Security Assessor - Arlington, United States - Zermount, Inc

    Job Description

    Security Assessor - SR

    MILITARY FRIENDLY & PREFERRED - HOH SPONSOR

    Zermount Inc. is seeking a Senior Security Assessor who plays a critical role in evaluating the organization's security posture and recommending improvements to it. The Security Assessor identifies potential risks and provides solutions to mitigate them, ensures compliance, and helps establish a robust security framework to protect sensitive information, systems, and assets. The Security Assessor is responsible for evaluating and assessing the organization's security measures and practices: identifying vulnerabilities, potential risks, and weaknesses in the organization's security infrastructure, systems, and procedures, and providing recommendations and solutions to enhance security and mitigate potential threats. The scope of the security assessments includes Security Control Assessments (SCAs), Risk Assessment (RA) and analysis, evaluation of compliance with required configurations, vulnerability assessments, examination of documentation, manual testing, and verification and validation that security principles have been implemented.

    Duties & Responsibilities

    • Support the client by serving as a Security Assessor responsible for conducting the testing, verification, and validation of the proper implementation of security controls for IT systems.
    • Follow and apply the Zermount five-phase Security Control Assessment Process to:
      • Serve as the Security Assessor for system Security Authorization (SA) / ATOs, annual assessments, Ongoing Authorization (OA) assessments, and conducting risk assessments for changes to the systems.
      • Utilize structured mini teams to complete SA and Risk Assessment (RA) Activities.
      • Assess all applicable security controls defined in the mandated Agency Compliance Tool and applicable to the systems under their purview.
      • Conduct assessment and analysis of each system's FIPS-199 categorization, Privacy Threshold Analysis (PTA), E-Authorizations, Contingency Plans (CPs), Contingency Plan Tests (CPTs), Security Plans (SPs), and SP 800-53A test cases.
      • Assemble the SA Package in accordance with the Agency's and Organization's SOPs and requirements, including Security Assessment Plans (SAPs); Security Assessment Reports (SARs); the SAR Briefing; draft CISO Recommendation Memos and AO ATO Letters; and finding matrices.
      • Conduct RAs and develop RA Memos.
    • Ensure objective/fact-based results (findings) are documented completely and accurately in the mandated Agency Compliance Tool at the operating system, application, and database levels.
    • Gather evidence for ATO efforts and store results (findings) in the mandated Agency Compliance Tool and/or in a separate GRC repository.
    • Review Requests for Change (RFC) or upgrades and provide impact assessments on potential cybersecurity major or minor changes and overall cybersecurity impacts. Utilize the IT tool for tracking changes.
    • Analyze and document change requests submitted to TSA, assessing the scope and extent to which such changes support ZT mandates, as well as configuration changes made by the Organization's O&M team(s).
    • Conduct vulnerability assessments, and analyze results from ATO assessments, penetration tests, or ad hoc risk assessments produced by tools including, but not limited to, Tenable, AppDetective, WebInspect, AppScan, and Nipper; create Findings/POA&M Matrices from the results.
    • Conduct Audits of Privileged Accounts (APA) as part of ATO activities and annually review ISSO Privileged Account Audits.
    • Execute responsibilities as outlined in the SA and OA Standard Operating Procedures and assist in the review of these, and other SOP-related processes for updates.
    • Conduct gap analysis of existing RMF processes and procedures and execute direction of the Program Manager or GRC SME.
    • Assist in conducting ZT reviews and assessments of all existing cybersecurity and IT capabilities across all of the Organization's systems and the Enterprise, including ZT readiness assessments.
    • Prepare a Readiness Assessment Report and any mitigations or recommendations.
    • Evaluate emerging technologies being considered by the Organization, conduct an analysis of alternatives (AoA) to determine compliance with federal mandates and requirements.
    • Support assessments of plans, designs, technical concepts, implementation approaches, standards compliance, business and technical tradeoffs, and risk analyses.
    • Review existing network infrastructure and coordinate with other stakeholders and contractors to perform a network assessment that includes but is not limited to reviewing existing circuits, connection types, bandwidth, types of traffic, and routing protocols.
    • Conduct TIC 3.0 compliance assessments to determine compliance, gaps, and develop solutions to mitigate weaknesses and recommendations to meet compliance.
    • Perform complex risk analyses, including risk assessments, to identify compliance with federal requirements (e.g., EO 14028, OMB M-22-09, OMB M-21-31, OMB Circular A-130, NIST SP 800-37, NIST SP 800-53, FIPS 199, and FIPS 200) and with security requirements derived from the analysis of people, processes, and technologies.
    • Perform assessment / analysis of designs, architectures, configurations, and implementation of ZT principles and security capabilities.
    • Research major obstacles related to the ever-changing DHS FISMA requirements, which customers will need to overcome on a weekly, monthly, and yearly basis.
    • Provide assistance and support to other team members as directed by the Program Manager.

    Required Qualifications

    • Minimum of 5 years of IT cybersecurity experience, including direct support of the US government, with 4 years acting as an ISSO, assessor, or compliance analyst. Seven years are required if the candidate does not have a Bachelor's degree.
    • Experience with and knowledge of Executive Orders (EOs), Office of Management and Budget (OMB) memorandums, Federal, DoD, and CISA technical reference architectures, maturity models, NIST guidance, FISMA, cloud, and the Risk Management Framework (RMF).
    • Knowledge / experience using cybersecurity and analysis tools such as Archer, Tenable, Splunk, etc.
    • Understanding of zero trust principles is beneficial but not required.
    • Proficient in risk assessment methodologies and security architecture frameworks.
    • Experience with cloud-based environments and technologies is preferred.
    • Knowledge of common cybersecurity threats, risk, and vulnerabilities and how to mitigate them.
    • Excellent communication skills, with the ability to explain complex concepts in a clear, concise manner.
    • Technical knowledge of IT systems and implementation of security controls.
    • Strong problem-solving skills, proactive attitude towards identifying potential issues and implementing solutions.
    • Must be able to conduct system analysis to detect issues with performance.
    • Well versed in developing and implementing IT solutions to resolve technical challenges.
    • Ability to work independently and as part of a team.

    Education

    • Minimum of a Bachelor of Science (or higher) in one of the following: computer engineering, computer science, IT, cyber security, or a related field.
      • Relevant years of experience may be used in substitution for situations where the candidate does not have a Bachelor's degree in the required field.

    Certifications and Training

    At least one of the following security certifications:

    • Certified Authorization Professional (CAP)
    • Certified Information Systems Security Officer (CISSO)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Security Professional (CISSP)

    Clearance Level

    • Minimum of an active Secret Clearance.

    Work Location

    Remote; occasional onsite meetings at contractor site and TSA HQ in Springfield, Virginia.

    Hours of Operation

    • Business Hours: 8:00 am EST - 4:30 pm EST.