Security RMF Pen Tester & Technical Controls Assessor

The ideal candidate has experience performing internal penetration testing, vulnerability assessments and manual exploitation of servers, web applications/services and databases to identify vulnerabilities, misconfigurations, and compliance issues. In addition, the candidate will have extensive experience in performing FISMA technical controls assessments, writing final reports, Pen Testing Rules of Engagements (RoE), Test Plans and Standard Operating Procedures (SOPs).

Seeking experienced Security Risk Management Framework (RMF) Technical Controls Assessor and pen tester to support a Federal government client. The responsibilities for the Security RMF Technical Controls Assessor include:

• Conduct custom penetration testing scoped to the Federal Information Security Modernization Act (FISMA) systems’ unique environment and role based on the controls, schedule, and resources concurrent with the Information System
• Write final reports, defend all findings to include the risk or vulnerability, mitigation strategies, and references
• Conduct internal penetration testing and vulnerability assessment of servers, web applications, web services, and databases
• Manually exploit and compromise operating systems, web applications, and databases
• Examine results of web/OS scanners, scans and static source code analysis
• As needed, provide Penetration Testing, Vulnerability Scanning, and App Scanning using tools such as: Burp, Splunk, Nessus, SIH (Tripwire), AppDetective, WebInspect, Metasploit
• Develop Penetration Testing Rules of Behavior (RoB) and deliver to team and clients
• Understand how to create unique exploit code, bypass AV, and mimic adversarial threats
• Help customer perform analysis and mitigation of security vulnerabilities
• Research and maintain proficiency in tools, techniques, countermeasures, and trends in computer network vulnerabilities, data hiding, network security, and encryption
• Work with the Assessor Lead to conduct the Authorization & Assessment (A&A) for the annual FISMA systems assessment
• Establish the schedule and resources for the A&A of the annual FISMA systems assessments
• Conduct verbal discussion/meeting to address progress of the A&A effort

· Prepare and update various security documentation such as Systems Security Plans (SSPs), Plan of Action and Milestones (POA&Ms), Risk Assessments, Private Impact Assessments (PIAs), and more

• Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
• Assist in preparing Security Assessment Plans (SAP) to document test and assessment procedures
• Collect artifacts as proof that security controls are performing effectively
• Conduct custom interviews based on initial analysis of the system’s security plan to assess compliance with security controls
• Conduct system specific review and assessment of applicable controls at each site to be assessed, including and remote assessments (if applicable)
• Conduct FISMA systems Continuous Monitoring implementation and assessment
• Validate inventories for the annual FISMA system’s assessments

· Gather and analyze sufficient artifacts to verify technical control implementation against agency security policies

• Review relevant policies, schedule activities, and provide recommendations for courses of action

· Complete comprehensive test plans for identified security controls following National Institute of Standards and Technology (NIST 800-53), Federal Risk and Authorization Management Program (FedRAMP) guidance, and/or agency-specific guidance

• Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence)
• Produce complete, accurate, and timely findings reports
• Develop documents and document templates
• Promote an environment of continuous process improvement, learning and team collaboration

Requirements

Qualifications and Skills

• Must be a United States citizen

· Two (2) or more years of experience with penetration testing preferred

• Two (2) or more years of experience in technical controls assessments preferred
• Two (2) or more years of experience with RMF preferred
• Two (2) or more years of experience with A&A preferred
• Must have hands-on technology experience (Engineering, Development, or Operations)

· Strong familiarity with at least one of the following: Burp Suite, Open Web Application Security Project (OWASP) top 10, Penetration Executive Standard (PTES), and National Security Agency (NSA) Vulnerability and Penetration Testing Standards

• Familiarity with the Cyber Security Assessment and Management (CSAM) System for system assessments, or other equivalent tools
• Previous experience with security and scanning tools such as Burp Suite, NMAP, Splunk, Nessus, SIH (Tripwire), AppDetective, WebInspect.
• Knowledgeable with information security and assurance principles and associated supporting technologies
• Flexibility to adapt to contingencies resulting from changes or modifications to the schedule and assessment requirements.
• Excellent customer service and organization skills
• Excellent oral and written communication skills
• Experience in presenting control requirements and deficiencies to both technical and non-technical audiences

Benefits

One or more of the following certifications preferred:

o Offensive Security Certified Professional (OSCP)

o GIAC Security Leadership (GSLC)

o GIAC Penetration Tester (GPEN)

o GIAC Web Application Penetration Tester (GWAPT)

o Certified Information Systems Security Professional (CISSP)

o Certified Ethical Hacker (CEH)

o Other Penetration Testing certifications