4554 Security Control Assessor

Procession Systems

Today
Top Secret
Unspecified
Unspecified
Security
Reston, AL (On-Site/Office)

GENERAL DUTIES:

This role is responsible for leading Risk Management Framework (RMF) and other cybersecurity control evaluations as required to ensure the effectiveness of security controls within an organization. The person in this role serves as the lead Security Control Assessor (SCA) and assists the RMF lead in managing the distribution of RMF projects and reporting the completion status of each SCA team member's efforts.

The role's technical functions encompass a range of tasks aimed at assessing, testing, and validating security measures to identify vulnerabilities and enhance overall security posture. Here are the technical functions typically associated with this role:

  • Security Controls Assessment Planning: Develop comprehensive assessment plans based on established security standards, frameworks (e.g., NIST SP 800-53, ISO 27001), and regulatory requirements. Define assessment scope, objectives, methodologies, and timelines.
  • Security Controls Testing: Conduct rigorous technical testing of security controls across various domains such as access control, cryptography, network security, and incident response. Use automated tools, manual techniques, and specialized testing methodologies to identify weaknesses and vulnerabilities.
  • Vulnerability Scanning and Analysis: Perform vulnerability scans using automated scanning tools to identify potential security flaws in systems, networks, and applications. Analyze scan results, prioritize vulnerabilities based on risk, and provide recommendations for remediation.
  • Penetration Testing: Conduct simulated cyberattacks to identify exploitable security weaknesses and assess the resilience of defensive measures. Perform network penetration testing, web application testing, wireless network testing, and social engineering assessments.
  • Security Configuration Review: Review and analyze security configurations for systems, devices, and applications to ensure compliance with security policies, standards, and best practices. Identify misconfigurations, weaknesses, and deviations from security baselines.
  • Security Control Validation: Validate the effectiveness of implemented security controls through rigorous testing and validation procedures. Verify that controls are functioning as intended and providing adequate protection against security threats and vulnerabilities.
  • Security Documentation Review: Review security documentation, including policies, procedures, guidelines, and technical documentation, to assess alignment with security requirements and industry standards. Ensure documentation accurately reflects implemented security controls and practices.
  • Compliance Assessment: Assess compliance with regulatory requirements, contractual obligations, and industry standards related to information security. Evaluate adherence to standards such as GDPR, HIPAA, PCI DSS, and SOX through detailed compliance assessments.
  • Risk Assessment and Mitigation: Conduct risk assessments to identify and prioritize security risks based on their likelihood and impact. Collaborate with stakeholders to develop risk mitigation strategies and action plans to address identified vulnerabilities.
  • Security Reporting and Communication: Prepare comprehensive assessment reports detailing findings, observations, recommendations, and remediation actions. Communicate assessment results to technical and non-technical stakeholders, including senior management, IT teams, and auditors.
  • Continuous Improvement Initiatives: Participate in continuous improvement initiatives aimed at enhancing the effectiveness and efficiency of security assessment processes. Identify opportunities for automation, optimization, and enhancement of assessment methodologies and tools.
  • Knowledge Sharing and Training: Share knowledge and expertise with team members through training sessions, workshops, and mentoring activities. Stay updated on emerging threats, vulnerabilities, and trends in cybersecurity to continuously improve assessment practices.


REQUIRED QUALIFICATIONS:

  • Bachelor's degree from an accredited institute in an area applicable to the position in Cybersecurity, Computer Science, Software Engineering, Systems Engineering, Information Systems, or a related technical discipline.
  • 10 years of cybersecurity-related experience or the equivalent combination of professional support, education, or professional training.
  • Skills: Strong independent work ethic and emotional intelligence, exceptional oral and written communication skills, and the ability to work unsupervised and lead teams. Focuses on the consistent execution and updating of organizational processes and procedures to drive RMF efforts, CONMON, and POA&M efficiencies.
  • Maintain IAT Level III Certification in DoD 8570.01-M Cybersecurity workforce, compliance with DoD Directive 8140 Cyberspace Workforce Management, and IAT Level III.
  • Certification in DoD 8570.01-M Cybersecurity workforce, compliance with DoD Directive 8140 Cyberspace Workforce Management, and IAT Level III (CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH, CCSP).


DESIRED QUALIFICATIONS:

  • Experience working with the most senior members of the client organization to ensure that overall program and project direction, strategy and expectations are met.
  • Possesses an understanding of DIA's CIO mission and the impact of managerial practices.
  • Has a firm understanding of the IC and DoD Risk Management Framework (Steps 1 through 7), continuous monitoring, risk scoring, and risk management experience.
  • SME in one or more of the following specialties: cloud and systems architectures, Zero Trust security architecture, cloud applications and storage, high performance computing, and software development.


CLEARANCE:

  • Top Secret Security Clearance with SCI eligibility
group id: 90943786
About Us
At Procession Systems we work on identifying top talent across various markets. We work with some of the world's leading government contractors, ranging in size, taking on some of the biggest challenges in the defense, civilian, and intelligence markets. Not only do we identify top talent in this space for our clients, but a well-cared-for candidate experience is our priority. At Procession Systems we are dedicated to your needs and here to serve you as you advance in your career!
