Information Security Continuous Monitoring Analyst
The Information Systems Continuous Monitoring (ISCM) Analyst assists a federal client who manages a complex nationwide cybersecurity risk portfolio. Duties include risk assessments, Security Tests and Evaluations (ST&Es), documentation assessments, security control assessments, reviewing and testing all the documents associated with Authorization to Operate (e.g. system security plans, contingency plans, incident response plans, disaster recovery plans, etc.), and other advanced-level ISCM activities in accordance with NIST Special Publications 800-30, 800-37, 800-60, 800-53 Rev 4, 800-53A Rev 4, FIPS 199, FIPS 200, FISMA, and other related OMB and NIST guidance. The job requires formal and informal risk assessments, clear communication of risk, recommendations for mitigation of risk, and measurement of residual risk to enable risk-based decision-making.
The job requires frequent briefings to senior federal client management and senior executive personnel, sometimes on issues that are inherently contentious and consequential. This position requires a working knowledge of operating systems and network technologies such as Microsoft® Windows® and Linux operating systems; Microsoft Active Directory®; database security; and cloud security. The job requires familiarity with enterprise architecture; service-oriented architectures; secure development lifecycles; vulnerability testing; networking protocols and topologies; security architectures; and incident management. The position requires 30% domestic travel and an ability to work with clients resident in multiple time zones.
General Description of Duties:
- Lead on-site ISCM independent assessments of information systems, including in-depth and holistic analyses, risk assessments, Security Tests and Evaluations (ST&Es), documentation assessments, security control assessments, reviewing and testing documents associated with Authorization to Operate (e.g. system security plans, contingency plans, incident response plans, disaster recovery plans, etc.), and production of an ISCM/Security Assessment Report to the proper Authorizing Official;
- Determine the level of compliance with federal laws and Departmental policies, procedures, standards, and guidelines by conducting testing and assessments;
- Provide input and recommendations on internal cyber security policies and procedures, and review and provide comments on external cyber security documentation;
- Draft or update standard operating procedures;
- Provide support in responding to external audits;
- Recommend corrective actions based on risk assessments;
- Prepare and present cyber security briefings;
- Provide weekly report input to the project manager, including accomplishments, planned activities, issues, and recommendations; and
- Other duties as assigned.
Education: Bachelor's degree and equivalent experience. Any of the following certifications are helpful: DOD 8570 certification; Certified Information Systems Security Professional (CISSP); Certified Authorization Professional (CAP); Risk Management Professional (RMP); Certified Risk Information Systems Control (CRISC); or Industrial Control Systems (ICS-CERT, SANS, GIAC, etc.).
Experience: Minimum of six (6) years IT/technical experience is required, to include four (4) or more years of progressive information security experience with Federal Government projects. Strong knowledge and experience with the most recent FISMA regulations, NIST special publications, FIPS publications, and OMB regulations is also required. Ideal candidates will also have demonstrated practical experience in NIST-based risk management.
Skills: The position requires a demonstrated capacity to analyze, review, and occasionally apply technology solutions which meet the security control requirements specified by FISMA, OMB, and NIST guidance. The position also requires a demonstrated ability to perform risk management, including assessing risk, writing formal risk analysis reports and presenting them to senior management, making recommendations for mitigation and managing implementation. Superior technical, writing, and presentation skills are required. Requires excellent organizational skills, attention to detail, excellent customer service skills, working knowledge of Microsoft Office, ability to multitask, and excellent written and verbal communication skills.
Unique Requirements: Must have an active Top Secret (TS) or DOE Q security clearance. Candidate must be available to travel approximately 15-20 weeks per year.
Job Status: Contract/Temporary