Security Assessment Lead
gTANGIBLE Corporation (gTC), www.gtangible.com, is a C corporation and a registered Government contractor that provides services and solutions in:
- National Security Programs
- Professional, Administrative, and Management Support
- Mission and Warfighter Support
We are a Service Disabled Veteran Owned Small Business (SDVOSB) and the founder has years of successful experience in the Government contracting arena. Our leadership team is an exceptional group of Government contracting professionals. gTANGIBLE is in the process of identifying candidates for the following position.
Requisition Type: Full Time
Position Status: Contingent
Position Title: Security Assessment Lead
Location: Washington, DC
Duties and Responsibilities
The Security Assessment Lead will oversee primary assessors to assist TSA in conducting the approvals for National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) steps 1 – 3 and in completing the assessment package and activities associated with RMF steps 4 – 6 for all TSA systems. Duties include the following:
- Serve as the main liaison and driving force for completing all Security Authorization (SA), OA, Preliminary Risk Assessment, and ad hoc Risk Assessment efforts.
- Complete SA Activities:
- Assess all applicable security controls defined in the mandated DHS Compliance Tool and applicable to the systems under their purview
- Ensure Information Systems Security Officers (ISSO) complete a FIPS-199, Privacy Threshold Analysis (PTA), E-Authorizations, Contingency Plans (CPs), Contingency Plan Tests (CPTs), Security Plans (SPs), and 800.53A test cases
- Develop the SA Package documentation to include Security Assessment Plans (SAP), Security Assessment Reports (SAR), Authority to Operate (ATO) Letters, ATO Recommendation Memo, Risk Assessment Memos, CFO Designation Memo, POA&M finding matrices, Executive Data Sheet (EDS), OA artifacts, etc.
- Ensure results are documented completely and accurately in the mandated DHS Compliance Tool at the operating system, application and database levels.
- Gather evidence for ATO efforts and store results in the mandated DHS Compliance Tool and/or in a separate Governance, Risk and Compliance (GRC) repository.
- Review POA&M closure and waiver packages in accordance with the IAD POA&M Standard Operating Procedures.
- Review RFCs or upgrades, provide a recommendation on whether they will result in major or minor changes and on the overall cybersecurity impact, and use the IAD tool to track changes.
- Conduct, evaluate, and analyze vulnerability results from ATO assessments, penetration tests, or ad hoc risk assessments produced by tools including, but not limited to, NESSUS, AppDetective, WebInspect, AppScan, and Nipper, and create POA&M matrices from the results.
- Conduct Audit of Privileged Accounts (APA) as part of ATO activities and annually review ISSO Privileged Account Audits.
- Execute responsibilities as outlined in the SA and OA Standard Operating Procedures and assist the policy manager in the review of these, and other SOP-related processes for updates.
- Provide recommendations for refining and/or improving existing RMF processes and procedures and support implementation of these changes.
Knowledge and Qualifications
- A minimum of 10 years of IT cybersecurity experience including direct support for the US Government and 7 years acting as an ISSO, assessor, or compliance analyst for enterprise IT systems OR a relevant Master's Degree in IT, Computer Science, or Engineering and 7 years of IT cybersecurity experience including direct support for the US Government and 5 years acting as an ISSO, assessor, or compliance analyst
- At least one of the following security certifications: Certified Authorization Professional (CAP), Certified Information Systems Security Officer (CISSO), Certified Information Security Manager (CISM), or Certified Information Systems Security Professional (CISSP)
- Knowledge of NIST Guidelines and FISMA Cybersecurity compliance requirements
- Technical knowledge of complex enterprise IT systems
- Knowledge of and experience using relevant cybersecurity and analysis tools such as Archer, Nessus Security Center, Splunk, etc.
- Experience communicating effectively, both oral and written, with technical, non-technical, and executive-level customers.
gTANGIBLE Corporation is an equal opportunity employer and does not discriminate against any employee or applicant because of race, age, sex, color, physical or mental disability, religion, sexual orientation, marital status, national origin, or political affiliation.