The Sr. Security Control Assessor (SCA) is responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls. The Security Control Assessor shall provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities.
- 4+ years conducting security control assessments based on NIST SP 800-53 Rev. 4, NIST SP 800-53A Rev. 4, and NIST SP 800-37 Rev. 1.
- 1+ year of experience conducting analysis of vulnerability scan results.
- 1+ year of experience reviewing the Security Assessment Plan (SAP), the System Security Plan (SSP), and the Security Control Traceability Matrix (SCTM).
Preferred Skills & Qualifications:
- Understanding of various Operating Systems.
- Advanced knowledge of general-purpose vulnerability scanners (e.g., QualysGuard, Nessus).
- Ability to communicate effectively; strong documentation and communication (written and verbal) skills.
- Understanding of SCADA or Industrial Control Systems.
- Self-motivated and able to work in an independent manner.
- Experience reviewing/updating SSPs.
- Evaluate IT systems for compliance with FISMA controls (NIST 800-53); draft/update the SAR.
- Evaluate IT systems for compliance with the Risk Management Framework (RMF) artifacts required for FISMA compliance and controls (NIST 800-53).
- Coordinate with Operations and Maintenance (O&M) teams to drive compliance with Security Controls and requirements
- Work with System Owners to draft achievable Plans of Actions & Milestones (POA&Ms) to remediate findings
- Monitor and report on POA&M remediation activities.
- Serve as a Point of Contact (POC) for cyber security questions
- Advise System Owners on cyber security best practices
- Provide clarification on cyber security policies and regulations
- Coordinate with Information System Security Managers (ISSMs) and Operations and Maintenance (O&M) teams in support of account approvals
- Draft/update the SAR.
- Coordinate with Security Engineering and O&M teams to identify and document system asset data
- Coordinate with security and O&M teams to report and mitigate vulnerabilities.
- Compliance Management; Cybersecurity Operations; Security Policy Frameworks
- Conduct security testing and security control assessments on federal applications and general support systems to ensure compliance with NIST SP 800-53 Rev. 4, NIST SP 800-37 Rev. 1, and agency-specific requirements.
- Evaluate authorization packages and make authorization recommendations.
- Review and compile the security control implementations, test results, Security Assessment Reports (SARs), Plan of Action and Milestones (POA&M), risk acceptance recommendations, and risk mitigation strategies to support the recommendation for client risk acceptance authorization decisions.
- Technically assess both major application and general support system security configurations and implementation.
- Analyze results from vulnerability scanning tools such as Nessus, HP WebInspect, QualysGuard, AppDetective, and Burp Suite.