Security Assessor - MID Job at Zermount, Inc in Arlington
Zermount, Inc, Arlington, VA, United States
Job Description
SECURITY ASSESSOR MID
MILITARY FRIENDLY & PREFERRED - HOH SPONSOR
Zermount Inc. is seeking a Security Assessor MID who plays a critical role in evaluating, and providing recommendations to enhance, the security posture of the organization. The Security Assessor will identify and provide solutions to mitigate potential risks, ensure compliance, and establish a robust security framework to protect sensitive information, systems, and assets. The Security Assessor is responsible for evaluating and assessing the organization's security measures and practices. They will be required to identify vulnerabilities, potential risks, and weaknesses in the organization's security infrastructure, systems, and procedures, and to provide recommendations and solutions to enhance security and mitigate potential threats. The scope of the Security Assessments will include Security Control Assessments (SCAs), Risk Assessment (RA) and analysis, evaluations of compliance with required configurations, vulnerability assessments, examination of documentation, manual testing, and verification and validation of the implementation of security principles.
Duties & Responsibilities:
The MID Security Assessor will provide the following support and services:
- Support the client by serving as a Security Assessor responsible for conducting the testing, verification, and validation of the proper implementation of security controls for IT systems.
- Follow and apply the Zermount six-phase Security Control Assessment Process to:
  - Serve as the Security Assessor for system Security Authorization (SA) / Authorization to Operate (ATO) efforts, annual assessments, Ongoing Authorization (OA) assessments, and risk assessments for changes to the systems.
  - Utilize structured mini teams to complete SA and Risk Assessment (RA) activities.
- Assess all applicable security controls defined in the mandated Agency Compliance Tool and applicable to the systems under their purview.
- Conduct assessment and analysis of systems' Federal Information Processing Standards (FIPS-199) documentation, Privacy Threshold Analyses (PTAs), E-Authorizations, Contingency Plans (CPs), Contingency Plan Tests (CPTs), Security Plans (SPs), and National Institute of Standards and Technology (NIST) SP 800-53A test cases.
- Assemble the SA Package in accordance with the Agency's and Organization's SOPs and requirements, to include Security Assessment Plans (SAPs), Security Assessment Reports (SARs), SAR briefings, drafting the Chief Information Security Officer (CISO) recommendation memo and AO ATO letters, and developing findings matrices.
- Conduct RA and develop RA Memos.
- Ensure objective/fact-based results (findings) are documented completely and accurately in the mandated Agency Compliance Tool at the operating system, application, and database levels.
- Gather evidence for ATO efforts and store results (findings) in the mandated Agency Compliance Tool and/or in a separate GRC repository.
- Support the Requests for Change (RFC) process by conducting risk assessments to evaluate changes and potential cybersecurity impacts. Utilize the IT tool for tracking changes.
- Analyze and document:
  - Assist in the assessment of the scope and extent to which such changes support Zero Trust mandates; and
  - Assist in the assessment of architectural and configuration changes made by the Organization O&M team(s).
- Conduct vulnerability assessments and analyze results from ATO assessments, penetration tests, or ad hoc risk assessments produced by tools including, but not limited to, Tenable, AppDetective, WebInspect, AppScan, and NIPRNet, and create Findings / Plan of Action and Milestones (POA&M) matrices from the results.
- Conduct compliance scans and validation against Security Technical Implementation Guides (STIGs) at the time of assessment.
- Conduct Audit of Privileged Accounts (APA) as part of ATO activities and annually review Information System Security Officer (ISSO) Privileged Account Audits.
- Execute responsibilities as outlined in the SA and OA Standard Operating Procedures and assist in the review of these, and other SOP-related processes for updates.
- Conduct gap analysis of existing RMF processes and procedures and execute at the direction of the Program Manager or GRC SME.
- Evaluate emerging technologies being considered by the Organization and conduct an Analysis of Alternatives (AoA) to determine compliance with federal mandates and requirements.
- Support assessments of plans, designs, technical concepts, implementation approaches, standards compliance, business and technical tradeoffs, and risk analyses.
- Review existing network infrastructure and coordinate with other stakeholders and contractors to perform a network assessment that includes but is not limited to reviewing existing circuits, connection types, bandwidth, types of traffic, and routing protocols.
- Conduct Trusted Internet Connection (TIC) 3.0 compliance assessments to determine compliance, gaps, and develop solutions to mitigate weaknesses and recommendations to meet compliance.
- Perform complex risk analyses, including risk assessments, to identify compliance with federal requirements (e.g., EO 14028, OMB M-22-09, M-21-31, A-130, NIST SP 800-37, SP 800-53, FIPS 199, FIPS 200, etc.) and with security requirements based upon the analysis of people, processes, and technologies.
- Perform assessment / analysis of designs, architectures, configurations, and implementation of ZT principles and security capabilities.
- Research major obstacles related to the ever-changing DHS FISMA requirements, which customers will need to overcome on a weekly, monthly, and yearly basis.
- In view of the remote nature of the contract, an individual Weekly Status Report and Status Briefing is a required deliverable for assigned tasks. The resource must be able to develop weekly status reports that are consistent, well structured, conform to all assigned management template guidelines, align with the task area of support, and are relevant to the reporting period.
- Must ensure deliverables meet a level of accuracy that does not require "return for correction" for typographical and grammatical errors.
- Must have the ability to prepare, present, brief, and explain all information captured in the weekly status report to management and/or the government client.
- Provide assistance and support as needed to other team members as required by the Program Manager or Deputy.
- Collaborate with Compliance Specialist and other members of the GRC Team based on assigned systems.
- Assist in conducting ZT reviews and assessments of all existing cybersecurity and IT capabilities for all of the organization's systems and the Enterprise. This includes conducting ZT readiness assessments.
- ZT assessment includes assessment criteria for ZT readiness. Prepare a Readiness Assessment Report and any mitigations or recommendations. Conduct a gap analysis and identify gaps in existing capabilities' compliance with RMF mandates. Incorporate approved changes into the Organization's roadmap established with the CIO ZT Plan, IMS, and other applicable documentation.
Qualifications:
- Experience and knowledge of Executive Orders (EOs), Office of Management and Budget (OMB) Memorandums, Federal, DoD, and CISA Technical Reference Architectures, Maturity Models, NIST guidance, FISMA, Cloud, and the Risk Management Framework (RMF).
- Understanding of zero trust principles is beneficial but not required.
- Proficient in risk assessment methodologies and security architecture frameworks.
- Experience with cloud-based environments and technologies is preferred.
- Knowledge of common cybersecurity threats, risk, and vulnerabilities and how to mitigate them.
- Excellent communication skills, with the ability to explain complex concepts in a clear, concise manner.
- Technical knowledge of IT systems and implementation of security controls.
- Strong problem-solving skills, proactive attitude towards identifying potential issues and implementing solutions.
- Must be able to conduct system analysis to detect issues with performance.
- Well versed in developing and implementing IT solutions to resolve technical challenges.
- Ability to work independently and as part of a team.
- Knowledge of NIST Guidelines and FISMA cybersecurity compliance requirements.
- Technical knowledge of IT systems.
- Knowledge of and experience using relevant cybersecurity and analysis tools such as Archer, Nessus Security Center, Splunk, etc.
- Experience communicating effectively, both oral and written, with technical, non-technical, and executive-level customers.
- Coordinate and/or perform additions and changes to network hardware and operating systems, and attached devices; includes investigation, analysis, recommendation, configuration, installation, and testing of new network hardware and software.
- Provide direct support in the day-to-day operations on network hardware and operating systems, including the evaluation of system utilization, monitoring response time and primary support for detection and correction of operational problems.
- Troubleshoot at the physical level of the network, working with network measurement hardware and software, as well as physical checking and testing of hardware devices at the logical level working with communication protocols.
- Maintain network infrastructure standards including network communication protocols such as TCP/IP.
- Provide technical consultation, training and support to IT staff as designated by the government.
Education and/or Experience:
- Minimum of a Bachelor of Science (or higher) in one of the following: computer engineering, computer science, IT, cybersecurity, or a related field, plus 5 years of IT cybersecurity experience including direct support of the US government and 4 years acting as an ISSO, assessor, or compliance analyst.
- Without a B.S. degree, a minimum of 7 years of IT cybersecurity experience including direct support for the US Government will be accepted.
Certifications:
- At least one of the following certifications is required: Certified Authorization Professional (CAP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO), or an equivalent from the DoD 8570 approved certification list.
Clearance level:
- Minimum of an active Secret Clearance.
Work Location:
- Primarily Remote (Onsite work in Arlington, VA or in the United States may be occasionally required).
Hours of Operation:
- Business Hours: 8:00 am EST - 4:30 pm EST.