Security Control Assessor

Senior
Bethesda, 🇺🇸 United States

Title: Security Control Assessor, Senior

Location: On-site Bethesda, MD

Job Type: Full-time (40 hours per week) with benefits.

Availability: Immediate.

Security Clearance: TS/SCI with CI or FS Polygraph.

Job Description

Bachelor’s degree in Computer Engineering, Computer Science, Electrical Engineering, Information Systems, Information Technology, Cybersecurity, or a closely related discipline.

· Four years of additional demonstrated work experience in Security Control Assessor (SCA) and Defensive Cyber Operations (DCO) testing will be accepted in lieu of a bachelor’s degree.

· A master’s degree in an applicable discipline may be substituted for three years of demonstrated work experience.

· Three (3) years of cybersecurity experience with at least one year of experience conducting SCAs under ICD 503/CNSSI 1253, NIST Cybersecurity Framework, Risk Management Framework (RMF), or a similar framework.

· One full year of SCA experience within the last three calendar years.

· One full year supporting a cloud environment and experience performing security assessments in a cloud environment (AWS, Google, IBM, Azure, and Oracle).

· Must meet the Department of Defense (DoD) 8570.01-M baseline certification requirement for Information Assurance Technical (IAT) Level III: CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH, or CCSP.

· Knowledge of Independent Verification & Validation (IV&V) of security controls.

· Knowledge of general attack strategies (e.g., MITRE ATT&CK Framework).

· Knowledge of NISPOM, ICD 503, NIST SP 800-53, ICD 705, and other ICDs as appropriate.

· Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems (e.g., cloud environments: AWS, Google, IBM, Azure, and Oracle).

· Expertise in conducting risk-based assessments within Operational Technology (OT) systems including the identification of potential threats, vulnerabilities, regulatory compliance, documentation/reporting, and impacts on critical operations.

· Deep understanding of various Operational Technology (OT) systems, architectures, and components, and of security assessment tools/resources such as MITRE ATT&CK for Industrial Control Systems and the National Vulnerability Database (NVD).

Other Requirements:

· Make recommendations to the IC CISO or designee for improving TTPs for better cyber threat protection.

· Knowledge of system and application security threats and vulnerabilities.

· Knowledge of network access, identity, and access management (e.g., public key infrastructure (PKI)).

· Knowledge of network protocols such as Transmission Control Protocol/Internet Protocol (TCP/IP), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services.

· Ability to assess the robustness of security systems and designs.

· Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

· Three years of experience performing security assessments in a cloud computing environment.

· Strong writing skills.

· Write final reports and defend all findings, including risk or vulnerability, mitigation strategies, and references.

· Report vulnerabilities identified during security assessments.

· Write penetration testing Rules of Engagement (ROE), Test Plans, and Standard Operating Procedures (SOPs).

· Conduct security reviews and technical research, and provide reporting to increase security defense mechanisms.

Travel: Domestic and international travel, 0-25%.

Benefits

  • Medical
  • Dental
  • 401K

 


Hummingbirds Innovations, LLC

Consulting
Large Enterprise


HummingBirds Consulting LLC, DBA HummingBirds Innovation, is a premier IT services company specializing in IT services.

🏭Information Technology & Services
🎂2013