Senior Information Security Analyst Job at Aretec Inc

Aretec Inc Camp Springs, MD

POSITION TITLE: Sr. Information Security Analyst - A-123

YEARS OF EXPERIENCE: 5+ Years

ONSITE (Y/N): Onsite - Hybrid schedule; 1 day/week onsite (Tuesdays)

LOCATION: Camp Springs, MD 20588

CLEARANCE REQUIRED: Public Trust


Please Note: Aretec, Inc. does not offer Corp-2-Corp (C2C) employment.


Aretec is seeking a Senior Information Security Analyst - A-123 to join our team in support of our federal customer. This position requires on-site support 1 day/week at our federal client's HQ located in Camp Springs, MD.

The successful candidate will assist the client in coordinating with the internal organization that executes A-123 internal controls assessments, including but not limited to conducting A-123 self-assessments/internal verification and validation activities, coordinating with system teams to respond to all requests for information, reviewing and uploading supporting artifacts, etc. The individual will be responsible for developing written summaries for the Deputy CISO and CISO, advising on concurrence/nonconcurrence with audit findings, and developing comprehensive responses to findings. This individual may also be asked to support audits initiated by external organizations such as the OIG and/or GAO.


RESPONSIBILITIES:

  • A-123:
    • Experience with A-123 controls including Test of Design and Test of Effectiveness.
    • Experience with writing responses to A-123 audit findings; writing responses to OIG and GAO audit findings is a plus, but not required.
  • Risk Management Framework (RMF) Activities:
    • Support all activities as outlined in the NIST SP 800-37, Risk Management Framework for Information Systems and Organizations. This includes the process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.
  • Security Authorization Documentation:
    • Initial development and at least annual reviews/updates of the FIPS 199, e-Authentication, Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA), Security Plan (SP), Contingency Plan (CP), Contingency Plan Test (CPT), Interconnection Security Agreements (ISAs), Memoranda of Agreement/Understanding (MOA/Us), and any other FISMA-related security documentation.
  • Security Control Assessment Response:
    • Support all assessment activities by responding to interview questions as well as working with the system teams to gather appropriate evidence as directed by the client.
  • Change Management:
    • Review all change requests for potential impact to the system security posture.
  • Continuous Monitoring:
    • Review artifacts associated with the conduct of audit log and account management reviews.
  • Configuration/Patch/Vulnerability Management:
    • Review scan results for the system assets, identify the respective remediations for misconfigurations and weaknesses, and work with the system team to ensure timely implementation of fixes.
  • Possess a deep understanding of security regulations, such as the NIST publications and OMB security-related documents.
  • Prepare documentation and materials to support the operations of FedRAMP compliance requirements throughout the organization
  • Develop briefings and presentations for Government PM and Executive Management.
  • Ability to adapt to an Agile environment and provide quality, professional deliverables in a short timeframe with little to no guidance from the Government.
  • Performing audit documentation reviews; recommending revisions and corrective actions to address audit requirements.
  • Conduct periodic gap analyses; provide recommendations for improvement of existing Audit Program to client, in both formal and informal formats and forums.
  • Work with internal and external stakeholders to finalize remediation strategies resulting from audit findings.
  • Perform other duties as assigned by the Government.
  • Determine the clearest and most logical way to present information and instructions for greatest reader comprehension and write and edit technical information accordingly.
  • Meet with SMEs in order to ensure that specialized topics are appropriately addressed and discussed.
  • Coordinate with stakeholders to obtain status information on audit remediation activities.
  • Assist in the development of presentations and talking points for our customer's Senior Leadership.
  • Update and maintain audit documentation, including SOPs, in the designated repository(ies).
  • Evaluate and contribute to the improvement of audit control processes; provide recommendations for and/or create automated processes enabling management to assess the effectiveness of controls and detect associated risks.
  • Develop a framework for year-round testing of the design and effectiveness of IT controls for financial systems within the customer's portfolio.
  • Maintain familiarity with legislative and regulatory requirements to include the GAO Green Book, OMB Circular A-123, The Chief Financial Officers Act, Federal Financial Management Improvement Act (FFMIA) and FISMA.
  • May be asked to lead a team of up to 3 Security Analysts in coordinating workload, identifying dependencies, escalating risks, etc.


REQUIRED SKILLS:

  • Minimum of 5 years of experience evaluating IT systems using NIST SP 800-53 in the federal government.
  • A-123 experience is a must.
    • The candidate needs to have written responses to A-123 audit findings; writing responses to OIG and GAO audit findings is a plus, but not required.
  • Experience facilitating responses to external audits initiated by the OIG or GAO.
  • Ongoing Authorization experience is a must.
  • Must have experience with security tools such as Splunk Enterprise v7.3 and higher, Tenable, Prisma Cloud, DoJ CSAM, Nexus IQ Server, etc.
  • Familiarity with Nessus scans and associated output.
  • Experience working with NIST SP 800-53, RMF, FISMA, DHS and Department of Defense (DoD) STIGs and associated policies.
  • Experience developing and drafting POA&Ms, including milestones at an appropriate level to facilitate remediation and tracking efforts.
  • 3+ years of experience with analyzing, assessing, and implementing corrective actions based on vulnerability management tools.
  • Must possess good listening skills, with the ability to detect explicit and implicit needs and wants of the client. Demonstrated ability to exercise good judgment, prioritize multiple tasks, and problem solve under pressure of deadlines and resource constraints.
  • Ability to work independently, with a solid understanding of cyber security concepts.
  • Ability to work efficiently and effectively in a dynamic and fast-paced environment. Ability to adapt to frequent changes in priorities, follow project schedules, meet established deadlines, and proactively communicate risks and issues to the Contractor PM and/or Federal Leads.
  • Ability to communicate clearly and effectively via written and verbal communication in both formal and informal situations.
  • Ability to adapt to an Agile environment and provide quality, professional deliverables in a short timeframe with little to no guidance from the Government.
  • Possess strong analytical and critical thinking skills with the ability to apply them to the client/ contract workspace.
  • Must have previous client-engagement experience.


PREFERRED SKILLS:
Previous experience supporting Department of Homeland Security federal clients


EDUCATION:
Bachelor's Degree in Information Technology or related field.


CERTIFICATIONS:

  • Must have and maintain at least one active certification such as CASP, GSEC, GSLC, CISSP, CEH, CISM, and CISA, or other comparable certification.
  • CISA, CISM, and/or CISSP preferred, but not required.


