THIS IS A HYBRID REMOTE POSITION REQUIRING LIMITED TRAVEL
In its majority, work will be performed remotely from the employee's place of residence. Pre-planned travel to Oak Ridge, Tennessee, or Amarillo, Texas, for on-site interaction, support, and training will be required as needed (up to 15%).
Global Engineering and Technology (GET) is seeking qualified applicants for the position of Security Control Assessor (SCA) supporting information assurance and cybersecurity for sensitive national security sites. This is a highly compensated technical guidance position that is central to our mission's success.
The SCA conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).
THE SCA SHALL:
- Manage and approve Accreditation Packages
- Perform security reviews, identify gaps in security architecture, and develop a security risk management plan
- Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy
- Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change
- Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks
- Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials)
- Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network
- Verify and update security documentation reflecting the application/system security design features
- Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations
- Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers)
- Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risks
- Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
- Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals
- Assess the effectiveness of security controls
We provide exceptional benefits to our full-time employees (spouse/family coverage option also available at a company-subsidized rate).
- Medical plan options with United Health Care
- Long-/Short term Disability with MetLife
- 401(k) match with Principal Financial
All benefits are effective on day one of employment.
Global Engineering & Technology, Inc. is an equal opportunity employer and does not discriminate on the basis of race, sex, color, religion, age, national origin, marital status, disability, veteran status, genetic information, sexual orientation, gender identity, or any other reason prohibited by law in provision of employment opportunities and benefits.Requirements
This position requires a current DOD Top Secret or DOE Q security clearance.
Required knowledge (as demonstrated by technical expertise and certification):
- Computer networking concepts and protocols, and network security methodologies
- Risk management processes (e.g., methods for assessing and mitigating risk)
- Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
- Cybersecurity and privacy principles
- Cyber threats and vulnerabilities
- Authentication, authorization, and access control methods
- Database systems
- Security Assessment and Authorization process
- Risk Management Framework (RMF) requirements
- Information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption)
- Supply Chain Risk Management Practices (NIST SP 800-161)
- Personally Identifiable Information (PII) data security standards
- Application Security Risks
Required skills (as demonstrated by technical expertise and certification):
- Determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
- Discerning the protection needs (i.e., security controls) of information systems and networks
- Using virtual machines
- Skill in recognizing and categorizing types of vulnerabilities and associated attacks
- Applying security controls
- Managing test assets, test resources, and test personnel to ensure effective completion of test events
- Preparing Test & Evaluation reports
- Conducting reviews of systems
- Assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.)
- Identifying systemic security issues based on the analysis of vulnerability and configuration data
- Conducting vulnerability scans and recognize vulnerabilities in security systems
- Analyzing test data
- Collecting, verifying, and validating test data
- Translating data and test results into evaluative conclusions
- Ensuring security practices are followed throughout the acquisition process
- Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—to leverage analytical and technical expertise
- Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives