Serves as a Vulnerability Assessment Engineer / Penetration Tester on the Client's Risk Management Framework (RMF) Team responsible for certifying the client's classified IT systems. Guides and directs systems security analysis, vulnerability management and assessments, risk assessments, security surveys, independent certification testing, security test and evaluation, and verifies the accuracy and completeness of the reports associated with each of those activities. Uses best-of-breed tools to assess the vulnerability and compliance status of classified IT systems.
An ideal candidate will have a strong knowledge and background in red/blue team penetration testing, Web Application testing, and scripting. This person will apply their knowledge and expertise to build a professional penetration testing capability at the client that will serve as the internal resource for this testing. This person should have a strong analytical and procedural mindset in order to build the functional and SOP documentation required for this capability.
Applies broad information security knowledge and extensive experience of information systems to provide technical support, advice, and guidance for preparation of information system plans, systems design plans, test plans, Statements of Work (SOWs), and specifications for major information systems.
- Provide in-depth technical expertise in penetration testing and take the lead in building this capability for the client. Leverage experience and knowledge to recommend hardware and software to be used for assessments.
- Interface with System Owners and System Administrators in order to coordinate and perform vulnerability and compliance testing on a wide range of classified IT systems.
- Provides technical security and administrative direction for personnel performing System Administration.
- Coordinates with the Program Manager to ensure the Assessment and Authorization (A&A) process adheres to approved timelines.
- Assesses Security Controls, reviews documentation, prepares A&A packages, and makes recommendations for approval of major/minor/support system installations.
- Tracks Plans of Action & Milestones (POA&Ms) to completion with System Administrators and Stakeholders.
- HS Diploma and a minimum of 9 years relevant experience
- Associate's Degree and a minimum of 7 years relevant experience
- Bachelor's Degree and a minimum of 5 years relevant experience
- Master's Degree and a minimum of 3 years relevant experience
- PhD and at least 1 year relevant experience
- Experience with Red Team / Blue Team Penetration Testing. Knowledge of the latest and greatest penetration testing hardware and software tools.
- Experience performing Web Application Testing and scripting.
- Familiarity with ICD 503, 4300A/B/C, NIST 800-53 Rev3 and Rev4, the Risk Management Framework (RMF), and Security Technical Implementation Guides (STIGs).
- Familiarity with the operation of Nessus, Security Center/ACAS, SCAP Compliance Checker, STIGs, Exacta, etc.
- Attention to Detail - Is thorough when performing work and conscientious about attending to detail;
- Customer Service - Works with clients and customers (that is, any individuals who use or receive the services or products that your work unit produces, including the general public, individuals who work in the agency, other agencies, or organizations outside the Government) to assess their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services;
- Oral Communication - Expresses information (for example, ideas or facts) to individuals or groups effectively, taking into account the audience and nature of the information (for example, technical, sensitive, controversial); makes clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately; and
- Problem Solving - Identifies problems; determines accuracy and relevance of information; uses sound judgment to generate and evaluate alternatives, and to make recommendations.
Travel: Requires up to 25-30 percent travel
- Must be able to pass a government background investigation
- Desired, not required: OSCP, OWASP, GPEN, CEH, CPT, etc.
Clearance: TS/SCI (DHS suitability preferred)