CALIBRE Systems Inc., an employee-owned Management Consulting and Digital Transformation Company is seeking a Security Control Assessor (Mid-level) who will conduct independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST 800-37). This position has a salary of $103,000.
The Security Control Assessor’s responsibilities include, but are not limited to, the following:
- Manage and approve Accreditation Packages.
- Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
- Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
- Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
- Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
- Establish acceptable limits for the software application, network, or system.
- Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
- Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
- Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
- Provide input to the Risk Management Framework (RMF) process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
- Verify and update security documentation reflecting the application/system security design features.
- Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
- Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
- Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals.
- Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.
Required Skills
- All RMF steps as documented in the NIST RMF SP 800-series, with particular emphasis managing the ATO process.
- Experience planning, developing, implementing, tracking, and maintaining cybersecurity metrics and POA&Ms.
- Experience with RMF System Continuous Monitoring Plans.
- Experience performing technical risk and providing reports for accreditation.
- Usage of tools such as eMASS or XACTA.
- Usage of DISA STIG Viewer or a similar tool.
Desired Skills
- Proficient with the Microsoft Office suite.
- Strong verbal and written communication skills.
- Understanding of DoDIN, DISA Information Assurance Guidance, and FEDRAMP Cloud Computing.
Required Experience
- US citizen
- Active Top Secret/Sensitive Compartmented Information (TS/SCI) clearance, eligible for Counterintelligence (CI) Polygraph.
- IAM or IAT Level 2 certification.
- Bachelor’s degree or higher from an accredited college or university in Computer Science, Cyber Security, Information Technology, Software Engineering, Information Systems, or Computer Engineering degree; or a degree in a Mathematics or Engineering field.
- Possible travel within the Continental United States (CONUS) and Outside CONUS (OCONUS).