Certified Navy Qualified Validator

Cybrex LLC

Norfolk, VA
Full Time
Paid
  • Responsibilities

    Cybrex is seeking a Certified Fully Qualified Navy Validator with extensive knowledge of and experience with the Risk Management Framework (RMF) process and the phases of the Certification and Accreditation (C&A) process. The candidate has experience in an IA or C&A related field and satisfies the provisions of CNSS no. 4016 (Risk Analyst), Intermediate Level, but is not required to hold the certificate. The candidate demonstrates in-depth knowledge of all C&A subject areas, with in-depth familiarity and understanding of Navy IT sites, systems and infrastructure, and applies Navy C&A guidance to Navy C&A efforts. The candidate has experience working with Navy C&A efforts as a Navy Validator and strong writing skills to develop and maintain System Security Plans (SSP), Contingency Plans, Privacy Impact Assessments, Certification Reports, Accreditation Reports, Plan of Action & Milestones (POA&M), and other C&A documentation. The candidate demonstrates oral and written communication skills to work closely with all levels of personnel involved in IT operations and technical aspects of systems. This position is an IAM Level II in accordance with Cyber Security Workforce Guidelines. The candidate will have extensive experience as a Risk Management Framework (RMF) Specialist providing RMF assessment and authorization (A&A) support. Systems will be both classified and unclassified operational Information Technology (IT) networks and systems. The candidate will have an advanced-level understanding of RMF, provide technical analysis for Information Assurance (IA)/Cyber Security (CS) support and integration efforts, and perform Subject Matter Analysis of RMF A&A documentation prior to submission for ATO approval. The candidate will be capable of authoring RMF artifacts if needed and have a current Secret security clearance.

    Responsibilities/Knowledge/Skills:

    Experience Auditing and building RMF A&A packages including scanning for both classified and unclassified operational technology and Information Technology (IT) systems.

    Understanding of SCADA theory, operation and programming

    Perform reviews of Risk Management Framework (RMF) assessment and authorization (A&A) accreditation packages prior to submission to Approving Authority

    Correction of RMF Artifacts when required

    Perform reviews of Platform IT (PIT) RMF packages prior to submission to Approving Authority

    Strong proficiency in performing vulnerability scanning and analysis using Assured Compliance Assessment Solution (ACAS) and NESSUS tools, and in developing Plans of Action and Milestones (POA&M) for corrective actions

    Author Risk assessment and risk mitigation reports

    Identify and validate Security Controls Using appropriate NIST Publications

    In depth understanding of common Ports, Protocols, and Services

    Ability to author a Contingency Operations Plan (COOP) with Stakeholders

    Identification and application of DISA STIGs

    Knowledge of Boundary Defense and Identification

    Knowledgeable in C&A/A&A requirements and processes

    Knowledgeable in Information Assurance/Cybersecurity policy development, review and/or implementation

    Knowledgeable in System analysis, preparation of Test Plans, security test and evaluation and development of reports regarding test outcomes including development of POA&Ms

    Audits and validates configurations deployed on laptops, workstations, and servers

    Audit and validate configurations of network devices based on DISA STIGs, or define and implement compensating controls for such STIGs as required to ensure mission execution.

    Maintain and update all Risk Management Framework (RMF) and C&A documentation to ensure its relevancy and currency, including required revisions and updates in eMASS or MCCAST.

    Conduct comprehensive annual RMF package reviews to ensure continued compliance of the customer Networks.

    Ensure traceability is maintained throughout the RMF submission process (e.g., C&A Plan, POA&M, RAR, Topology, Software, Ports, Protocols, and Services, Test Plan).

    Maintain documentation and registration of Network Ports, Protocols, and Services.

    Maintain and report on the status of all outstanding C&A items and supporting documentation.

    Provide recommendations for corrective action of any non-compliant security controls.

    Execute DISA STIG validations for systems in conjunction with C&A package reviews annually.

    Provide security expertise to ensure security controls are implemented and the resulting documentation and artifacts are current.

    Prepare reports on scanning results and configuration management observations as requested.

    Document assessment activities and results in sufficient detail to enable an external review of all assessment processes, activities, results, and conclusions.

    Ability to work both independently and as a member of a team.

    Ability to be self-motivated and multi-task with limited supervision in a fast-paced environment.

    Experience:

    Ten (10) years of professional experience. Experienced in the management of Information Assurance Technical (IAT), certification agents and system engineers on the compliance requirements to achieve certification and accreditation IAW the DoD RMF program and the Department of Navy (DON) Chief Information Officer (CIO) IA Policy for Platform Information Technology (PIT) Systems. Ten (10) years of support to the DON or DoD, preferably as an Information Assurance Management (IAM), Certification Agent and/or Designated Approval Authority and Certification Authority staff.

    Demonstrated background and experience in Information Assurance, C&A, RMF Assessment and Authorization (A&A), eMASS, STIG auditing and remediation

    Experience utilizing assessment tools (e.g., ACAS, SCAP, HBSS) and RMF process tools (e.g., MCCAST, eMASS, eArcher, VRAM and DITPR-DON/DADMS)

    Required:

    Must have a current SECRET security clearance.

    Must be a Certified Fully Qualified Navy Validator Level III

    Required to meet DoD Directive 8570.1/Cybersecurity Work Force IAT-II criteria (e.g., CAP, CASP CE, CISM, CISSP or Associate, GSLC).

    Certifications:

    One of the following: CAP, CASP CE, CISM, CISSP or Associate, GSLC

    Certification as a Fully Qualified Navy Validator (FQNV) Level 3

    Education:

    Target Education: Bachelor of Science in Computer Science.