, syslog and traffic analysis, and incident response.

• At least one (1) year of experience in developing and maintaining standard operating procedures and work instructions.

• Cloud Security Knowledge is a plus.
