Role: As the Senior Security Specialist (S3) for this engagement, the successful candidate will serve as a technical consultant and SME regarding federal information and cybersecurity doctrine, including FISMA and the NIST issuances. Our client’s FISMA compliance program is risk-based (in agreement with NIST issuances), with a lifecycle that leads to and sustains ATOs. Like most federal agencies, our client is constantly improving and refining systems, developing and deploying new systems, refreshing technologies, and incorporating new products as the IT market advances. Simultaneously, our client must address the ever-evolving threat landscape, changes in statute, standards, and regulations, and the continuous adaptation of their information security program to provide appropriate, cost-effective security in the midst of all of these factors.
While the S3 will focus on more complex and technical aspects of the support needed by this client, all members of the team are required to learn and support the various aspects of the work required under this task. The client has licensed the RSA Archer™ product as a FISMA/SA&A support tool, primarily for use in POA&M (~300 plans) and ISA/MOU (~30) management, as well as general security reporting and tracking. The client must also submit the customary CyberScope data, including PMC, CAP, and FISMA inventory information. Our client is currently sustaining a FISMA portfolio of approximately 100 systems, with a mix of general support as well as major/minor application systems. All systems require at least an annual update to the SSP, but only about 30 systems each year require new or heavily updated SSPs. Our client uses the traditional per-system SSP model, as well as program-level SSPs that support reuse and common control inheritance. Many of our client’s applications are being moved to the cloud, using the government’s FedRAMP program.
As our Senior Security Specialist, you will be a key technical member of the team, charged with sustaining and evolving the specified elements of the SA&A program, including the processes and tools employed throughout our client’s FISMA compliance program.
The successful candidate will:
- Provide expert counsel to the team and to the client about federal doctrine regarding the role and function of the NIST issuances, particularly the NIST RMP (SP 800-39), the RMF (SP 800-37), Risk Assessments (SP 800-30), Security Plans (SP 800-18), and the NIST Framework for Improving Critical Infrastructure Cybersecurity (a.k.a. the Cybersecurity Framework, or “CSF”). This includes performing research, interpreting control requirements and the suitability of control measures, analyzing draft/pending issuances (such as Version 1.1 of the CSF, currently in draft), and advising stakeholders on effective and efficient courses of action.
- Research and compile evidence in support of our client’s information security-related audits. Provide support for third-party audits performed by the OIG (annual FISMA audit, system security audits, per-request security topic audits, etc.), as well as the GAO (annual audit of internal controls, FISCAM audits, etc.). Usually, there are two enterprise-level audits per year, but other audits may also require support. Prior to each audit, you will help refine and review “audit readiness” work.
- Intake auditor requests, specifically calls for “Provided by Client” or “PBC” items, including requests for artifacts, interviews, tests, and examinations or observations of demonstrations and walkthroughs. Each request must be tracked, reported upon, coordinated with the needed stakeholders to obtain the requested materials, and conveyed to the auditors, with meticulous records kept for every PBC item, the timing of met and unmet requests, etc.
- Help develop, track, and implement Corrective Action Plans (CAPs), including those for POA&M remediation as well as those used to address audit findings.
- Coordinate with auditing entities to convey finding closure memos and evidence of finding closures, and coordinate with stakeholders as CAPs change over time.
- Draft audit finding closure memos, responses to auditor reports (including the Annual FISMA audit report), and other audit-related documentation, in coordination with stakeholders regarding the appropriate responses.
- Support System Security Planning efforts, including performing updates to system security plans (SSPs), determining the impact of new or updated doctrine upon the SSPs, planning and coordinating responses to these impacts, and ensuring that work is done in agreement with standard templates and guidelines. Support is also required to refine and update these templates and guidelines as changes in doctrine take place (for example, the impending release of NIST SP 800-53 Rev 5). While the “routine” SSP support will be done by the team’s more junior members, as the S3 you will be required to help address the more complex, difficult, and troubled security planning situations. For example, moving a system to the cloud and transitioning from the traditional SSP inheritance factors to use of the FedRAMP program’s artifacts and processes will be led and overseen by an S3.
- Perform an initial assessment of the information security program’s compliance with the NIST Cybersecurity Framework, and then periodically report on changes to that information. Support future requirements for gathering information about, responding to, and creating reports on the NIST Cybersecurity Framework.
- Support monthly, quarterly, and annual CyberScope reporting, including performing data calls, collating data and producing metrics, and providing decision support materials regarding Cross-Agency Priorities, President’s Management Council initiatives and scoring, and FISMA metric compliance. Analyze changes to the CyberScope reporting metric publications for the CIO, OIG, and SAOP, and provide appropriate updates to stakeholders. Revise data call tools and processes as CyberScope metrics change, and ensure that the most efficient means of gathering correct data are employed.
- Support the PM by providing information for status reports, status briefings, schedules, project plans, etc., both in written and oral form.
- Support and coach the more junior team members, perform quality reviews and oversight as needed, and help ensure that the team provides deliverables of impeccable quality. Never settle for “good enough,” and foster a culture in others to do the same. As needed, step in and support any project underway with the team.