• Technical Consultant/POA&M SME

    Job Locations US-DC
    IT Security
    Work Authorization
    US Citizens, preferred
  • Overview

    VariQ has an exciting opportunity for a highly qualified Technical Consultant/POA&M SME to support Plan of Action and Milestones (POA&M) Management and System Security Plan (SSP) reviews at the SEC in Washington, DC.


    Additional Information:

    • Location: Federal client offices in North East, Washington, DC
    • Salary: Dependent upon experience
    • Security Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following a background suitability and records check.
    • Available: within 30 days


    Role: As the Senior Security Specialist for this engagement, the successful candidate will serve as a technical consultant and SME regarding federal information and cybersecurity doctrine, including FISMA and the NIST issuances. Our client’s FISMA compliance program is risk-based (in agreement with NIST issuances), with a lifecycle that leads to and sustains ATOs.

    The candidate will join a seven-person team: five Senior Security Analysts, one of whom leads the POA&M process, and two Security Analyst II’s, who are more junior members. Additional members may join the team as part of surge support. The team is supported by a part-time program manager; these positions therefore require self-motivated, educated, and mature candidates who are comfortable working with minimal supervision, and who have the gravitas to speak with authority and earn the respect of the team’s members and the client’s personnel, including senior leadership.

    While this position will focus on POA&M Management and SSP Reviews, all members of the team are required to learn and support the various aspects of the work required under this task. The client has licensed the RSA Archer™ product as a FISMA/SA&A support tool, primarily for POA&M and ISA/MOU (~30) management, as well as general security reporting and tracking. The client must also submit the customary CyberScope data, including PMC, CAP, and FISMA inventory information. Our client is currently sustaining a FISMA portfolio of approximately 100 systems, with a mix of general support systems as well as major/minor application systems. All systems require at least an annual update to the SSP, but only about 30 systems each year require new or heavily updated SSPs. Our client uses the traditional per-system SSP model, as well as program-level SSPs that support reuse and common control inheritance. Many of our client’s applications are being moved to the cloud, using the government’s FedRAMP program.

    As our Senior Security Specialist, you will be a key technical member of the team, charged with sustaining and evolving the specified elements of the SA&A program, including the processes and tools employed throughout our client’s FISMA compliance program.

    The successful candidate will:

    • Provide expert counsel to the team and to the client about federal doctrine regarding the role and function of the NIST issuances, particularly the NIST RMP (SP 800-39), the RMF (SP 800-37), Risk Assessments (SP 800-30), Security Plans (SP 800-18), and the NIST Framework for Improving Critical Infrastructure Cybersecurity (aka, the Cybersecurity Framework, or “CSF”).
    • Help input, manage and report on application POA&Ms in Archer. GSS POA&Ms are managed by another entity within SEC.
    • Help develop, track, and implement Corrective Action Plans (CAPs), including those for POA&M remediation as well as those used to address audit findings.
    • Coordinate with auditing entities to convey finding closure memos and evidence of finding closures, and coordinate with stakeholders as CAPs change over time.
    • Support System Security planning efforts, including performing updates to SSPs, determining the impact of new or updated doctrine upon the SSPs, planning and coordinating responses to these impacts, and ensuring that work is done in agreement with standard templates and guidelines. Support is also required to refine and update these templates and guidelines as changes in doctrine take place (for example, the impending release of NIST SP 800-53 Rev 5). While the “routine” SSP support will be done by the team’s more junior members, as the Senior Security Analyst you will be required to help address the more complex, difficult, and troubled security planning situations. For example, moving a system to the cloud and transitioning from the traditional SSP inheritance factors to use of the FedRAMP program’s artifacts and processes will be led and overseen by a Senior Security Analyst.
    • Support monthly, quarterly, and annual CyberScope reporting, including performing data calls, collating data and producing metrics, and providing decision support materials regarding Cross Agency Priorities, President’s Management Council initiatives and scoring, and FISMA metric compliance. Analyze changes to the CyberScope reporting metric publications for CIO, OIG, and SAOP, and provide appropriate updates to stakeholders. Revise data call tools and processes as CyberScope metrics change, and ensure that the most efficient means of gathering correct data are employed.
    • Support the PM by providing information for status reports, status briefings, schedules, project plans, etc., both in written and oral form.
    • Support and coach the more junior team members, perform quality reviews and oversight as needed, and help ensure that the team provides deliverables of impeccable quality. Never settle for “good enough,” and foster a culture in others to do the same. As needed, step in and support any project underway with the team.


    Required Experience and Abilities:

    • Mastery of, and fluency in, the NIST SP 800-3X series and SP 800-18, and a solid understanding of all other NIST FISMA issuances, as well as federal statute, security-relevant OMB circulars and memoranda, federal information processing standards, and other federal security doctrine.
    • Ability to participate as a senior member of a technical team that is performing audit support, POA&M management, and SSP process and artifact design and development. Note that the actual SA&A lifecycle is managed by another group, and is not part of this job. Instead, this is a specialized team with a strong emphasis on technical expertise in just these areas, even though that work does contribute to the SA&A lifecycle.
    • Strong understanding of DHS CyberScope reporting, to include how to collect correct data in the most efficient manner, deduce metrics, and meet immovable deadlines for reporting periods.
    • Understanding of GRC frameworks, such as that supplied by the RSA Archer™ tool, and how to use such tools to support information security objectives. Strong preference is given to candidates with hands-on RSA Archer™ tool experience. Experience with other GRC tools, such as RSAM, or experience with SA&A tools, such as Xacta, is also of significant value.
    • Ability to tailor information security processes and tools, based on ever-evolving and changing landscapes, doctrine, and risk scenarios.
    • Proficiency in performing work in a federal agency that has FISMA, OMB Cybersecurity & Privacy, and NIST SP/FIPS compliance requirements.
    • Fluency in both spoken and written US English, including the ability to work with highly technical and specialized content. Must be able not only to prepare and deliver such content, verbally and in writing, but also to comprehend such content from others, in both spoken and written form.
    • Ability to prepare deliverables of sufficient quality that few or no minor edits are required before conveyance to the client.
    • Quickly review the work products of others, employ your own fluency in federal security doctrine, and ensure that timely and accurate feedback and recommended edits are delivered to the author(s). All work products should be ready for delivery to the client after only one review has been performed.

    Years of Experience: At least 10 years of federal information security experience. At least five years involving the SA&A and security planning processes. At least 1 year of experience with POA&M Management.


    Professional Certifications: Candidates must hold one or more of the following certifications (or equivalents): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and/or CompTIA Security+.


    Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following a background suitability and records check.


    VariQ is an equal opportunity employer.

