About the Role: The candidate will provide technical expertise on Security control implementations and development of Information Security procedures for systems and applications. Although you will be the ISSO for these systems after they are authorized for use, candidates will also be required to perform pre-assessment activities, including a detailed analysis of the technology stacks comprising the vendor solutions. This position requires a fundamental understanding of engineering-compliant architectures and solutions. You will be part of a team working to assess vendor systems for technical compliance with NIST and agency standards.
Role Description:
- Perform detailed architecture and technical design reviews on the full stack for vendor solutions (examples of some areas requiring detailed analysis):
  - Assess and document encryption standards for encryption at rest and in transit (What cipher suites are used? What type of encryption? etc.)
  - Assess and document authentication mechanisms for all points in the system (Is MFA implemented at all authentication points? Is the MFA solution approved and compliant with NIST and agency standards?)
  - Assess and document session management and control for all layers of the system
- Schedule and lead screen-sharing sessions with the vendors to gain a full understanding of the technology stack, document all security-relevant information required for the architecture review and create a full report for presentation to the CISO
- Serve as the IT security POC (ISSO) for assigned systems to ensure agency information systems comply with FISMA, OMB, and agency policies.
- Oversee and manage relationships for assigned systems that may be contractor owned and contractor operated, ensuring vendors comply with agency security and privacy requirements.
- Assist stakeholders with IT security-related activities to ensure project deadlines are met.
- Ensure security activities are implemented throughout the SDLC from beginning to end.
- Ensure all systems are operated, maintained, and disposed of IAW documented security policies and procedures, including but not limited to Assessment & Authorization (A&A).
- Support the development and maintenance of all security documentation such as the System Security Plan, Privacy Impact Assessment, Configuration Management Plan, Contingency Plan, Contingency Plan Test Report, POA&M, annual FISMA assessment, and incident reports.
- Research assigned IT security systems to provide insight into IT security architectures and IT security recommendations for assigned systems.
- Report and respond to security incidents.
- Assess vulnerabilities to ascertain if additional safeguards are needed, ensure systems are patched and security-hardened at all levels of the “stack,” and monitor to see that vulnerabilities are remediated as appropriate.
- Promote Information Security Awareness and provide training.
Required Qualifications & Education:
- Six (6) years of experience in the IT security field
- Two (2) years of experience supporting A&A (NIST 800-53) and compliance activities
- Four (4) years of hands-on technical experience as a System Architect or Security Engineer
- Bachelor’s degree in Computer Science or a related field or an additional two years of industry experience.
- Security+, CISSP, CISM, CISA, or equivalent Security certification.
- Technical expertise with Nessus Tenable Security and Invicti reports.
- Experience in reviewing 3rd party security assessment reports
- Have detailed knowledge and experience with NIST Policies, Governance, Security Planning and Architecture, FISMA Compliance, RMF, Incident Analysis, and General Security Best Practices.
- Ability to communicate, in writing and orally, with technical and non-technical stakeholders.
- Possess strong written and oral communication skills to support customers, internal stakeholders, peers, and public audiences.
Desired Qualifications:
- Direct experience with NIST 171 is preferred
- Strong communication skills to interact with senior managers, junior staff, and business unit (non-technical) customers.
Clearance and Location Requirements: Able to be cleared for a Public Trust clearance.
About NR Labs
At NR Labs, our passion is to solve the hard problems that keep security leaders up at night in a way that caters to their unique technical, financial, political, and business posture. Our company empowers every organization to achieve its cyber potential. NR Labs focuses on cybersecurity for public and private sector clients and is dedicated to solving their most complex cyber challenges. If you are interested in learning more about NR Labs, please visit our website at nrlabs.com.