Remote or Hybrid allowed
Qualifications
At least five years of experience performing the functions associated with this labor category.
Experience performing control assessments as part of a team in accordance with applicable NIST standards (NIST 800-53, Rev 5, or newer version, as applicable).
Experience preparing control assessment plans, executing technical and non-technical assessment actions, evaluating the risk associated with areas of deficiency, and documenting detailed findings and executive-level summaries of assessment results.
Experience briefing stakeholders on key findings, recommendations, risks, and impacts.
Experience providing direct support of information security compliance activities, including managing plans of actions and milestones (POA&Ms) and inventories of information systems.
Capabilities
The Client Assessment and Authorization (A&A) program operates in alignment with the NIST Risk Management Framework (RMF) as outlined in the current release of NIST SP 800-37. The objective of the Control Assessment task is to provide security subject matter expertise to develop A&A methodologies, maintain accurate assessment schedules, and conduct control assessment activities for newly developed or acquired information systems, as well as for systems and common controls in ongoing authorization.
Assessment Methodology
Develop a methodology for conducting control assessments for software-as-a-service (SaaS) solutions operated by a vendor on behalf of the Client that have not received FedRAMP authorization, and for assessing external organizations and systems that process, store, or transmit Client information.
Align those assessment methodologies with principles set forth in FISMA, OMB, and NIST standards and publications, and consider efficient and cost-effective means of assessment to allow Client senior leaders and stakeholders to make risk-based authorization decisions.
Planning and Scheduling
Develop and maintain a Master Assessment Schedule that tracks new information systems that require full control assessments and existing information systems and common controls under ongoing authorization that are in the continuous monitoring phase of the RMF.
Develop the Master Assessment Schedule such that it adjusts estimated completion dates in real time to account for unplanned assessments, changes in prioritization, delays, or changes in resource availability. Enable Client security staff to provide stakeholders with estimated completion dates for all scheduled A&As at any given time.
Control Tailoring and Overlays
Review and update Control Overlays that define and justify the applicable security and privacy controls for information systems with common characteristics, such as internally developed web applications, FedRAMP authorized SaaS solutions, etc.
Control Assessment Plans
Based on the receipt and review of artifacts provided by system owners or support staff, which may include, but are not limited to, FIPS-199 Categorization Memos, System Security and Privacy Plans (SSPP), Contingency Plans, etc., develop control assessment plans (CAPs) for each system, service, or common control provider to be assessed. Each plan includes, at minimum:
The assessment methodology to be followed.
Certification
Certified Information Systems Security Professional (CISSP)
Certified Analytics Professional (CAP) Preferred
VIVA is an equal opportunity employer. All qualified applicants have an equal opportunity for placement, and all employees have an equal opportunity to develop on the job. This means that VIVA will not discriminate against any employee or qualified applicant on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or protected veteran status.