• Senior Security Specialist/Technical Consultant

    Job Locations US-DC-Washington DC
    Job ID
    # of Openings
    Information Technology
    Public Trust
    Work Authorization
    US Citizens, preferred
    Contract - W2
    Posted Date
  • Overview

    VariQ has an exciting opportunity for a highly qualified Senior Security Specialist/Technical Consultant to support a client in Washington, DC.


    Additional Information:

    • Location: Federal client offices in North East, Washington, DC with up to 2 days telework
    • Salary: Dependent upon experience
    • Security Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following a background suitability and records check.
    • Available: within 30 days


    Role: As the Senior Security Specialist (S3) for this engagement, the successful candidate will serve as a technical consultant and subject matter expert (SME) regarding federal information and cybersecurity doctrine, including FISMA and the NIST issuances. Our client’s FISMA compliance program is risk-based (in agreement with NIST issuances), with a lifecycle that leads to and sustains ATOs. Like most federal agencies, our client is constantly improving and refining systems, developing and deploying new systems, refreshing technologies, and incorporating new products as the IT market advances. Simultaneously, our client must address the ever-evolving threat landscape, changes in statute, standards, and regulations, and the continuous adaptation of their information security program to provide appropriate, cost-effective security in the midst of all of these factors.

    The successful candidate will be a member of a nine-person team: the candidate, a Program Manager (PM), five Senior Security Specialists (S3) and two Security Analyst II’s, who are more junior members. Additional members may join the team as part of surge support. The team will be supported by a part-time Director (who will handle minor oversight to ensure that client needs are being met), and a part-time technical writer (who will help with QA on deliverables). This position requires a self-motivated, educated, and mature candidate who is comfortable with working with minimal supervision, and has the gravitas to speak with authority and earn the respect of the team’s members and the client’s personnel, including senior leadership.

    While the S3 will focus on more complex and technical aspects of the support needed by this client, all members of the team are required to learn and support the various aspects of the work required under this task. The client has licensed the RSA Archer™ product as a FISMA/SA&A support tool, primarily for use in Plan of Action and Milestone (POA&M) and ISA/MOU management, as well as general security reporting and tracking. All systems require at least an annual update to the SSP, but only about 30 systems each year require new or heavily updated SSPs. Our client uses the traditional per-system SSP model, as well as program-level SSPs that support reuse and common control inheritance. Many of our client’s applications are being moved to the cloud, using the government’s FedRAMP program.

    As our Senior Security Specialist, you will be a key technical member of the team, charged with sustaining and evolving the specified elements of the SA&A program, including the processes and tools employed throughout our client’s FISMA compliance program.

    The successful candidate will:

    • Provide expert counsel to the team and to the client about federal doctrine regarding the role and function of the NIST issuances, particularly the NIST RMP (SP 800-39), the RMF (SP 800-37), Risk Assessments (SP 800-30), Security Plans (SP 800-18), and the NIST Framework for Improving Critical Infrastructure Cybersecurity (aka the Cybersecurity Framework, or “CSF”).
    • Research and compile evidence in support of our client’s information security-related audits. Provide support for third-party audits performed by the OIG (annual FISMA audit, system security audits, per-request security topic audits, etc.), as well as the GAO (annual audit of internal controls, FISCAM audits, etc.).
    • Intake requests, specifically calls for “Provided by Client” or “PBC” items, including requests for artifacts, interviews, tests, and examinations or observations of demonstrations and walkthroughs, etc. Each request must be tracked, reported upon, coordinated with needed stakeholders to obtain the requested materials, and conveyed to the auditors, with meticulous records being kept as to every PBC item, timing of met and unmet requests, etc.
    • Help develop, track, and implement Corrective Action Plans (CAPs), including those for Plan of Action and Milestone (POA&M) remediation as well as those used to address audit findings.
    • Coordinate with auditing entities to convey finding closure memos and evidence of finding closures, and coordinate with stakeholders as CAPs change over time.
    • Draft audit finding closure memos, responses to auditor reports (including the Annual FISMA audit report), and other audit related documentation. This is done in coordination with stakeholders regarding the appropriate responses.
    • Support System Security Planning efforts, including performing updates to system security plans (SSPs), determining the impact of new or updated doctrine upon the SSPs, planning and coordinating responses to these impacts, and ensuring that work is done in agreement with standard templates and guidelines. Support is also required to refine and update these templates and guidelines as changes in doctrine take place (for example, the impending release of NIST SP 800-53 Rev 5).
    • Support the PM by providing information for status reports, status briefings, schedules, project plans, etc., both in written and oral form.
    • Support and coach the more junior team members, perform quality reviews and oversight as needed, and help ensure that the team provides deliverables of impeccable quality.


    Required Experience and Abilities:

    • Mastery of, and fluency in, the NIST SP 800-3X series and SP 800-18, and a solid understanding of all other NIST FISMA issuances, as well as federal statute, security-relevant OMB circulars and memoranda, federal information processing standards, and other federal security doctrine.
    • Ability to participate as a senior member of a technical team that is performing audit support, POA&M management, and SSP process and artifact design and development. Note that the actual SA&A lifecycle is managed by another group and is not part of this job. Instead, this is a specialized team with a strong emphasis on technical expertise in just these areas, even though they do contribute to the SA&A lifecycle.
    • Understanding of Governance, Risk and Compliance (GRC) frameworks and tools, such as RSA Archer™, RSAM, CSAM, or experience with SA&A tools, such as Xacta.
    • Ability to tailor information security processes and tools, based on ever-evolving and changing landscapes, doctrine, and risk scenarios.
    • Proficiency in performing work in a federal agency that has FISMA, OMB Cybersecurity & Privacy, and NIST SP/FIPS compliance requirements.
    • Fluency in both spoken and written US English, including the ability to work with highly technical and specialized content. Must be able not only to prepare and deliver such content, verbally and in writing, but also to comprehend such content from others, in both spoken and written form.
    • Ability to prepare deliverables of sufficient quality that few minor edits, or none, are required before conveyance to the client.
    • Ability to quickly review the work products of others, apply your own knowledge of federal security doctrine, and ensure that timely and accurate feedback and recommended edits are delivered to the author(s). All work products should be ready for delivery to the client after only one review has been performed.


    Years of Experience: At least 10 years of federal information security experience. At least five years involving the SA&A and security planning processes, with demonstrated leadership roles. At least two years of experience with compliance audit support. At least two years of hands-on experience with a security-relevant GRC tool.


    Professional Certifications: Candidates must hold one or more of the following certifications (or equivalents): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and/or CompTIA Security+.


    Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following a background suitability and records check.



    VariQ is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, or protected veteran status.
