The SCA is responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).
- Security Clearance Level Active Top Secret/SCI
- 8 – 10 years of experience as an SCA
- Strong organizational skills; ability to multi-task
- Excellent Communication skills (written and oral)
- Familiar with Project management tools/techniques/time management
- Strong interpersonal and diplomatic skills
- Technical understanding (understanding network diagrams, vulnerability and compliance scans)
- Flexibility to adapt to different environments and personalities
- Works well under pressure and in a fast-paced environment
- Nessus, Rapid7 Nexpose, SCAP, NMAP, etc.
- Bachelor’s Degree in Computer Science or a related technical discipline, or the equivalent combination of education, professional training or work experience.
- IAM Level II Certification is required: CAP / CASP / GSLC / CISM / CISSP
Security Control Assessor (SCA) Responsibilities
(U//FOUO) Responsibilities of the SCA, under the direction of I&A CISO and supervision of the Risk Management Framework Lead, include, but are not limited to:
- Advising the Information System Owner (ISO) concerning the impact levels for confidentiality, integrity, and availability for the information on a system.
- Evaluating threats and vulnerabilities to information systems to ascertain the need for additional safeguards.
- Reviewing and approving the information system security assessment plan, which is comprised of the SSP, the Security Control Traceability Matrix (SCTM), and the Security Control Assessment Procedures.
- Ensuring security assessments are completed for each IS.
- At the conclusion of each security assessment activity, preparing the final Security Assessment Report (SAR) containing the results and findings from the assessment.
- Initiating a Plan of Action and Milestones (POA&M) for each information system based on findings and recommendations from the SAR.
- Evaluating security assessment documentation and providing written recommendations for security authorization to the AO.
- Developing and submitting the security authorization package to the AO. The package will contain, at a minimum, the SSP, the SAR, the POA&M, System Inventory and Installation Procedures, Security Assessment Procedures and a Risk Assessment.
- Assessing changes to existing information systems and/or new information systems, including evaluating the information system's environment of operation and mission needs that could affect system authorization.
Security Control Assessor (SCA) Duties:
Duties of the SCA, under the direction of I&A CISO and supervision of the Risk Management Framework Lead, include, but are not limited to:
- Performing vulnerability and compliance scans using approved enterprise scan solutions such as Nessus and SCAP to validate status of the Exception.
- Performing manual checks utilizing tools such as: Security Technical Implementation Guides (STIGs), DHS Configuration Guides, and System Test and Evaluation (ST&E) guides based on industry best practices as required.
- Performing the appropriate vulnerability and compliance testing, compiling the results in the customer-designated format/application(s), and sending them to the Stakeholder.
- Maintaining and updating the Waivers and Exceptions database.
- Reviewing the I&A CISO Software Database to determine if newly requested software is currently approved, completing initial software request due diligence, and performing appropriate further testing.
- Providing oversight and guidance of offsite penetration testing.
- Within CISO-defined parameters for internal penetration tests, performing penetration testing on the C-LAN network to assess network risks.
- Initiating and analyzing static code scans using organization-defined tools.
- Configuring and maintaining designated toolkit laptops (e.g. organization-defined tools).
- Reviewing media transfers and providing technical analysis support to IT security operations; based on technical findings, recommending approval/disapproval of media transfers.
- Familiarity with the Risk Management Framework (RMF) ICD 503, NIST SP 800-53 Rev. 4, 800-53A, CNSSI 1253, and the Risk Management Framework (RMF) described in NIST SP 800-37.
- Act as the Subject Matter Expert (SME) of assigned Information System(s).
- Ability to identify organization risk-exposure post Assessment & Authorization activities.
- Ability to understand network architecture designs and logical network designs.
- Facilitate/observe the execution of Vulnerability & Compliance scans via automated tools (e.g. Nessus, Rapid7 Nexpose, SCAP, NMAP, etc.).
- Ability to work independently as a Security Control Assessor to meet program deliverables.
- Ability to work in a team with a variety of audiences with different levels of technical understanding; Flexibility to Travel.
- Ability to actively participate in Technical Exchange Meetings (TEMs).
- Ability to make solid organizational risk-based recommendations to the Chief Information Security Officer (CISO) and Authorizing Official (AO).
- Ability to participate in local and non-local travel to support onsite Security Testing & Evaluation (ST&E).
- Review and understand all security related artifacts (e.g. System Security Plan (SSP), Security CONOPS, Risk Assessment Reports (RAR), test results, etc.) to include knowledge of developing the security related artifacts.
- Ability to identify any issues with security artifacts and clearly articulate any discrepancies or concerns.
- Participate in onsite/offsite meetings/conference calls in support of projects.
- Provide status reports/updates of projects on a weekly basis.
- Develop Security Assessment Reports (SAR) post-assessment.
- Assist with the management of Plans of Action and Milestones (POAMs).
- Draft Authorization to Operate (ATO) or Denial of Authorization to Operate (DATO).