Location: Washington,DC, USA
We are seeking a Information Systems Specialist II (Mid) to support our Department of Transportation (DoT) customer in Washington, DC!Selected incumbent will support in the area of information system cybersecurity management ensuring security posture and compliance tasks, to include but not be limited, program and information system / application support ensuring security in all phases of system engineering process, supporting information system / application Risk Management Framework (RMF) task(s) in accordance with NIST Special Publication 800-37, addressing and documenting system requirements (controls). Support in contingency planning, incident handling, risk analysis and mitigation IT security and privacy baseline compliance, respond to and support security assessments (internal and self-conducted) and other audits requests, and develop and adhere to approved Information System Continuous Monitoring (ISCM) plans in accordance with supporting DOT policy, standards, and guidelines.Duties, Tasks and ResponsibilitiesProvide support to the continuous monitoring process, assessing and evaluating Information System (Hardware and Software) inventory to detect vulnerabilities, identifying critical and high weakness via insecure application development techniques, inherited controls from Common Control Provider including FedRAMP cloud service providers (CSP), networked enclaves, and provide remediation or corrective actions to improve the security posture.Provide support in tracking and ongoing evaluation of weakness, vulnerabilities in DOTs Continuous Diagnostic and Mitigation (CDM), other identified security tool suite or other detection reports, issued corrective action plans, re-mediatingaddressing issues affecting the security posture of applications information system infrastructure.Provide cybersecurity expertise to support cybersecurity in the Systems Development Life Cycle (SDLC) process, including supporting processing for requirements review in development phases (Agile, Spiral, DEVSECOPS or Waterfall model), annual Security Assessment and Authorization (SAandA), and Information System Continuous Monitoring (ISCM).Develop / update information systems data for Privacy Impact Assessments (PIAs), Privacy Threshold Analyses (PTAs), and System of Record Notices (SORNs). This includes interfacing/coordinating with the System Owner (SO) that originates/has responsibility for the document to ensure the PIA/PTA/SORN contains appropriate information to be approved/adjudicated by DOT Privacy Office for inclusion in System Authorization package.Assist the System Owner, Information Owner, Component Privacy Officer and Information System Security Manager (ISSM) in recording all known security weaknesses of assigned information systems in the Plans of Action and Milestones (POAandMs) in accordance with DOT policy, guides and procedures.Develop Draft Plan of Action and Milestones (POAandM) for observed control level deficiencies or gaps control implementation(s) in accordance with DOT policy, guides and procedures.Conduct quality assurance reviews of existing POAandMs to ensure completeness, accuracy and identified solutions are cost effective.Support the information system contingency planning process in accordance with NIST SP 800-34 Revision (Current), Guide to Test, Training and Exercise Programs for Information Technology Plans and Capabilities and ensure contingency plan test exercises results are documented in an after-action report, and Lessons Learned corrective actions are captured for updating information in the Information Systems Contingency Plan (ISCP).Required Experience, Education, Skills and TechnologiesWith Bachelor's degree in Information Systems or related field, at least 6 years experience requiredWithout Bachelor's degree, at least 10 years related experience requiredMinimum of 6 years information system and net ork security experience with an emphasis in Information Assurance3 years of experience with federal government customers creating and maintaining IT Authorization to Operate (ATO) packages for new systems and interfacing/coordinating with the System Owners (SO), Business Owners, System Maintainers, and DevelopersKeen understanding Federal Information Security Modernization Act 2014 (FISMA) and federal requirement for reporting.Keen understanding of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) in detail of all supporting steps and Cybersecurity Framework (CSF) and Privacy Act.Knowledge General Services Administration Federal Risk and Authorization Management Program (FedRAMP) including process for continuous monitoringAt least 3 years of experience:Assisting system owners with the mitigation/remediation process, following corrective action plans.Conducting weekly and monthly vulnerability and compliance scans of Linux, Windows, and virtual environments with vulnerability tools such as Nessus, Splunk, Invicti (formerly Netsparker), and BigFix.Performing vulnerability application and database security assessment, scanning and results interpretation.With enterprise security architecture methodologies, concepts, procedures, principles, and tools.Contingency planning and backup and recovery best practices and application of NIST guidance in this area.Ability to plan, execute and develop report for application, network (internal or external) vulnerability analysis and provides technical recommendations to maintain and improve mission functionality.Using security control and privacy control findings and status from assessment to develop POAandM for controls that should be put in place to re-mediatevulnerabilities.Preferred Experience, Education, Skills and TechnologiesExperience developing privacy documentation such as PTAs, PCMs, and PIAsExperience with security analysis of security controls for systems in the cloudUnderstanding of Identity, Credential and Access Management (ICAM) implementationITILv3Certified of Cloud Security Knowledge (CCSK), Azure Certified or other Cloud CertificationInformation Systems Security Professional (CISSP) or similarCertified Data Privacy Solution Engineer (CSDPE)Certified in Risk and Information Systems Control (CRISC) or CompTIA Advanced Security Practitioner Study (CASP)Security Clearance LevelPublic TrustCertificationMinimum of CompTIA Security plus required within 6 months of hire if not in possession of one of the preferred certifications.Work ScheduleFull-time, Hybrid Remote 50%Benefits OfferedMedical, Dental, Vision, Life Insurance, Short-Term Disability, Long-Term Disability, 401(k) match, Tuition/Training Assistance, Parental Leave, Paid Time Off, and Holidays.Criterion Systems, LLC and its subsidiaries are committed to equal employment opportunity and non-discrimination at all levels of our organization.We believe in treating all applicants and employees fairly and make employment decisions without regard to any individuals protected status: race, ethnicity, color, national origin, ancestry, religion, creed, sex/gender, gender identity/gender expression, sexual orientation, physical and mental disability, marital/parental status, pregnancy (including childbirth, lactation, and related medical conditions), age, gen