OVERVIEW:
We are seeking an IT Security Policy Analyst/ISSO for our mission-critical customer in Washington, DC. You will work as part of a fantastic team providing security compliance expertise on a high-priority project.
GENERAL DUTIES:
- Developing, maintaining, and assessing Security Assessment & Authorization (SA&A) packages resulting in an authority to operate (ATO) for IT systems.
- Creating and maintaining SSPs and supporting documentation in accordance with agency guidelines and directives. This includes writing implementation statements, creating supporting documentation (e.g., Contingency Plans, Incident Response Plans, Account Management Plans, etc.), and performing self- assessments, while working with system stakeholders.
- Develop, coordinate, test, and train personnel on Incident Response Plans and Contingency Plans.
- Ensuring that information systems are accredited, maintain their ATO, and are being continuously monitored.
- Performing risk assessments for government systems, to include cloud-based systems.
- Performing security control assessments to include collecting supporting artifacts/evidence and interviewing system owner/owner representatives.
- Having an in-depth knowledge of the Risk Management Framework (RMF).
- Maintaining and tracking system POA&Ms.
- Conducting vulnerability management and analysis.
- Reviewing and analyzing government policy. · Taking ownership on various projects and efforts related to the items highlighted above.
- Improving on processes and procedures and making recommendations to improve the security posture of the agency's IT systems and applications.
REQUIRED QUALIFICATIONS:
- 6+ years’ experience with NIST, FISMA, and Security Assessment & Authorization.
- FedRAMP and Cloud (Azure, AWS, Oracle (OCI)) experience.
- Familiarity with various security-related NIST publications (e.g., SP 800-53r5, SP 800-53A, SP 800-18r1, etc.)
- Certifications: CISSP required
DESIRED QUALIFICATIONS:
- Familiarity with the security control families from the NIST guidance covered by the documents that they are responsible for evaluating.
- Ability to provide subject matter expert-level knowledge to the project team to ensure compliance with applicable requirements.
- Demonstrated knowledge of IT Security policy implementation statements, the regulatory structure of policy, the role of the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST).
- Hands-on experience using a Governance, Risk, and Compliance tool, such as CSAM or eMASS.
- Ability to conduct gap analysis on non-federated vendor audit results, such as SOC Type 2, HIPAA comparison review and analyst against NIST SP 800-53 Revision 5 security controls.
- Hands-on experience providing C-Level presentation and reporting.
- Excellent written communication skills and understand the purpose and use of the System Security Plan (SSP).
- Possess an understanding of control inheritance as applied to the Risk Management Framework (RMF) implementation in the CSAM tool.
- Ability to accurately manage complex workstreams, comprehend the application of the RMF, and understand the application of security controls across the interface, application, operating system, network, and database layers of modern information systems. Understand the applicable artifacts used as evidence to assess compliance.
- Experience with multiple tools providing security functions such as vulnerability management (e.g., Nessus), configuration management (e.g., BigFix, SCCM, ePO), endpoint protection (e.g., antivirus, ATP), data loss prevention, and intrusion detection software and hardware.
- Ability to evaluate data flows, network diagrams, and logical security boundaries.
- Excellent oral and written communication skills
- Familiarity with the use of data analysis tools, including the use of Microsoft Excel or PowerBI to combine data from multiple sources.
CLEARANCE:
- US Citizenship required with the ability to obtain a Public Trust clearance
