Project Lead/ Senior Security Control Assessor (Hybrid-Remote) - E

Project Lead/ Senior Security Control Assessor

Kingfisher Systems, Inc. (Kingfisher) specializes in providing a full range of Information Technology, Cybersecurity, Intelligence, and support services to the U.S. Government. Kingfisher's core competency is technology-enabled services with a specific focus on national security. Since 2005 Kingfisher has established itself as a recognized and trusted partner whose mission is safeguarding sensitive information, operations, and programs for our Federal customers and U.S. warfighters.

Responsibilities

Kingfisher is seeking a Project Lead/ Senior Security Control Assessor (SCA)

Government customer information systems are considered in one of three states of System Authorization: Initial Authorization, Reauthorization, or Continuous Monitoring Assessment (CMA), also known as ongoing authorization. The SCA SME must conduct comprehensive security assessments to yield a clear understanding of security status and risk to operations and executing the mission.

• SCA must review the customers System Authorization process as defined in the current customer Security Authorization and Continuous Monitoring Performance Guide and associated templates and provide recommendations for updates to create a draft Assessment Package for approval.

• SCA activities within this task shall include a review of existing information systems core documentation. This review shall include privacy requirements data to support the development of security assessment plans, to include level of rigor (depth and breadth), and schedules support authority decision anniversary dates.

• SCA shall ensure the accuracy of the system inventory, categorization, plan of action and milestones (POA&Ms), and other technology and technology type within the authorization boundary.

• SCA shall validate system support services (vulnerability SCA SMEnning and security monitoring technology) and personnel roles, including but not limited to,

• Authorization Official and Authorization Official Designated Representative

• System Owner,

• Information System Security Officer,

• Privacy Officer,

• Application/System Administrator,

• Common Controls Provider (CCP), or

• Cloud Service Provider (CSP).

• FedRAMP access to packages will be approved (as required) to ensure the accuracy of information and notification of the assessment schedule.

• SCA must review and establish an Annual Assessment Schedule in support of deliverables and artifacts.

• SCA shall develop the required Security Assessment Plans (SAP) and Security Assessment Reports (SAR) to be compliant with the latest revisions of NIST Special Publication 800-53A Recommended Security Controls for Federal Information Systems and Organizations and NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems. The SAPs must detail assessment scope with clarity, including specifying scope exclusions, if necessary, controls being assessed, methods of performing assessment including sampling and determine if statements, notional schedule, assessment staff members, inventory of targeted system endpoints/components, and software, processes, status of account of system specific, and hybrid and inherited controls.

• SCA shall develop Security Assessment Motives in the customers Cybersecurity Assessment Management system (CSAM) to support controls selection commensurate to approved SAP.

• SCA shall adhere to the approved SAP while conducting authorized security assessments. Contractor shall collect, and catalogue evidence of security controls assessment findings i.e., documents, screen captures, and interview session notes to support claims of control implementation status (in place or other).

• SCA shall develop SAR in accordance with scope defined in the SAP. SAR must detail assessment findings of controls assessed with supporting evidence supporting claims.

• SCA shall develop and update system qualitative risk assessment reports (RAR) compliant with NIST SP 800-30 Guide for Conducting Risk Assessments.

• SCA shall develop a Recommendation Report and draft a Plan of Action and Milestones in accordance with requirements in CSAM. The Recommendation Report must detail findings, applicable actions, and efforts to be considered for full weakness remediation and/or compensating measure to reduce risk (likelihood of occurrence or impact).

• SCA shall develop a Security Assessment Executive Summary including documents for a presentation, providing summary of activities completed, findings, risks, and recommendations. The Executive Summary shall include methods of data collections, reporting applications and tool suites, and processes using plain language, graphs, charts, and other means for clear communications.

• SCA must provide an Executive Summary Briefing at customer site or hosted virtually, as determined by the COR. The briefing will include presentations, reports, evaluations, reviews, meeting minutes, and working papers in support of all tasking. Final artifacts supporting assessment activities shall be uploaded in CSAM as designated by the COR.

• SCA shall ensure all written and published media is relevant to topic and provide clear plain language without grammar or spelling errors

• SCA shall be familiar with the updating, writing, and creation of Cybersecurity policy

Required Qualifications

• Highly skilled in cybersecurity professional with a keen understanding of technology including but not limited to application, databases, networking and architecture to support adequate security and remediation planning activities.

• Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

• Experience developing and delivering System Security Plan(s) in CSAM.

• Experience in application and system continuity and risk strategies.

• Experience in network firewall, data loss prevention, network intrusion detection systems, and intrusion prevention systems.

• Experience in Operating Systems and systems services (Windows Server, Linux/ Unix and Active Directory).

• Ability to conduct dynamic web application security testing, both manual testing and utilizing application security tools to discover exploitable vulnerabilities and interpret result for remediation.

• Experience in vulnerability Application and database security assessment, SCA SMEnning and results interpretation.

• Ability to format and configure large documents in Microsoft suites and Adobe PDFs

• Ability to format and configure datasheet and workbook in Microsoft suite e.g., Excel or SharePoint List.

• Ability to function effectively in a dynamic, fast-paced environment.

Additional Requirements

• Knowledge of applicable laws, statutes, Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.

• Knowledge of Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.

• Federal Information Security Management Act (FISMA) of 2014

• Clinger-Cohen Act of 1996 also known as the Information Technology Management Reform Act of 1996, 40 U.S.C § 1401 et seq.

• Privacy Act of 1974, 5 U.S.C. § 552a, as amended.

• Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, and Appendix Ill, Security of Federal Automated Information Systems, as amended.

• OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies.

• National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication (PUB) 140, Security Requirements for Cryptographic Modules.

• NIST FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems.

• NIST FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems.

• NIST Special Publication 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems.

• NIST Special Publication 800-30 Rev 1, Guide for Conducting Risk Assessments.

• NIST Special Publication 800-53 Rev 4 and 5 Security and Privacy Controls for Federal Information Systems and Organizations.

• NIST Special Publication 800-53A Rev 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations.

• NIST Special Publication 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.

• NIST Special Publication 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems.

• NIST Special Publication 800-47 Rev 1, Managing the Security of Information Exchanges

• Expert experience in Federal Information Security Modernization Act 2014 (FISMA) and federal requirement for reporting.

• Keen understanding of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) in detail of all supporting steps and Cybersecurity Framework (CSF) and Privacy Act.

• Knowledge of Department of Homeland Security Cybersecurity & Infrastructure and Security Agency (CISA) Directives and programs e.g., Continuous Diagnostic and Mitigation (CDM).

• Understanding of information assurance, cybersecurity, privacy policies disciplines, methodologies.

• Knowledge of current and emerging cyber technologies.

• Knowledge of Application Security Risks (e.g., Open Web Application Security Project and others).

• Knowledge General Services Administration Federal Risk and Authorization Management Program (FedRAMP) including process for continuous monitoring.

• Understanding of Identity, Credential and Access Management (ICAM) implementation.

• Ability to work with customers to assess needs, provide assistance, resolve problems, satisfy expectations; knows products and services.

• Understanding of CSAM application and its reporting and controls management (Common, Hybrid, and System specific).

Project Lead Requirement

• Project Lead shall provide management, direction, administration, quality assurance and leadership of the execution of this work.

• Ability to work with customers to assess needs, provide assistance, resolve problems, satisfy expectations; knows products and services.

• Understanding of the principles, methods, or tools for developing, scheduling, coordinating, and managing projects and resources, including monitoring work, and performance.

• Ability to determine the validity of technology trend data.

• Ability to develop, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.

• Ability to leverage best practices and lessons learned of external organizations and academic institutions dealing with cyber issues.

• Ability to design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the organizations strategic plan.

• Experience with managing Federal contracts projects and must have the ability to communicate effectively both orally and in writing.

• Understanding of the principles, methods, or tools for developing, scheduling, coordinating, and managing projects and resources, including monitoring and inspecting costs, work, and performance.

Required Certifications: One of the following, at a minimum, is required

• Certified Information System Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)

Desired Certification:

• Project Management Professional (PMP)

Years of Experience:

• Must have a minimum of eight (8) of progressive experience supporting information technology projects with at least five (5) Five years of experience in defining security programs or processes for the protection of sensitive or classified information.

• Must have a minimum of Five (5) years of experience in Project Management, with cybersecurity project management highly desired

Degree Requirement:

• Bachelors Degree Preferred

Minimum Clearance Requirement:

• Must be eligible for Public Trust

U.S. Citizenship:

• Required

Location:

• The position is hybrid-remote to DC Metro area only

Kingfisher Systems, Inc. is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, gender identity, national origin, age, protected veteran status, among other things, or status as a qualified individual with a disability.