Information security management support services to maintain the overall security posture of the National Institutes of Health (NIH) environment, by performing the following: Cyber Policy, Planning, and Evaluation; Enterprise Training, Evaluation and Awareness; Risk Management and Assessment and Authorization (A&A); Management; and Cybersecurity Program Training Material Development.
Design, develop, engineer, and implement solutions to MLS requirements. Perform complex risk analyses which also include risk assessment. Establish and satisfy information assurance and security requirements based upon the analysis of user, policy, regulatory, and resource demands. Support customers at the highest levels in the development and implementation of doctrine and policies. Apply know-how to government and commercial common user systems, as well as to dedicated special purpose systems requiring specialized security features and procedures. Perform analysis, design, and development of security features for system architectures.
- Risk Management: Experience providing recommendations, guidance, planning, and implementation support for NIH risk management activities and tools. Provide support as needed to enhance NIH’s Information Security Program related to governance, optimization, automation, and supporting tools.
- Ability to develop an Information Security Risk Management Strategy in accordance with the latest released versions of the NIST Special Publications. Conduct an enterprise risk assessment, develop Information Security Risk Assessment Reports, a Privacy and Security Roadmap, a Security Risk Management Plan, and a Risk Scoreboard, and enhance the RM program.
- Assessment and Authorization (A&A) Support: Responsible for providing recommendations and implementing process improvements to the NIH A&A process based on best practices from other HHS OPDIVs and federal agencies. Ability to provide A&A process recommendations that enable the agency to be more agile and extensible and to maximize the use of automation.
- Advise NIH on how best to tailor the revised A&A process to handle non-traditional technologies including, but not limited to, cloud, mobile, and Internet of Things. Develop guidance, templates, other tools, and advice to the ICs to support their risk management and ATO activities.
- Track and review Plans of Actions and Milestones (POA&Ms) agency-wide to identify areas of risk arising from unimplemented POA&Ms, a buildup of risk-based decisions, or other cross-cutting issues observed in the course of its risk management support.
- Bachelor’s Degree; 10 years of additional relevant experience may be substituted for education
- Five (5) years of management experience
- Certified Information Systems Security Professional (CISSP), or GIAC Security Leadership (GSLC) certification, or Certified Information Security Manager (CISM), required
- PMP Certification, preferred