NuCrest is seeking a Senior Primary Assessor to be a part of a larger integrated project team for a Federal customer in Arlington, VA. Must possess: an Active Secret Security Clearance and a Bachelor's degree with 15+ years of experience (or Master's degree with 5+ years of experience). Must have the ability to obtain one of the following within 6 months: CAP, CASP, CISM, CISSP (or Associate), GSLC, CISA, CEH
* Assist in developing a Security Control Assessment (SCA) strategy for the organization; to include an overall assessment process flow or swim-lane diagram which documents the steps required to conduct assessment activities and interact with all necessary parties.
* Integrate SCA functions with overall continuous monitoring and Continuous Diagnostic and Mitigation (CDM)
* Serve as a lead assessor and assign tasks to the security assessment team; develop associated schedules and resource plans to complete the assessments.
* Identify and document the appropriate security assessment level of effort and project management information to include tasks, reviews (including compliance reviews), resources, due dates, and milestones for the system being tested
* Develop, document and review System Rules of Engagement (ROE), Security Assessment Plans (SAPs) and Security Assessment Reports (SARs).
* Work closely with ISSOs (contractors and Government) and the technical team and ensure all appropriate A&A supporting documentation is provided prior to conducting the assessment.
* Review and provide feedback on system boundaries, common controls, the security categorization of information systems, and the applicable security control baseline based on system categorization.
* Conduct Security Assessment Kickoff briefings and SAR briefings.
* Review cyber/system/network security body of evidence and documentation for accuracy and completeness.
* Conduct security controls assessment of applicable security controls and privacy controls; assess implemented security controls and provide assurance that they are operating as intended
* Analyze security control findings for information systems and applications to convey weaknesses
* Document security assessment results accurately; read, understand, and convey vulnerabilities found during the assessments
* Create security assessment results and document recommendations in a SAR for remediations and security control measures
* Perform audits of each system and provide an authorization recommendation based on determination of risk to the customer
* Audits will include unprivileged and privileged scans against each applicable system.
* Audits will include unprivileged and privileged database scans against each applicable database management system (DBMS).
* Perform quality control on the assessment and associated deliverables
* Conduct Post Assessment Meetings with the customer
* Provide Plan of Action and Milestones (POA&M) support to ensure mitigations are completed, or that the teams are working to mitigate all vulnerabilities, in a timely fashion and within customer policy timelines.
* Develop and maintain a schedule for conducting recurring Continuous Monitoring and ongoing CDM efforts once the initial assessments are complete.
* Perform continuous monitoring to ensure implemented security controls remain functional throughout the lifecycle of the information system.
* 15 years' experience in security programs (Master's degree substitutes for 5 years)
* Extensive experience with developing and documenting the ROEs, SAPs, and SARs
* Extensive experience and expert knowledge of the NIST Cybersecurity Framework, Risk Management Framework, FIPS, and other NIST A&A publications
* Extensive experience utilizing NIST 800-53 and 800-53A
* Strong experience assessing and providing recommendations on the following: Privacy Impact Assessment, Risk Assessment, System Security Plan, Disaster Recovery / Contingency Plan, and Incident Response Plan
* Strong knowledge of the Systems Development Life Cycle (SDLC) and its application in the development of technology solutions.
* Expert knowledge and skills to perform and document the assessment
* Significant experience with tools such as Nessus, WebInspect, DbProtect and Splunk
* Strong technical background with Windows, Unix, legacy systems, databases, web servers/applications, cloud and virtualization environments
* Familiar with the cloud environments (services/security) and FedRAMP A&A process
* Strong project management, time management, and work sequencing skills
* Effective verbal and written communication skills, with the ability to communicate effectively with users and teammates at all levels
* Effective technical writing and documentation processing skills
* Bachelor's degree with 15+ years of experience (or Master's degree with 5+ years of experience)
* Ability to obtain one of the following within 6 months: CAP, CASP, CISM, CISSP (or Associate), GSLC, CISA, CEH
* Active Secret Clearance required
Work Core Hours:
* Eight-hour workday during the workweek: 8:00 am to 5:00 pm ET, Monday through Friday
NuCrest, LLC is a minority-owned Service-Disabled Veteran-Owned Small Business (SDVOSB)/Small-Disadvantaged Business (SDB) based in Anne Arundel County, Maryland, that focuses on delivering a diverse portfolio of security-focused IT Enterprise Services and Solutions to support the critical missions of Federal and Civic clients. We deliver our services across multiple enterprise platforms, data networks, and cloud environments.
At NuCrest we support our Veterans and encourage all to apply!
NuCrest provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.