Employer: Castalia Systems LLC
Location: Springfield, VA 22150
Job Description
Candidates will perform security controls assessments that are an integral part of the Assessments and Authorizations process. The contractor shall perform A&A scanning, comprehensive assessment testing, penetration testing, documentation, reporting and analysis requirements. This includes performing dedicated functions for all the Government Customer's missions involved with Assessments and Authorizations or compliance with applicable National Intelligence Community or Department of Defense information system security guidance.
Tasks Include:
o Perform comprehensive security assessments of identified and applied security controls. Provide summaries of initial assessments in Security Assessment Reports (SAR) that address the technical evaluation and results of assessment, identify weaknesses or deficiencies, and recommend corrective actions for risk mitigation.
o Perform operating system, network, and application STIG reviews and assess the degree to which a system complies with the applicable STIGs.
o Perform host and network based security control assessments, determine residual security risks, prepare assessment test reports, prepare and assess test plans, and provide formal recommendations in support of authorization.
o Perform mobile device and mobile application security reviews and document results of such reviews.
o Provide support to OCIO at internal/external meetings, conferences, and technical exchange meetings, and working groups for all activities with regard to information security and risk management.
o Provide testing support for evaluations and shall provide specific test plans and testing services tailored to security controls of the systems being tested. The tester will use the Government Customer's accepted tools and techniques, including but not limited to manual testing, web assessment software, vulnerability scanning, pen testing tools, and in house scripts as approved by the Government Customer. Tests may be conducted either remotely or locally on the systems to ensure compliance and to identify security vulnerabilities, risks, threats and gaps.
o Review and analyze the findings that identify security issues on the system. The contractor shall compile results and findings into a final Security Assessment Report, along with assessments and recommendations for remediation. The final report shall provide analysis for the DAO, Information System Security Engineer (ISSE), and PM for compliance with security controls, remediation, and informational purposes. The report shall comprehensively encompass both technical and non-technical findings, assessments, and recommendations.
o Conduct testing and scanning via the Government Customer's accepted techniques and scanning tools, including manual testing (software and hardware), performed either remotely or locally on the systems to evaluate compliance and to identify security vulnerabilities, threats, risks, and gaps. The contractor shall review and analyze the findings that identify security issues on the system. The final report shall provide analysis for the DAO and PM for remediation and informational purposes. The report shall comprehensively encompass both technical and non-technical security compliance results.
o Review security plans, test the documented systems in accordance with applicable policies and guidelines, and document the results of the testing; recommend either approval or denial of authorization, with rationale supporting the recommendation.
o Assist with providing detailed test plans and conducting security testing of security controls specific to security boundaries, including Cross Domain Solutions (CDS).
o Provide on-site and/or remote testing in support of FISMA through manual testing, vulnerability scans and penetration testing at industry and Government Customer hosted sites, both CONUS and OCONUS. Travel will be authorized and coordinated by the Government on a trip-by-trip basis.
o Augment cyber penetration testing activities in the planning, execution, tracking, and reporting of Blue/Red Team Assessments consisting of identifying and exploiting vulnerabilities on the Government Customer's systems.
o Coordinate and conduct Blue Team assessments to identify vulnerabilities and correct weaknesses in the Government Customer's networks. The Blue Team will work cooperatively with Key Components (KCs) to provide notification and make recommendations to mitigate those vulnerabilities and assist in corrective actions.
Education:
Master's degree or equivalent experience in Computer Science, Computer Engineering, Electrical Engineering, or Management Information Systems with emphasis in Information Technology/Information Assurance
Certifications:
CISSP, CISM, CASP, CISA or GSLC certification (CISSP preferred)
Clearance Required: TS/SCI
Location: Springfield, VA; St Louis, MO; Denver, CO