Information Security Analyst SME with TS/SCI

Company Overview

TestPros is a successful and growing business, established in 1988 to provide Information Technology (IT) technical support services to a wide range of Commercial and U.S. Federal, State, and Local Government customers. Our capabilities include Program Management, Program Oversight, Process Audit, Intelligence Analysis, Cyber Security, NIST SP 800-171 Assessment and Compliance, Computer Forensics, Software Assurance, Software Testing, Test Automation, Section 508 and WCAG Accessibility Assessment, Localization Testing, Independent Verification and Validation (IV&V), Quality Assurance (QA), Compliance, and Research and Development (R&D) services. TestPros is an Equal Opportunity Employer.

TestPros delivers innovative independent IT assessment solutions to critical challenges facing the nation and the world. We support the U.S. Federal Government and Commercial clients within the continental USA. TestPros is dedicated to making lives better, safer and more secure.

Job Summary

TestPros is seeking an Information Security Analyst SME to support a Federal cyber security program.

Position: Full-time

Citizenship: U.S. Citizenship

Job Title:

Location: Arlington, VA (or Pensacola, FL) and Remote

Security Clearance: Top Secret SCI

Project overview:

POA&M Management
The POA&M tracker lists mitigation and milestones with completion dates and serves to track the resolution of vulnerabilities and non-compliance with security controls identified during assessments and at any point during the system's life cycle. The Contractor shall provide a mechanism for vulnerability and POA&M management. The status must be updated on a weekly basis. Recommendation for closure is based on changes made to the system to remediate issues or to mitigate the risks with the necessary supporting evidence presented for resolution. The Contractor shall prepare a detailed weekly status of all activities, including status of open/closed action items, POA&M status/milestones, and any other pertinent data points as requested by the Government.

Vulnerability Management
The Contractor shall perform management of technical and policy related findings as a result of compliance, vulnerability, and penetration testing and internal reviews. The Contractor must meet with product and service teams as required to track progress and serve as a security subject matter expert on issues requiring clarification and resolution. The Contractor shall provide guidance to ensure vulnerabilities are prioritized, fixed, mitigated, or risk accepted. The Contractor shall deliver remediation tracking for all outstanding issues using an automated process to manage results, trending, and report. Risk mitigation strategies, recommendations, and applicable security controls must be documented and must include cost effective solutions that support mission goals.

Security Review of System Changes
The Contractor shall review change requests to ensure the proposed changes are in accordance with all security requirements in effect at the time of the change request. The contractor must provide a recommendation to the Government as to whether the change request should be approved, approved with certain conditions, or disapproved citing the reason for disapproval. The Contractor shall maintain a repository where every change request is stored along with the analysis performed by the contractor for each change request. The Contractor shall also capture and store pertinent artifacts for each change request in a location commensurate with the classification level of the artifacts. The Contractor shall prepare a detailed weekly status of all activities, including status of change requests, open/closed action items, and any other pertinent data points as requested by the Government.

Comprehensive Security Technical Documentation
Activities related to managing organizational and program risk are paramount to an effective information security program especially for complex information systems. The Contractor shall work with the product and service teams throughout the RMF process. The Contractor shall perform reviews of the policies, procedures, and related documentation currently maintained by program staff to identify missing or outdated documentation. Subsequent reviews should be performed on an annual basis at a minimum or as directed by the Government. In support of this activity, the Contractor shall develop and maintain documentation as required by security controls outlined in NIST 800-53a which include the following:

• Program policies and common controls
• Standard Operating Procedures (SOPs)/Guides
• Program common controls
• Security artifacts and artifact templates
• Concept of Operations (CONOPS)
• Other security-related technical documentation as directed by the Government.

The Contractor shall update the aforementioned processes, procedures, and other living documents as needed and create new work products to fill identified gaps. The Contractor shall review and provide guidance for documentation developed by the service and product teams ensuring that these work products are completed following NIST guidance, commercial best practices, and the applicable federal policies. The Contractor shall provide guidance to service and product teams for security information systems in accordance with CNSSI 1253, and NIST SP 800-30, 800-37, 800-39, 800-137. The Contractor shall review work products, including security artifacts to ensure that the target is secured/documented appropriately (i.e., in accordance with CISA and DRS-defined security requirements) and that the documentation reflects and properly addresses CISA and DHS security requirements. In addition, the Contractor shall support service and product teams with the selection and tailoring of security controls appropriate to the information system and the system's security objectives for confidentiality, integrity, and availability in accordance with NIST and CNSS guidance. The Contractor shall perform this iteratively throughout the system life cycle. The Government shall make the final determination as to the work product that is considered acceptable.
A scheme for storing and managing all documentation must be developed and/or maintained under this contract and, as appropriate, disseminated via mechanisms such as Microsoft SharePoint. The tools and methods selected to perform this function must be approved by the COR/GOV POC prior to implementation if different than the tools currently in use.

Additional activities include ML Security Operations, Offensive Security, risk assessments, consistent communication, and detailed technical documentation.

Responsibilities and Duties:

The SME Information Security Analyst is responsible for leading the RMF assessment, authorization, and monitoring steps for systems following NIST and ICD 503 standards and best practices.

Required skills:

• 10+ years of proven experience performing security controls.
• Experience in RMF assessment, authorization, and monitoring steps for systems following NIST and ICD 503 standards and best practices.
• Expert knowledge of Federal policies and practices related to cyber security.
• Possess excellent verbal and written communication skills.
• Have knowledge, skills, abilities, and experience with common assessment & authorization (A&A) application platforms (e.g. eMASS, CSAM, Xacta is preferred) for performing tasks.
• Strong architecture, network and infrastructure security, or next gen security expertise (agile/hybrid agile, cloud).
• The SME Information Security Analyst must have extensive experience working with various security methodologies and processes, compliance controls related to cloud security, performing assessments in cloud computing environment. CADS is currently hosted in the cloud. It is a multi-cloud offering containing AWS, Azure, and GCP services.
• Extensive experience providing analysis and trending of vulnerability data from a large number of heterogeneous devices.
• Must possess expert knowledge in risk and vulnerability management.
• Active clearance up to TS/SCI security clearance.

Preferred Qualifications and Skills:

• Agency experience (ideally DHS CISA).
• Cyber program experience.
• SAFe and DevSecOps experience.

Benefits

TestPros offers a competitive salary, medical/dental/vision insurance, life insurance, paid time off, paid holidays, 401(k) retirement plan with company match, opportunities for professional growth, cell phone discounts, and much more! All benefits are per TestPros current policies and are subject to change without notice. Benefits are available to full-time employees.

TestPros, Inc. is an Equal Opportunity Employer.

EEO Statement

All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, sexual orientation, gender identity, marital status, age, national origin, protected veteran status, or disability. VEVRAA Federal Contractor.