SECURITY ASSESSOR, SR.
MILITARY FRIENDLY & PREFERRED - HOH SPONSOR

Zermount Inc. is seeking a Senior Security Assessor who plays a critical role in evaluating and providing recommendations to enhance the security posture of the organization. The Security Assessor will identify and provide solutions to mitigate potential risks, ensure compliance, and establish a robust security framework to protect sensitive information, systems, and assets. The Security Assessor is responsible for evaluating and assessing the security measures and practices of the organization. They will be required to identify vulnerabilities, potential risks, and weaknesses in the organization's security infrastructure, systems, and procedures, and to provide recommendations and solutions to enhance security and mitigate potential threats. The extent of the Security Assessments will include Security Control Assessments (SCAs), Risk Assessment (RA) and analysis, evaluations of compliance with required configurations, vulnerability assessments, examination of documentation, manual testing, and verification and validation of the implementation of security principles.

Duties & Responsibilities:

The Senior Security Assessor will provide the following support and services:

Support the client by serving as a Security Assessor responsible for conducting the testing, verification, and validation of the proper implementation of security controls for IT systems.
Follow and apply the Zermount five-phased Security Control Assessment Process to:
Serve as the Security Assessor for system Security Authorization (SA) / ATOs, annual assessments, Ongoing Authorization (OA) assessments, and risk assessments for changes to the systems.
Utilize structured mini teams to complete SA and Risk Assessment (RA) activities.
Assess all applicable security controls defined in the mandated Agency Compliance Tool and applicable to the systems under their purview.
Conduct assessment and analysis of the system's FIPS-199, Privacy Threshold Analysis (PTA), E-Authorizations, Contingency Plans (CPs), Contingency Plan Tests (CPTs), Security Plans (SPs), and 800-53A test cases.
Assemble the SA Package in accordance with the Agency and Organization's SOP and requirements, to include Security Assessment Plans (SAP); Security Assessment Reports (SAR); SAR Briefing; drafting the CISO Recommendation Memo and AO ATO Letters; and developing finding matrices.
Conduct RA and develop RA Memos.
Ensure objective, fact-based results (findings) are documented completely and accurately in the mandated Agency Compliance Tool at the operating system, application, and database levels.
Gather evidence for ATO efforts and store results (findings) in the mandated Agency Compliance Tool and/or in a separate GRC repository.
Review Requests for Change (RFC) or upgrades and provide impact assessments on potential major or minor cybersecurity changes and overall cybersecurity impacts.
Utilize the IT tool for tracking changes.
Analyze and document:
All change requests (CRs) submitted to the TSA Change Request Board for new systems;
Assist in the assessment of the scope and extent to which such changes support Zero Trust mandates; and
Assist in the assessment of Zero Trust (ZT) architectural and configuration changes made by the Organization O&M team(s).
Conduct vulnerability assessments, and analyze results from ATO assessments, penetration tests, or ad hoc risk assessments produced by the following set of tools, including but not limited to Tenable, AppDetective, WebInspect, AppScan, and Nipper, and create Findings / POA&M Matrices from the results.
Conduct Audit of Privileged Accounts (APA) as part of ATO activities and annually review ISSO Privileged Account Audits.
Execute responsibilities as outlined in the SA and OA Standard Operating Procedures and assist in the review of these and other SOP-related processes for updates.
Conduct gap analysis of existing RMF processes and procedures and execute the direction of the Program Manager or GRC SME.
Assist in conducting ZT reviews and assessments of all existing cybersecurity and IT capabilities for all the organization's systems and the Enterprise. This includes conducting ZT readiness assessments.
ZT assessment includes assessment criteria for ZT readiness. Prepare a Readiness Assessment Report and any mitigations or recommendations. Conduct a gap analysis and identify gaps in existing capabilities' compliance with RMF mandates.
Incorporate approved changes into the Organization's roadmap established with the CIO ZT Plan, IMS, and other applicable documentation.
Evaluate emerging technologies being considered by the Organization and conduct an analysis of alternatives (AoA) to determine compliance with federal mandates and requirements.
Support assessments of plans, designs, technical concepts, implementation approaches, standards compliance, business and technical tradeoffs, and risk analyses.
Review existing network infrastructure and coordinate with other stakeholders and contractors to perform a network assessment that includes, but is not limited to, reviewing existing circuits, connection types, bandwidth, types of traffic, and routing protocols.
Conduct TIC 3.0 compliance assessments to determine compliance and gaps, and develop solutions to mitigate weaknesses and recommendations to meet compliance.
Perform complex risk analyses, which also include risk assessment to identify compliance with federal requirements (e.g., EO 14028, OMB M-22-09, M-21-31, A-130, NIST SP 800-37, 800-53, FIPS 199, and FIPS 200, etc.) and security requirements based upon the analysis of people, processes, and technologies.
Perform assessment / analysis of designs, architectures, configurations, and implementation of ZT principles and security capabilities.
Research major obstacles related to the ever-changing DHS FISMA requirements, which customers will need to overcome on a weekly, monthly, and yearly basis.
In view of the remote nature of the contract, an individual Weekly Status Report and Weekly Status Report Briefing are required deliverables for tasks assigned.
The resources must have the ability to effectively develop weekly status reports that are consistent, well structured, answer all the assigned management template guidelines, are in alignment with the task area of support, and are relevant to the reporting period.
Must ensure deliverables meet a level of accuracy that does not require "return for correction" for typographical and grammatical errors. (Repetitive requests for correction by the management or Government team may result in a determination of failing to meet the basic standards for professional writing, reporting, accuracy, quality, and completeness of the contractual requirements for deliverables.)
Must have the ability to prepare, present, brief, and explain all information captured in the weekly status report to management and/or the government client.
Provide assistance and support to other team members as required by the Program Manager.

Qualifications:

5 years minimum of IT Cybersecurity experience, including direct support of the US government, and 4 years acting as an ISSO, assessor, or compliance analyst. 7 years is required if the candidate does not have a Bachelor's Degree.
Experience and knowledge of Executive Orders (EOs), Office of Management and Budget (OMB) Memorandums, Federal, DoD and CISA Technical Reference Architectures, Maturity Models, NIST guidance, FISMA, Cloud, and Risk Management Framework (RMF).
Knowledge / experience using cybersecurity and analysis tools such as Archer, Tenable, Splunk, etc.
Understanding of zero trust principles is beneficial but not required.
Proficient in risk assessment methodologies and security architecture frameworks.
Experience with cloud-based environments and technologies is preferred.
Knowledge of common cybersecurity threats, risks, and vulnerabilities and how to mitigate them.
Excellent communication skills, with the ability to explain complex concepts in a clear, concise manner.
Technical knowledge of IT systems and implementation of security controls.
Strong problem-solving skills and a proactive attitude towards identifying potential issues and implementing solutions.
Must be able to conduct system analysis to detect issues with performance.
Well versed in developing and implementing IT solutions to resolve technical challenges.
Ability to work independently and as part of a team.

Education:

Minimum of a Bachelor of Science (or higher) in one of the following: computer engineering, computer science, IT, cyber security, or a related field.
Relevant years of experience may be used in substitution for situations where the candidate does not have a Bachelor's degree in the required field.

Certifications:

A minimum of at least one of the following certifications is required: Certified Authorization Professional (CAP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO).

Clearance level:

Minimum of an active Secret Clearance.

Work Location:

Remote

Hours of Operation:

Business Hours: 8:00 am EST - 4:30 pm EST.