You will perform security controls assessments that are an integral part of the Assessments and Authorizations process. You will perform A&A scanning, comprehensive assessment testing, penetration testing, documentation, reporting and analysis requirements. This includes performing dedicated functions for all NGA missions involved with Assessments and Authorizations or compliance with applicable National Intelligence Community or Department of Defense information system security guidance.
More About the Role:
Perform comprehensive security assessments of identified and applied security controls. Provide summaries of initial assessments in Security Assessment Reports (SAR) that address the technical evaluation and results of assessment, identify weaknesses or deficiencies, and recommend corrective actions for risk mitigation.
Perform operating system, network, and application security STIG reviews and assess the degree to which a system is compliant with them.
Perform host and network based security control assessments, determine residual security risks, prepare assessment test reports, prepare and assess test plans, and provide formal recommendations in support of authorization.
Perform mobile device and mobile application security reviews and document results of such reviews.
Provide support to OCIO at internal/external meetings, conferences, technical exchange meetings, and working groups for all activities related to information security and risk management.
Provide testing support for evaluations, including specific test plans and testing services tailored to the security controls of the systems being tested. The tester will use NGA-accepted tools and techniques, including but not limited to manual testing, web assessment software, vulnerability scanning, pen testing tools, and in-house scripts as approved by NGA. Tests may be conducted either remotely or locally on the systems to ensure compliance and to identify security vulnerabilities, risks, threats and gaps.
Review and analyze the findings that identify security issues on the system. You shall compile results and findings into a final Security Assessment Report, along with assessments and recommendations for remediation.
Conduct testing and scanning via NGA-accepted techniques and scanning tools, including manual techniques (software and hardware), used either remotely or locally on the systems to evaluate compliance and to identify security vulnerabilities, threats, risks, and gaps. You will review and analyze the findings that identify security issues on the system.
For those position(s) associated with scanning for Fortify (OCIO2-ES-DO-0037), the position(s) are considered Software Security Consultants with the following requirements:
Scanning customer source code, auditing results with development and/or security teams and offering plans for remediation of vulnerabilities; communicating technical application security concepts to customer staff including developers, architects, and managers; training customer staff on application security and products; assessing and scoping of customer's application security needs; contributing to project planning and other project deliverables; customizing the implementation of HP Fortify's production and test products; and collaborating with Product Management and Engineering to enhance products.
Review security plans, test the documented systems in accordance with applicable policies and guidelines, and document the results of the testing; recommend either approval or denial of authorization, with rationale supporting the recommendation.
Assist with providing detailed test plans and conducting security testing of security controls specific to security boundaries, including Cross Domain Solutions (CDS).
Provide on-site and/or remote testing in support of FISMA through manual testing, vulnerability scans and penetration testing at industrial and NGA hosted sites both CONUS and OCONUS. Work will be authorized and coordinated by the Government on a trip by trip basis.
Augment cyber penetration testing activities in the planning, execution, tracking, and reporting of Blue/Red Team Assessments consisting of identifying and exploiting vulnerabilities on NGA systems.
Coordinate and conduct Blue Team assessments to identify vulnerabilities and correct weaknesses in NGA networks. The Blue Team will work cooperatively with Key Components (KCs) to provide notification and make recommendations to mitigate those vulnerabilities and assist in corrective actions.
You'll Bring These Qualifications:
An active TS/SCI clearance is required.
Must have a current certification compliant with DoD 8570 IAM or IAT level 3 OR obtain certification within 6 months of hire and maintain certification throughout employment.
Typically has a University Degree (BA/BS) or equivalent experience and minimum 10 years of related work experience.
Knowledge and experience in security disciplines including, but not limited to, information systems security, operations security, administrative security, personnel security, physical security and communications security.
Knowledge of IA principles and organizational requirements that are relevant to confidentiality, integrity, availability, authentication, and non-repudiation.
Ability to develop best practices for processes and standards that will improve the system.
Knowledge of IT security principles and methods (e.g., firewalls, demilitarized zones, encryption).
Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
Knowledge of security system design tools, methods, and techniques.
Knowledge of relevant laws, policies, procedures, or governance as they relate to work that may impact critical infrastructure.
Knowledge of TCP/IP networking technologies, Windows Active Directory and UNIX account administration, Windows Active Directory and UNIX folder permissions, patch management best practices on operating systems and applications, and known vulnerabilities associated with Windows and UNIX platforms.
Knowledge of the OSI model and how specific devices and protocols interoperate, including knowledge of the protocols and services for common network traffic.
Knowledge of DoD/IC system security control requirements.
Knowledge of and experience with XACTA.
Knowledge of DCID 6/3, ICD 503, CNSSI 1253, NIST SP 800-53, NIST SP 800-53A, NIST SP 800-37, and the NGA security controls assessment criteria/procedures.
Knowledge of industry information security standards and protocols.
Knowledge of known vulnerabilities from alerts, advisories, and bulletins.
These Qualifications Would be Nice to Have:
Experience with ICD 503 and working knowledge of the Risk Management Framework as outlined in NIST SP 800-37.
Working knowledge of information system security controls and how to assess their effectiveness per NIST SP 800-53 and NIST SP 800-53A.
Knowledgeable in continuous monitoring processes as outlined in NIST SP 800-137 appropriate for systems, leveraging existing tools, efforts, and incorporating new automation techniques.
Knowledgeable in information system vulnerability analysis and management.
Must have a thorough knowledge of IT, including but not limited to network subnetting.
Experienced in system testing methodologies that include penetration testing, configuration analysis, and security best-practices validation.
Experienced in security testing and penetration tools that include WASSP, SECSCN, BackTrack 5, Assured Compliance Assessment Solution (ACAS), Wireshark, Retina, Tripwire, HP Fortify WebInspect, and network discovery and visual analytics tools (e.g., IP Sonar).
Red/Blue team assessment experience.
Knowledgeable in cyber incident handling.
Experienced in using the XACTA application.
Proficient in the use of Microsoft applications (e.g., Excel and PowerPoint).
Experience within the Intelligence Community.
What We Can Offer You:
- We’ve been named a Best Place to Work by the Washington Post.
- Our employees value the flexibility at CACI that allows them to balance quality work and their personal lives.
- We offer competitive benefits and learning and development opportunities.
- We are mission-oriented and ever vigilant in aligning our solutions with the nation’s highest priorities.
- For over 55 years, the principles of CACI’s unique, character-based culture have been the driving force behind our success.