CACI has an opening for a Security Control Assessor (SCA) to support a Government client. The candidate will provide support in security control assessment and continuous monitoring of the organization's information systems following ICD 503 standards and best practices. The candidate will provide various levels of Information assurance by developing test plans and assessing or auditing information system security controls by applying best practices of NIST 800-37, 800-53, 800-53A, and CNSS 1253 guidance. The individual will conduct vulnerability scanning of information systems using government accepted scanning tools to ensure compliance and to identify security weaknesses and vulnerabilities. The individual will review and analyze scanning results and provide recommendations concerning vulnerability mitigation efforts.
- P rovide technical services for installation, operation, maintenance and authorization of hardware and software required for vulnerability scanning capabilities.
- Review system security body of evidence documentation for accuracy and completeness.
- Support development of Plan of Action and Milestones (POA&M) containing corrective actions required for unacceptable system and enterprise level risks.
- Provide support to configuration management and control processes to integrate security and risk management.
- Scan for network security compliance in accordance with DISA STIGs.
- Conduct security impact analyses of security controls based on proposed system changes.
- Support the preparation of security test plans, execute and assess the security control effectiveness using security control test procedures, and create Security Assessment Reports (SAR) based on assessment findings.
- Support vulnerability scanning activities for external audits (i.e. FISMA and CCRI).
- Develop tools and methodologies for tracking and reporting on identified information system vulnerabilities.
The clearance level required is dependent on the type of clearance supported by our client.
- Must have a current certification compliant with DoD 8570 IAM or IAT level 3. OR must provide demonstrable progress to achieve a DoD 8570 compliant certification within 90 days of hire and maintain certification throughout employment.
- Typically requires bachelor's degree or equivalent and ten to twelve years of related experience.
- Experience with ICD 503 and working knowledge of Risk Management Frame work as outlined in NIST SP 800-37.
- Working knowledge of information system security controls and how to assess their effectiveness per NIST SP 800-53 and NIST SP 800-53A.
- Knowledgeable in continuous monitoring processes as outlined in NIST SP 800-137 appropriate for systems, leveraging existing tools, efforts, and incorporating new automation techniques.
- Knowledgeable in information system vulnerability analysis and management.
- Must have a thorough knowledge of IT including but not limited to network sub netting.
- Experienced in system testing methodologies that include:
- Penetration testing
- Configuration analysis
- Security best practices validation
- Experienced in security testing and penetration tools that include:
- Backtrack 5
- Assured Compliance Assessment Solution (ACAS)
- HP Fortify Web Inspect
- Network Discovery & Visual Analytics experience (i.e., IP Sonar, etc.)
Red / Blue team assessment experience
- Knowledgeable in cyber Incident handling.
- Experienced in using the XACTA application.
- Proficient in the use of Microsoft Application tools (i.e. Excel and Powerpoint).
- Experience within the Intelligence Community.
EDUCATION & EXPERIENCE:
Typically requires a bachelor's degree or equivalent and 10 to 12 years related experience. Master's degree or doctorate in field mathematics, telecommunications, electrical engineering, computer engineering, or computer science is preferred.
Normal demands associated with an office environment. Ability to work on computer for long periods, and communicate with individuals by telephone, email and face to face. Some travel may be required.