VariQ has an exciting opportunity for a highly qualified Senior Security Specialist/Audit SME to support a client in Washington, DC.

Additional Information:

• Location: Fully remote through at least March 2021 due to COVID-19. Federal client offices in North East, Washington, DC with up to 2 days telework post-COVID-19.
• Salary: Dependent upon experience
• Security Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following background suitability and records check.
• Available: within 30 days

Role: As the Senior Security Specialist for this engagement, the successful candidate will serve as a technical consultant and subject matter expert (SME) regarding federal information and cybersecurity doctrine, including FISMA and the NIST issuances with a focus on audit support.

The successful candidate will:

• Provide expert counsel to the team and to the client about federal doctrine regarding the role and function of the NIST issuances, particularly the NIST RMP (SP 800-39), the RMF (SP 800-37), Risk Assessments (SP 800-30), Security Plans (SP 800-18), and the NIST Framework for Improving Critical Infrastructure Cybersecurity(aka, the Cybersecurity Framework, or “CSF”).
• Research and compile evidence in support of our client’s information security-related audits. Provide support for third-party audits performed by the OIG (annual FISMA audit, system security audits, per-request security topic audits, etc.), as well as the GAO (annual audit of internal controls, FISCAM audits, etc.).
• Intake requests, specifically call for “Provided by Client” or “PBC” items, including requests for artifacts, interviews, tests, and examinations or observations of demonstrations and walkthroughs, etc. Each request must be tracked, reported upon, coordinated with needed stakeholders to obtain the requested materials, and conveyed to the auditors, with meticulous records being kept as to every PBC item, the timing of met and unmet requests, etc.
• Help develop, track, and implement Corrective Action Plans (CAPs), including those for Plan of Action and Milestone (POA&M) remediation as well as those used to address audit findings.
• Coordinate with auditing entities to convey finding closure memos and evidence of finding closures, and coordinate with stakeholders as CAPs change over time.
• Draft audit finding closure memos, responses to auditor reports (including the Annual FISMA audit report), and other audit-related documentation. This is done in coordination with stakeholders regarding the appropriate responses.
• Prepare, analyze and verify monthly audit status reports.
• Support System Security planning efforts, including performing updates to system security plans (SSPs), determining the impact of new or updated doctrine upon the SSPs, planning and coordinating responses to these impacts, and ensuring that work is done in agreement with standard templates and guidelines. Support is also required to refine and update these templates and guidelines as changes in doctrine take place (for example, the impending release of NIST SP 800-53 Rev 5).
• Support the PM by providing information for status reports, status briefings, schedules, project plans, etc., both in written and oral form.
• Support and coach the more junior team members, perform quality reviews and oversight as needed, and help ensure that the team provides deliverables of impeccable quality.
• Prepare executive-level presentations and summary reports.

Required Experience and Abilities:

• Mastery of, and fluency in, the NIST SP 800-3X series and SP 800-18, and a solid understanding of all other NIST FISMA issuances, as well as federal statute, security-relevant OMB circulars and memoranda, federal information processing standards, and other federal security doctrines.
• Ability to participate as a senior member of a technical team that is performing audit support, and SSP process and artifact design and development. Note that the actual SA&A lifecycle is managed by another group, and is not part of this job. Instead, this is a specialized team with a strong emphasis on technical expertise in just these areas, even if they do contribute to the SA&A lifecycle.
• Ability to tailor information security processes and tools, based on ever-evolving and changing landscapes, doctrine, and risk scenarios.
• Proficiency in performing work in a federal agency that has FISMA, OMB Cybersecurity & Privacy, and NIST SP/FIPS compliance requirements.
• Fluency in both spoken and written US English, including the ability to work with highly technical and specialized content. Must be able both prepare and deliver such content, verbally and in writing, but also comprehend such content from others, in both spoken and written form.
• Ability to prepare deliverables with sufficient quality such that very few minor, or no, edits are required to be made prior to conveyance to the client.
• Quickly review the work products of others, employ your own knowledge of federal security doctrine, and ensure that timely and accurate feedback and recommended edits are delivered to the author(s). All work products should be ready for delivery to the client after only one review has been performed.

Years of Experience: At least 10 years of federal information security experience. At least three years involving audit support with demonstrated leadership roles.

Professional Certifications: Candidates must hold one or more of the following certifications (or equivalents): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and/or CompTIA Security+.

Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following background suitability and records check.

OTHER DUTIES

• This job description is not designed to cover a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities are subject to change at any time. Employees will be required to follow any other job-related instructions and to perform any other job-related duties requested by any person authorized to give instructions or assignments.

PHYSICAL DEMANDS AND WORK ENVIRONMENT

• The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this position. Reasonable accommodation may be made to enable individuals with disabilities to perform these functions.
• While performing the duties of this position, the employee is regularly required to talk or hear. The employee frequently is required to use hands or fingers, handle or feel objects, tools, or controls. The employee is occasionally required to stand, walk, sit, and reach with hands and arms. Specific vision abilities required by this position include close vision, distance vision, and the ability to adjust focus. The noise level in the work environment is usually low to moderate. 

NOTE

• All duties and responsibilities are essential functions and requirements and are subject to possible modification to reasonably accommodate individuals with disabilities. To perform this job successfully, the employee will possess the skills, aptitudes, and abilities to perform each duty proficiently. The requirements listed in this document are the minimum levels of knowledge, skills, or abilities. This document does not create an employment contract, implied or otherwise, other than an “at will” relationship.

VariQ is an Equal Opportunity/Affirmative Action employer.  All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability, protected veteran status, or any other protected class. We consider diversity and inclusiveness to be core to our culture, and central to our commitment to fostering an empowering and supportive workplace.