Tuesday, November 28, 2023 04:40 Sign In

Cybersecurity Specialist Sr – Component Assessor

Back to Directory

Responsibilities

  • Support in identifying cybersecurity deficiencies in information systems by performing technical assessments of assigned systems and applications to determine the severity of weaknesses
  • Support the Security Authorization (SA) and Continuous Monitoring (CM) Risk Management Framework (RMF) process. The results from the assessments will be documented in the MGMT compliance tool (e.g., IACS, CSAM, etc…), utilizing a standard report format, along with recommended mitigations. The results will also be entered into the compliance tool.
  • Manage Assessment Schedule Forecasting system assignments for assessments for contract staff and stakeholders.
  • Create and manage all artifacts related to a specific security assessment (Rules of Engagement, Security Requirements Traceability Matrix, and other supporting artifacts).
  • Create, manage, and utilize Assessment Standard Operating Procedures and Testing Templates, and ensure that assessments are conducted accurately, efficiently, and consistently.
  • Create, manage, and utilize Assessment Guides and Training Materials Documents that assist system stakeholders in preparing for upcoming assessments, which include, but are not limited to, Frequently Asked Question guides, workflows, and Training Materials.
  • Create, manage, and utilize Check-Point Reviews to determine the system’s readiness for assessments, which include the status of POA&Ms for the system, review of the control implementations for applicability, and the state of the Body of Evidence (BOE) materials to support the assessment
  • Manage Assessment Entrance Conference Briefing, creating agenda and meeting minutes for the system stakeholders on what to expect and when during the upcoming assessments.
  • Draft Security Assessment Report (SAR) for review by the stakeholders to prepare for the Exit Conference.
  • Manage Assessment Exit Conference Briefing, creating agenda and meeting minutes for the system stakeholders on the results of the Exit conference to determine the final SAR.
  • Create Final Security Assessment Report for review by the stakeholders to prepare for the Exit Conference.
  • Develop and maintain an overall Security Assessment Schedule that forecasts system assignments for contractor and stakeholder staff over the period of performance. The Assessment schedule needs to include assessments that meet the requirements of current DHS policy. The systems in the Ongoing Authorization (OA) program need to be assessed once a year. The systems not in the OA program need to be assessed at a minimum every three years or when a major change occurs. The schedule must also support new systems utilizing the Authority to Proceed (ATP) memo. The new systems utilizing the ATP process assess the critical controls before being placed in production and then require a full assessment within one year after receiving the ATP.
  • Develop testing artifacts for each system to include, as appropriate, the technical assessment plan, the Rules of Engagement (ROE), the Security Requirements Traceability Matrix (SRTM), the Security Assessment Report, and any other necessary documentation.
  • Update and maintain all testing templates and Standard Operating Procedures (SOP) as needed or on an annual basis per DHS guidelines and utilizing the compliance tool.
  • Create Assessment Guides to assist ISSOs, ISSMs, System Owners, and other stakeholders in preparing for upcoming assessments, including, but not limited to, Frequently Asked Questions (FAQs) guides, and Training Materials.
  • Conduct and review vulnerability scans, review device configurations, and review system architecture. The Contractor will utilize vulnerability assessment tools as provided by the government. Test tools used to support the assessment process may include but are not limited to Nessus (Vulnerability Scanner), WebInspect (performs web application security testing and assessment), IACS, CSAM, and AppDetective (database vulnerability scanner). These tools are subject to change.
  • Provide advisement and recommendations to the Government for assessment and security best practices, including tools used for assessment activities.
  • Arrange for physical access to the system, if applicable, with the specific System Owner and the specific facility manager. The system’s Information Security Officer (ISSO) will provide all contact information. Alternatives to physical access to the system may be utilized if it does not compromise the assessment of the controls needed to be accomplished.
  • Conduct an Assessment Kick-off meeting according to the Security Assessment Schedule that reviews the MGMT Compliance requirements, process, and artifacts to prepare the stakeholders for the scheduled assessment.
  • Conduct up to two checkpoint reviews after the kickoff and before the planned assessment date to review the status of the artifacts in the compliance tool. Provide the checkpoint information to the assessment division and conduct reviews with the stakeholders as needed. As part of the checkpoint review, the assessor will provide detailed criteria that would result in significant findings on the assessment or prevent the assessors from conducting an accurate assessment.
  • Conduct an assessment entrance conference according to the Security Assessment Schedule that does a final overview of what is expected during the assessment.
  • Execute the assessment by reviewing system security documentation, vulnerability scan results, audit logs, configuration guides, and other materials provided by the system and system stakeholders.
  • Document the results of the technical assessments in the draft Security Assessment Report (SAR) with the criteria of the tests, testing methods, findings of the assessment, and recommended mitigations. The draft SAR will be sent to the stakeholders one week before the exit conference as defined in the Security Assessment Schedule.
  • Conduct an assessment exit conference according to the Security Assessment Schedule to review the findings of the draft SAR and address any final agreed changes.
  • Based on the results of the exit conference, produce the Final SAR within 5 business days of the conference. The Final SAR will document the technical assessment results with the tests’ criteria, testing methods, assessment findings, and recommended mitigations.
  • Collect and securely store all final materials and media submitted by the system test team according to the SOP in the DHS compliance system. Draft systems assessment may use other DHS MGMT-owned systems as appropriate.

Certifications

  • At least one of the following:
    • CISSP
    • CISM
    • CRISC
    • CSSP

Qualifications

  • Must have a Bachelor’s Degree in Computer Science or related field
  • Must have 8 years of relevant work experience
  • Must have an active Secret security clearance
  • At least 8 years of NIST Security Control Assessor (SCA) experience
  • Must have led Assessment teams from planning through execution and finalization of an assessment
  • Capable of performing in a fast-paced environment
  • Strong communication skills both verbally and in written form
  • Mastery of control assessment requirements based on the NIST 800-53A
  • Technical expertise in assessing environments such as but not limited to Applications, Operating Systems, Databases, Appliances, Cloud Environments, and Physical Environments to validate a full deployment of a defense-in-depth strategy
  • Proficient technical writing technical skills developing control findings, detailed assessment reports, technical requests for the system engineers, and other security assessment documentation
  • Extensive experience conducting assessment interviews of system engineers, administrators, and other support personnel, including demonstrations to accurately validate system configurations
  • Work well within and leading teams with a positive attitude and can solve problems without supervision
  • Deep knowledge of Security Control testing and validation on both technical and policy areas
  • CSAM experience
  • Working knowledge of DHS 4300 Policy +
  • Applies extensive knowledge of a variety of the Cybersecurity field’s concepts, practices, and procedures to ensure the secure integration and operation of all systems.

Location

  • This position requires the candidate to come on-site to the facility twice a week (Tuesday & Thursday), and work can be done remotely. The main facility is located in the National Capital Region within the DC Metropolitan area.

Salary

  • Salary is based on the number of years of relevant work experience the candidate has.

Please email your resume to our HR Recruiters