Cybersecurity Engineer - Military veterans preferred

Description

SAIC is seeking a cyber security engineer for the Cloud One program under the Air Force Lifecycle Management Center Office for Network Integration (AFLCMC/HNI). The Cloud One Common Computing Environment is an existing global, interconnected, virtualized, hybrid, and IT infrastructure hosting mission systems, applications, services, and data that will serve the U.S. Air Force (USAF) and U.S. Army (USA). Cloud One incorporates the capabilities of commercial cloud and Managed Service Providers (MSP) residing in Cloud Service Providers (CSPs). Cloud One facilitates the USAF and USA’s efforts to migrate applications to a cloud environment, allowing the closure of data centers to support the Data Center Optimization Initiative (DCOI) and allowing for increased efficiencies across the entire spectrum of the USAF and USA's IT operations. The candidate for this position may work anywhere in the United States. There is no requirement to work at a SAIC or customer site to support Cloud One.

The candidate for this position:

• Designs, tests, and implements secure operating systems, networks, security monitoring, tuning and management of IT security systems and applications, incident response, digital forensics, loss prevention, and eDiscovery actions. Conducts risk and vulnerability assessment at the network, system and application level. Conducts threat modeling exercises. Develops and implements security controls and formulates operational risk mitigations along with assisting in security awareness programs. Involved in a wide range of security issues including architectures, firewalls, electronic data traffic, and network access. Researches, evaluates and recommends new security tools, techniques, and technologies and introduces them to the enterprise in alignment with IT security strategy. Utilizes COTS/GOTS and custom tools and processes/procedures in order to scan, identify, contain, mitigate and remediate vulnerabilities, and intrusions.  Assists in the implementation of the required government policy (i.e., NISPOM, DCID 6/3), and makes recommendations on process tailoring. Performs analyses to validate established security requirements and to recommend additional security requirements and safeguards. Supports the formal Security Test and Evaluation (ST&E) required by each government accrediting authority through pre-test preparations, participation in the tests, analysis of the results, and preparation of required reports. Periodically conducts a review of each system's audits and monitors corrective actions until all actions are closed.  May support cyber metrics development, maintenance and reporting. May provide briefings to senior staff. Utilizes COTS/GOTS and custom tools and processes/procedures in order to scan, identify, contain, mitigate and remediate vulnerabilities, and intrusions.  Assists in the implementation of the required government policy (i.e., NISPOM, DCID 6/3), and makes recommendations on process tailoring. Performs analyses to validate established security requirements and to recommend additional security requirements and safeguards. Supports the formal Security Test and Evaluation (ST&E) required by each government accrediting authority through pre-test preparations, participation in the tests, analysis of the results, and preparation of required reports. Periodically conducts a review of each system's audits and monitors corrective actions until all actions are closed.  May support cyber metrics development, maintenance and reporting. May provide briefings to senior staff. 

• Problem Complexity: Provides technical solutions to a wide range of difficult problems where analysis of data requires evaluation of identifiable factors.  Solutions are imaginative, thorough, practicable and consistent with organization objectives. 

• Impact: Contributes to completion of specific programs and projects.  Failure to obtain results or erroneous decisions or recommendations would typically result in serious program delays and considerable expenditure of resources.

• Liaison: Frequent inter-organizational and outside customer contacts.  Represents organization in providing solutions to difficult technical issues associated with specific projects.

Specific duties include: 

• Assist in the completion of eMASS tasks for coordination through all applicable parties.
• Developed security artifacts IAW AFI 17-101 & Army Regulation 25-2
• Perform on-going RMF Step 2 through Step 6 to maintain the customer ATO packages in eMASS.
• Support reviews and analysis of system changes to determine any security impacts.
• Assist in assessing the data Impact Level (IL) of migrating applications in accordance with the DoD Cloud Computing Security Requirements Guide (SRG).
• Analyze and recommended risk mitigations for identified vulnerabilities and weaknesses.
• Support the documenting of the inheritable environment controls required to meet security standards as described in the RMF for an A&A package.
• Support security assessments and the resolution of concerns/issues identified by assessment team(s) including security reviews, test, and exercises.
• Develop, deliver and execute a contractor Security Assessment Plan (SAP)
• Record actual results of the Security Control Assessment in the Security Assessment Report (SAR) and Plan of Action and Milestones (POA&M)
• Conduct security testing and continuous vulnerability monitoring to include delivering a continuous monitoring plan and vulnerability management reports.
• Working with the CSSP to ensure applications are properly configured for auditing/monitoring
• Ensure DoD Public Key Infrastructure (PKI) is enabled/implemented where appropriate according to policy.
• Ability to provide timely remediation recommendations for audit findings
• Ability to support POA&M reviews and recommendations
• Ability to collect and deliver the application ISSM identified Assess-Only security artifacts as defined by eMASS to include: Categorization and Selection Checklist; HW List; SW List; Identification of applicable STIGs; POA&M List; Signed Security Assessment Report; Scan results; Security configuration testing; Port, Protocols, and Services worksheet; Topology/System Authorization Boundary; CMP/CCB; and applicable SLA/MOU/A.
• Ability to support the updates to Risk Management Framework Artifacts
• Ability to update both the USAF and USA instances of EMASS in tandem.

• Ability to create System Security Plan (SSP) templates that provides a common approved language for documenting common inherited security features.  

  
  

Qualifications

• Bachelors and five (5) years or more of related experience; Masters and three (3) years or more related experience; PhD and 0 years experience. In lieu of a degree an additional four (4) years of experience is required (or add statement about certifications in lieu of degree).

• A secret security clearance is required.

• Minimum Information Assurance Technical (IAT) Level II certified IAW DoD 8570.01M

• Compliant with DoD and USAF training requirements in DoDD 8570.01, DoD 8570.01-M, and AFMAN 17-1303.

• Knowledge of DoD Policies and procedures including DoD 8500.01 and DoD 8510.01.

• Experience with Risk Management Framework (RMF) and updating of security artifacts

• Experience with compliance verification methods including DISA STIG, SRGs, and best practices

• Experience with DevSecOps

• Knowledge of the DoD suite of security tools including ACAS, HBSS, and eMASS.

• Knowledge of cloud environments provided by AWS and Azure

• Working knowledge of Microsoft Office Suite including Microsoft Visio

Desired Qualifications

• Knowledge of DESMF
• CISSP certification preferred

• Experience with Agile, Scrum, SAFe or other modern software development methods/practices

• Experience supporting USAF or USA software development projects

• Experience supporting software migration efforts