Information Systems Specialist Ii - Washington, United States - Criterion Systems, Inc.

Criterion Systems, Inc. (Verified Company)
Washington, United States

Posted 1 week ago by Mark Lane, beBee recruiter

Description

Overview:

We are seeking an Information Systems Specialist II (Mid) to support our Department of Transportation (DOT) customer in Washington, DC.

Responsibilities:

_ Duties, Tasks & Responsibilities_

  • Provide cybersecurity expertise throughout the System Development Life Cycle (SDLC) process, including supporting requirements review in the development phases (Agile, Spiral, DevSecOps or Waterfall model), the annual Security Assessment and Authorization (SA&A), and Information System Continuous Monitoring (ISCM).


  • Develop and update information system data for Privacy Impact Assessments (PIAs), Privacy Threshold Analyses (PTAs), and System of Records Notices (SORNs). This includes interfacing and coordinating with the System Owner (SO) who originates or is responsible for the document, to ensure the PIA/PTA/SORN contains the information needed for approval/adjudication by the DOT Privacy Office and inclusion in the System Authorization package.
  • Assist the System Owner, Information Owner, Component Privacy Officer and Information System Security Manager (ISSM) in recording all known security weaknesses of assigned information systems in Plans of Action and Milestones (POA&Ms) in accordance with DOT policy, guides and procedures.
  • Develop draft Plans of Action and Milestones (POA&Ms) for observed control-level deficiencies or gaps in control implementation(s) in accordance with DOT policy, guides and procedures.
  • Conduct quality assurance reviews of existing POA&Ms to ensure completeness and accuracy and that the identified solutions are cost effective.
  • Support the information system contingency planning process in accordance with the current revision of the NIST SP Guide to Test, Training, and Exercise Programs for Information Technology Plans and Capabilities; ensure contingency plan test exercise results are documented in an after-action report, and that Lessons Learned corrective actions are captured to update the Information System Contingency Plan (ISCP).

Qualifications:

_ Required Experience, Education, Skills & Technologies_

  • With a Bachelor's degree in Information Systems or a related field, at least 6 years of experience required
  • Without a Bachelor's degree, at least 10 years of related experience required

Minimum of 6 years of information system and network security experience with an emphasis on Information Assurance, including:

  • 3 years of experience with federal government customers creating and maintaining IT Authorization to Operate (ATO) packages for new systems and interfacing/coordinating with System Owners (SO), Business Owners, System Maintainers, and Developers.
  • Keen understanding of the Federal Information Security Modernization Act of 2014 (FISMA) and federal reporting requirements.
  • Keen understanding of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), including all of its supporting steps, as well as the Cybersecurity Framework (CSF) and the Privacy Act.
  • Knowledge of the General Services Administration's Federal Risk and Authorization Management Program (FedRAMP), including its process for continuous monitoring.

At least 3 years of experience:

  • Assisting system owners with the mitigation/remediation process, following corrective action plans.
  • Conducting weekly and monthly vulnerability and compliance scans of Linux, Windows, and virtual environments with vulnerability tools such as Nessus, Splunk, Invicti (formerly Netsparker), and BigFix.
  • With enterprise security architecture methodologies, concepts, procedures, principles, and tools.
  • Using security control and privacy control findings and status from assessments to develop POA&Ms for the controls that must be put in place to remediate vulnerabilities.

_ Preferred Experience, Education, Skills & Technologies_

  • Experience developing privacy documentation such as PTAs, PCMs, and PIAs
  • Experience with security analysis of security controls for systems in the cloud
  • Understanding of Identity, Credential and Access Management (ICAM) implementation
  • ITILv
  • Certificate of Cloud Security Knowledge (CCSK), Azure certification or other cloud certification
  • Certified Information Systems Security Professional (CISSP) or similar
  • Certified Data Privacy Solutions Engineer (CDPSE)
  • Certified in Risk and Information Systems Control (CRISC) or CompTIA Advanced Security Practitioner (CASP)

_ Security Clearance Level_

  • Public Trust

_ Certification_

  • Minimum of CompTIA Security+ required within 6 months of hire if not in possession of one of the preferred certifications.

_ Work Schedule_

  • Full-time, hybrid remote (50%)

_ Benefits Offered_

  • Medical, Dental, Vision, Life Insurance, Short-Term Disability, Long-Term Disability, 401(k) match, Tuition/Training Assistance, Parental Leave, Paid Time Off, and Holidays.
