Information Assurance Specialist

Swingtech

Washington, DC
Full Time
Paid
  • Responsibilities

    Job Description

    LOCATION: Washington DC

    JOB TITLE: Information Assurance Specialist

    EDUCATION/EXPERIENCE:

    • BS/BA in Computer Science, Information Systems, Software Engineering or other related analytical, scientific or technical discipline.
    • CISSP Certification highly preferred.
    • Five (5) years of experience in performing ISSO role and duties in support of the Federal Government.
    • Knowledge of Federal Government SA&A practices and policies, particularly FISMA and NIST Special Publications 800 series.
    • Ability to work independently and to collaborate with application developers, engineers and others.
    • Must be motivated and results oriented.
    • Effective written and oral communication skills.

    INDUSTRY CERTIFICATION(S):

    • At least one (1) of the following: CISSP, GIAC, CEH, TNCP, Security+, Network+ etc.

    FUNCTION:

    1. Support the development and review of architectural specifications and documents for IT security;

    2. Support the review of IT security program plans, the agency's IT security directives, policies and procedures, and the agency's IT security templates, including the agency's Information Technology Policy;

    3. Develop and maintain a comprehensive project plan (roadmap) that at a minimum identifies the tasks to be accomplished in the course of completing the requirements, defines project staff roles/responsibilities, and provides a detailed timeline for completion of tasks. The project plan shall include at a minimum the following:

    4. Milestones and dates for completion of each deliverable per system

    5. Gantt chart for project plan showing milestones and dates for completion of each deliverable per system

    6. Resources assigned to each system on project plan

    7. IT Security Program Evaluation Reports. Support the evaluation of the effectiveness of the implementation of agency IT security policies and procedures using a Capability Maturity Model (CMM) based framework;

    8. The Candidate shall assist in security assessment activities at all phases of the SDLC. This includes conducting market research that supports the agency's technical evaluation of software, hardware devices, applications or services.

    9. For new agency information systems, and in the case of major modifications to certified systems, the Candidate shall be the independent security assessor as defined in NIST and OMB guidance.

    10. For each information system, at a minimum, the Candidate shall plan and conduct a security assessment in compliance with NIST SP 800-37 “Guide to Applying the Risk Management Framework to Federal Information Systems” and NIST SP 800-53A “Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans”, deliver a security assessment report and assist with recommendations to correct weaknesses and deficiencies identified in the Plan of Action and Milestones (POA&M).

    11. The Candidate shall conduct ongoing security control assessments; monitoring and evaluation of configuration settings; status reporting on the implementation of remediation plans in the system POA&M; and an annual assessment of security controls selected on the basis of a risk analysis of the operating environment and the current threat(s).

    12. Ongoing Authorization of FISMA-reportable systems includes the following:

      1. Assessment Plan. On an annual basis, prepare an assessment plan which complies with NIST SP 800-37 guidance.
      2. Control Assessment. Using the plan, assess a selected subset of the technical, management and operational security controls employed within and inherited by information systems.
      3. Remediation Activities. Monitor remediation activities, review and approve completed remediation actions, assess the risk of outstanding items in system POA&Ms and generate a monthly status report.
    13. Support reviews of the Agency's record management practices

    14. Vulnerability Scanning. Conduct monthly and ad-hoc vulnerability scans of systems.

    15. Employ agency-supplied automated tools to gather the data needed to conduct real-time assessments and analysis of detected security events.

    16. Develop templates as needed.