Provides security engineering designs and implementation in all aspects of Information Assurance and Information Security (InfoSec) Engineering. Assesses and mitigates system security threats/risks throughout the program life cycle; validates system security requirements definition and analysis; establishes system security designs; implements security designs in hardware, software, data, and procedures; verifies security requirements; performs system certification and accreditation planning and testing and liaison activities, and supports secure systems operations and maintenance.
The SI has an exciting opportunity for an Information Assurance professional to support our NGA Customer! If you have experience in Information Security Control Assessment we would love to hear from you!
This position shall perform security controls assessments that are an integral part of the Assessments and Authorizations process. Perform A&A scanning, comprehensive assessment testing, penetration testing, documentation, reporting and analysis requirements. This includes performing dedicated functions for all NGA missions involved with Assessments and Authorizations or compliance with applicable National Intelligence Community or Department of Defense information system security guidance.
Duties may include, but are not limited to:
o Perform comprehensive security assessments of identified and applied security controls. Provide summaries of initial assessments in Security Assessment Reports (SAR) that address the technical evaluation and results of assessment, identify weaknesses or deficiencies, and recommend corrective actions for risk mitigation.
o Perform STIG reviews and assess the degree to which a system is compliant with operating system, network, and application security STIGs.
o Perform host and network based security control assessments, determine residual security risks, prepare assessment test reports, prepare and assess test plans, and provide formal recommendations in support of authorization.
o Perform mobile device and mobile application security reviews and document results of such reviews.
o Provide support to OCIO at internal/external meetings, conferences, technical exchange meetings, and working groups for all activities with regard to information security and risk management.
o Provide testing support for evaluations and shall provide specific test plans and testing services tailored to security controls of the systems being tested. The tester will use NGA accepted tools and techniques, including but not limited to manual testing, web assessment software, vulnerability scanning, pen testing tools, and in house scripts as approved by NGA. Tests may be conducted either remotely or locally on the systems to ensure compliance and to identify security vulnerabilities, risks, threats and gaps.
o Review and analyze the findings that identify security issues on the system. The contractor shall compile results and findings into a final Security Assessment Report, along with assessments and recommendations for remediation. The final report shall provide analysis for the DAO, Information System Security Engineer (ISSE), and PM for compliance with security controls, remediation, and informational purposes. The report shall comprehensively encompass both technical and non-technical findings, assessments, and recommendations.
o Conduct testing and scanning via NGA accepted techniques and scanning tools, including manual techniques (software and hardware), used either remotely or locally on the systems to evaluate compliance and to identify security vulnerabilities, threats, risks, and gaps. The contractor shall review and analyze the findings that identify security issues on the system. The final report shall provide analysis for the DAO and PM for remediation and informational purposes. The report shall comprehensively encompass both technical and non-technical security compliance results.
o Review security plans, test the documented systems in accordance with applicable policies and guidelines, and document results of the testing; either recommend approval for authorization or recommend against authorization, with rationale supporting the recommendation.
o Assist with providing detailed test plans and conducting security testing of security controls specific to security boundaries, including Cross Domain Solutions (CDS).
o Provide on-site and/or remote testing in support of FISMA through manual testing, vulnerability scans and penetration testing at industrial and NGA hosted sites both CONUS and OCONUS. Work will be authorized and coordinated by the Government on a trip-by-trip basis.
o Augment cyber penetration testing activities in the planning, execution, tracking, and reporting of Blue/Red Team Assessments consisting of identifying and exploiting vulnerabilities on NGA systems.
o Coordinate and conduct Blue Team assessments to identify vulnerabilities and correct weaknesses in NGA networks. The Blue Team will work cooperatively with Key Components (KCs) to provide notification and make recommendations to mitigate those vulnerabilities and assist in corrective actions.
• Minimum of 10 years’ experience in systems engineering/analysis as applied to the cybersecurity, information assurance or related field; candidate must have experience with application of security controls to information systems.
Knowledge, Skills & Abilities
• Knowledge and experience in security disciplines including, but not limited to, information systems security, operations security, administrative security, personnel security, physical security and communications security
• Knowledge of IA principles and organizational requirements that are relevant to confidentiality, integrity, availability, authentication, and non-repudiation
• Knowledge of IT security principles and methods (e.g., firewalls, demilitarized zones, encryption)
• Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI])
• Knowledge of security system design tools, methods, and techniques
• Knowledge of relevant laws, policies, procedures, or governance as they relate to work that may impact critical infrastructure
• Knowledge of TCP/IP networking technologies, Windows Active Directory and UNIX account administration, Windows Active Directory and UNIX folder permissions, Patch Management best practices on Operating Systems and applications, known vulnerabilities associated with Windows and UNIX platforms
• Knowledge of OSI model and how specific devices and protocols interoperate, including knowledge of protocols, and services for common network traffic
• Knowledge of DoD/IC system security control requirements
• Knowledge and experience with XACTA
• Knowledge of DCID 6/3, ICD 503, CNSSI 1253, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-37, and the NGA security controls assessment criteria/procedures
• Knowledge of NGA roles, missions, and operational enterprise architecture
• Knowledge of roles and procedures of red/blue team activities
• Knowledge of industry information security standards and protocols
• Knowledge of commercial or military software development methodologies, process, and standards
• Knowledge of web services protocols, including Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Description, Discovery and Integration (UDDI)
• Knowledge of structured content tools and languages, and content management systems
• Knowledge of known vulnerabilities from alerts, advisories, and bulletins
• Skill in using network analysis tools to identify vulnerabilities
• Skill in assessing the robustness of security systems and designs
• Skill in designing security controls based on IA principles and tenets
• Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
• Skill in developing and applying security system access controls
• Skill in assessing industry IT operating systems, software, databases, or hardware
• Skill in systems engineering, requirements analysis, system development, software development, or hardware development as applied to the information assurance or cyber security field
• Ability to prepare the various types of security-related documents
• Ability to conduct vulnerability scans and recognize vulnerabilities in security systems
• Ability to evaluate the trustworthiness of the supplier and/or product
• Ability to evaluate the adequacy of security designs
• Ability to establish effective working relationships internally and externally to NGA
The SI Organization is an Equal Opportunity and Affirmative Action Employer. M/F/V/D.
We are an Equal Opportunity Employer and do not discriminate against any employee or applicant for employment because of race, color, sex, age, national origin, religion, sexual orientation, gender identity, status as a veteran, and basis of disability or any other federal, state or local protected class.