This position supports the Assessment and Authorization (A&A) cybersecurity efforts for NIWC PAC code 82000 to support the Research, Development, Test & Evaluation (RDT&E) network. The Cybersecurity Analyst II will serve as a Risk Management Framework (RMF) Subject Matter Expert (SME) for all network security architectures, designs, implementations, and operations within 3 NIWC Pacific RDT&E systems, networks, and applications. Additionally, he/she will provide engineering and technical support for the testing of systems, software, tools, and products while identifying operational and functional requirements of new, developing, and existing systems and developing a system security approach, which includes but is not limited to defining potential threats, vulnerabilities, safeguards, and risk factors.
Roles and associated responsibilities
1. Provide practice of Cloud Computing Security Requirements Guide (SRG) and cloud computing industry best practices; and utilize these tools to assist in the evaluation, research and development of IT cloud security risk assessments, security tools, and implementation plans.
2. Analyze / implement enterprise architecture/design, cloud migration plans, generating auditing reports, performance, interoperability, and functionality.
3. Work with all layers of the technology stack (network routing and switching, firewalls, Virtual Private Networks (VPNs), load balancers, network and server virtualization, server operating systems, large storage systems, data-exchange interfaces, databases, middleware, web services, and enterprise management tools used to administer all such capabilities).
4. Evaluate risks associated with extending the network boundaries and data migration to a cloud environment.
5. Work on instances and software lists for AWS GovCloud in the West region under Availability Zone A.
6. Utilize the testing and analysis of IA controls and secure configuration using the Assured Compliance Assessment Solution (ACAS).
7. Monitor software compliance in the DoN Application and Database Management System (DADMS).
8. Policy development and enforcement.
9. Assess information security risks to new projects and non-standard IT requests using risk assessment methodologies.
10. Provide experience of NIST SP 800-53, RMF implementation and provide recommendations in accordance with NIST FIPS 199.
11. Provide a system security approach, which includes defining potential threats, vulnerabilities, safeguards, and risk factors.
12. Develop A&A documentation to include system security plans, system categorization forms, contingency plans, configuration management plans, support and sustainability plans.
13. Utilize eMASS and the process for entering all system packages, artifacts, and supporting documentation.
14. Analyze system configurations per DISA STIG using STIG Viewer, SCC, and OpenSCAP.
15. Create network architecture and data-flow diagrams.
16. Must be able to verify both technical and non-technical findings, propose actions to address the findings, develop a tracking process inclusive of performance metrics, and prepare responses or reports demonstrating that the findings have been addressed in the Plans of Action and Milestones (POA&M).
17. Provide continuous monitoring efforts of Programs of Record (PORs).
18. Verify accreditation boundary information for POR and the networked systems including accreditation boundary, hardware and software lists, and other Authority to Connect (ATC)-related information.
19. Support the ISSO and ISSM.
Key Skills, Knowledge and Abilities
· Must have high level of understanding of various virtual and cloud services (AWS or Google services)
· Must have experience developing Security Policies/Standard Operating Procedures (SOPs)/Other Documentation.
· Must be able to provide analysis of Directives, Policies, Instructions (CTOs, FRAG/TASK/OPORDs, IAVM, PKI Guidance), Impact on RDT&E Network/VRAM
· Demonstrate experience and processes for reviewing security control implementation down to the Control Correlation Identifier (CCI) level for compliance and provide appropriate guidance to customers developing valid mitigation/remediation statements.
1. Bachelor's Degree in (STEM), or an Information Technology (IT) related field AND five (5) years of relevant work experience, OR Associate's Degree in an Information Technology (IT) related field AND eight (8) years of relevant work experience, OR High School Diploma or equivalent AND ten (10) years of relevant work experience.
2. Commercial certification meeting or exceeding DoD 8570.01M requirements for IAM-3 (CISSP or CISM)
3. Four (4) years of demonstrated experience in Risk Management Framework (RMF)
4. Must have high level of understanding of various virtual and cloud services (AWS or Google services)
5. Must have experience developing Security Policies/Standard Operating Procedures (SOPs)/Other Documentation.
6. Must be able to provide analysis of Directives, Policies, Instructions (CTOs, FRAG/TASK/OPORDs, IAVM, PKI Guidance), Impact on RDT&E Network/VRAM
7. Demonstrate experience and processes for reviewing security control implementation down to the Control Correlation Identifier (CCI) level for compliance and provide appropriate guidance to customers developing valid mitigation/remediation statements.