Information Security Analyst
Pono Aina Management, LLC is seeking an Information Security Analyst to support The Department of State. This is a unique and challenging opportunity in the Office of the Chief Technology Officer (CTO) in Diplomatic Security, US Department of State. CTO is the primary IT group within the Bureau of Diplomatic Security, providing many web applications and other services used by Federal and local law enforcement officers worldwide.
- Location: Arlington, VA (on-site required; flexible telework)
- Integrate and test new technology for compliance with IT security standards
- Perform analysis to ensure security controls are consistently implemented throughout the system development life cycle and the continuous monitoring phase.
- Develop, document, and execute plans for monitoring, assessing, and verifying security controls across assigned information systems
- Document security control implementation statements.
- Apply knowledge of network security architecture concepts, including topology, protocols, components, and principles.
- Demonstrated experience creating system continuous monitoring and contingency plans that identify critical mission and business functions and recovery processes and procedures.
- Work with cross-functional teams across the bureau to complete RMF steps 1 through 3, which are prerequisites for RMF steps 4, 5, and 6.
- Complete a weekly activity report.
- Provide recommendations, guidance, and corrective action for all non-compliant security controls
- Assist project teams in registering systems in iMatrix and Xacta, and maintain working knowledge of both tools.
- Request, gather, and understand the evidence required to close out open Plans of Action and Milestones (POA&Ms).
- Execute FISMA tasks, including system authorization/reauthorization, Privacy Impact Assessments, and system security categorization, for DS application systems.
- Conduct comprehensive self-assessments consisting of automated and manual security assessments of the management, operational, and technical security controls employed within or inherited by DS information systems to determine the overall effectiveness of the controls
- Optimize processes to meet IT security-related goals and strategies by documenting lessons learned for each system and application by authorization month and year.
- Enter test results and artifacts into the bureau/department repository
- Document assessment activities and results in sufficient detail to enable external review of all assessment processes, activities, results, and conclusions
- Support bureau review of assessment activities, reports, and conclusions
- Develop and maintain all required assessment documentation in accordance with NIST SP 800-53 for Risk Management Framework Steps 1, 2, 3, 4 (remediation of independent assessment findings), 5 (artifacts for the Authorizing Official's review/approval package), and 6 (continuous monitoring actions) for all Bureau-managed systems
- Provide security expertise to ensure security controls are implemented and the resulting documentation and artifacts are current
- Provide guidance to key stakeholders on the necessary components to demonstrate the achievement of control objectives
- Implement a NIST-compliant continuous monitoring process across all major information systems to provide periodic assurance to senior management on the security protections of major information systems; and
- Support periodic assessment of a bureau-identified subset of security controls across assigned information systems.
- All other duties as assigned
- Certified Information Systems Security Professional (CISSP) and/or Certified Information Systems Auditor (CISA)
- Prior server, networking, or application administration, engineering, or system architecture experience.
- Experience working in a matrix organizational structure.
- Previous experience using Xacta, JIRA, and/or ServiceNow
- Some knowledge of the SDLC, project management principles, and ITIL.
- Knowledge of the Foreign Affairs Manual (FAM) and Foreign Affairs Handbook (FAH) policies
- Five to seven (5-7) years of experience performing system and application certification and accreditation.
- Knowledge of NIST SP 800-53 Revision 4 and Revision 5 security controls.
- Expert in the processes and documentation requirements for RMF methodologies
- Certified Authorization Professional (CAP) certification
- Advanced practical experience managing all phases of system Assessment and Authorization (A&A) activities, from early concept development through system retirement.
- Demonstrated experience supporting Government agencies, preferably the Department of State (DOS).
- Proficient, or able to gain proficiency, with a broad array of security software applications and tools
- Organized with attention to detail
- Willing to learn
H2 exists to serve alongside the Warfighter. We strive to provide quality and value to the customer by employing skilled professionals who understand and anticipate the needs of a changing military landscape and respond with superior service. Everything we do is inspired by our enduring mission to create value and make a difference everywhere we engage.