Today
DoE Q or L
IT - Security
Washington, DC (On-Site/Office)
The Alaka`ina Foundation Family of Companies (FOCs) has a need for various cybersecurity positions to support our government customer, primarily located in the National Capital Region (NCR): Washington, D.C. and/or Germantown, MD.
Some positions will be located in Albuquerque, NM and Las Vegas, NV. The majority of positions will be held within the NCR. All positions will require on-site support at a designated government location.
Positions include, but are not limited to:
Information System Security Manager (ISSM)
Information System Security Officer (ISSO)
Authorization Official Designated Representative (AODR)
CSSP Analyst
Technical Assessor
Programmatic Assessor
DESCRIPTION OF RESPONSIBILITIES:
- Assist in developing and maintaining accurate cybersecurity documentation for the on-premises and cloud information systems and major applications.
- Support Information Assurance documentation including Information System Security Plans (ISSPs), security baselines, risk assessments and Plan of Action and Milestones (POA&M).
- Ensure that systems comply with Federal requirements and government baselines, in accordance with NA-IM cybersecurity policies.
- Information System Security Officer (ISSO) Requirements:
- Provide ISSO support for NA-IM in Information Assurance activities.
- Must have the skill set to utilize implemented tools and monitoring capabilities to support continuous authorization.
- Must have the ability to interpret data from implemented tools to identify changes to a system, including changes in vulnerabilities, configuration, and implemented security controls.
- Carry out activities at the organization, mission, business process, and information system levels of the enterprise to help prepare NNSA-OCIO to manage its security and privacy risks using the RMF.
- Determine and assign ISSO resources.
- Establish and document organizationally tailored control baselines.
- Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.
- Utilize implemented tools to continuously monitor control effectiveness.
- Identify and document assets that require protection.
- Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis.
- Define and document the security and privacy requirements for the system and the environment of operation.
- Determine the placement of the system within the enterprise architecture.
- Categorize the information system into low, moderate, or high potential security impact, using FIPS 199 as a guide. Use NIST 800-60 Volume 2 to determine the security categorization of the system based on the organization's requirements.
- Categorize the information system and document the results of the security categorization in the Security Plan.
- Provide a written subsection of the System Security Plan that covers FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
- Describe the information system (including system boundary) and document the description in the Security Plan.
- Provide a written System Definition Document which is a subsection in the System Security Plan.
- Ensure all information systems are designed, implemented, and operated securely through agile cybersecurity authorization that works closely with system administrators or developers early and throughout the development, testing, and implementation phases.
- Register the information system with appropriate organizational program/management offices.
- Establish and maintain security controls to protect information systems and data as identified in NIST 800-53 and CNSSI 12-53 as well as any other implemented requirements document.
- Identify and document the controls for the system and environment of operation in system security plans.
- Leverage the security categorization, privacy risk assessment, security and privacy architectures, and the allocation of controls to achieve balance between security and privacy protections and mission-based functional requirements.
- Document the controls that describe implementation of system-specific and hybrid controls, and the plans and expectations regarding the functionality of the system.
- Work with the system owner or designee to ensure that security and privacy requirements for the system and the controls selected satisfy the requirements.
- Implement appropriate Enterprise or Site Common Controls developed during the RMF Prepare-Organization Level for inheritance.
- Conduct activities that assess the selected security controls for IT and OT systems for correct implementation, ensuring that they are operating as intended, producing the desired outcomes, and still operating within the approved risk boundaries.
- Develop and submit plans to assess implemented controls. Plans should reflect the type of assessment, testing and evaluation strategy, independent verification and validation, audits, continuous monitoring, and assessment failure remediation actions.
- Assess the controls in accordance with the assessment procedures described in the assessment plan.
- Provide a Security Assessment Report (SAR) to the System Owner, ISSO, ISSM, AODR and AO upon completion of security control testing activities.
- Document compliance results and associated risks within the SAR.
- Document assessment findings within the approved eGRC tool.
- Work with the system owner or designee to develop and track Plans of Action and Milestones (POA&Ms) for any failed control or program component.
- Provide data call response and evidence gathering.
- Provide accurate and timely responses to data call requests, using approved data call response tools.
- Provide expert support for internal and external assessments and audits.
- Collaborate with internal and external partners.
- Work closely and cooperatively with both internal and external partners such as Cyber Operations, IT Operations, Mission Integration, Security Operations Center, other NNSA entities and Other Government Agencies.
- Regularly audit security measures and practices to ensure effectiveness and program compliance.
- Effectively communicate and work with the IA Federal personnel to identify program non-compliance and establish corrective actions or remediations in a timely manner.
- Ensure that program level requirement documents, policies, and procedures remain up to date reflecting current requirements and program implementation. Examples include but are not limited to: NA-IM Enterprise Cybersecurity Program Plan; NA-IM Enterprise Cybersecurity Improvement Plan; NNSA Cybersecurity Threat and Risk Statement.
- Support the development of Governance type program and policy documents to implement DOE/NNSA and federal requirements.
- Support the adjudication of comments on federal requirements, and NA-IM policies and procedures.
- Review Legislation, Executive Orders, OMB Documents, and DOE/NNSA directives to identify potential impacts. Make recommendations for implementation of NNSA policy/guidance changes.
- Information System Security Manager (ISSM), Authorizing Official Designated Representative (AODR) and Program Management Requirements:
- Ensure that system, application and hardware authorization activities such as ISSPs, Risk Assessments, Security Baselines, etc. are completed in a timely and accurate manner. This includes initial authorization and re-authorization.
- The ISSM is an organizational official responsible for ensuring that federal and program cybersecurity requirements are implemented as deemed necessary.
- The AODR is an organizational official designated by the AO who is empowered to act on behalf of the AO to coordinate and conduct the day-to-day activities associated with managing risk to information systems and organizations. This includes carrying out many of the activities related to the execution of the RMF, but DOES NOT INCLUDE the authorization decision and signing of the associated authorization decision document (i.e., the acceptance of risk).
- Develop the authorization package and submit the package to the ISSM for review and submit the package to the AO/AODR for review and approval upon approval from the ISSM.
- Maintain knowledge of AO-approved risk boundaries and risk tolerance.
- Update authorization documentation at organizationally defined frequency in accordance with the risk management objectives of the organization.
- Shall only approve operations that are covered within existing authorizations (instantiate).
- Ensure that all decisions made by the AODR will support the AO and be fully transparent.
- Actively manage and coordinate the onboarding and termination of contractor personnel.
- Ensure that the work products and deliverables provided under the PWS task areas meet the Enterprise Cybersecurity Program requirements, and that services are of the highest quality and meet the TPOC's standards.
- Provide strategic support at meetings, briefings, and presentations.
- Work, coordinate, and maintain a healthy working relationship with other contractors supporting NA-IM and the NNSA.
- Cyber Security Service Provider Analyst Requirements:
- Must continue to meet Department of Defense (DoD) Cybersecurity Service Provider (CSSP) certification requirements.
- Will require CSSP certification.
- Use Evaluator Scoring Metrics (ESM) to provision and conduct self-assessments of provisioned services. The ESM contains the criteria by which General Service (GENSER) and Special Enclave (SE) evaluations are conducted.
- Manage the Vulnerability Management Reporting.
- Track, draft, and update CSSP Policies and Procedures.
- Ensure sites are operating in accordance with policies and interface with sites to provide assistance.
- Ensure application of the ESM through programmatic reviews; work with the IARC NOC/SOC on technical implementation of site boundary monitoring and incident response.
- Work with Hardening Guidance and Standards for DOD in application to Cyber Security Service Provider (CSSP) and Subscriber Sites.
- Track and maintain annual documentation reviews.
- Develop ESM Metrics in Enterprise Archer for CSSP (to track with annual reviews).
- Work with CCRI Auditors on local assessments and provide support for auditing activities.
- Develop the Monthly Site Report (MSR) integration process and its documentation, and train personnel on the process.
- Conduct Port, Credential Scanning, and Monthly Vulnerability Reporting (Tenable Security Center) for NNSA Subscriber Sites.
- Create (and Maintain) Master POC List for NNSA Subscriber Sites.
- Process Network Diagrams and Site Portfolios.
- Produce Hardware and Software Asset Lists (monthly) as seen by Centralized Scanning Devices.
- Conduct annual CSSP Hardware and Software Inventories.
- Provide computer security support for an Enterprise network environment.
- Develop improvements for TSC scanning and reports, and improvements to processes for exception tracking, POC lists, and portfolios (i.e., templates, repeatable processes, SOPs, staff training).
- Develop PKI Policy for CSSP and NNSA Enterprise based on NIST SP 800-32, CNSS-015-2016 Guidance, DoD NSS PKI Best Practices by the PMO.
- Develop and establish a rapport with enterprise site personnel for troubleshooting issues, site notices, document updates, and policy requirements.
- Provide personnel approved as a derivative classifier for derivative classification review following the "Classification Guide for Safeguards and Security Information" (CG-SS) and CUI Marking/Review for the CSSP.
- Work with the Enterprise ISSMs to inform changes to ISA's or other documentation created from the Enterprise perspective.
- Work very closely with Enterprise ISSE Team to support Tenable Security Center and Cyber Tool Access.
- Be responsible for maintaining account access to Tenable (including processing forms, confirming training, managing access, and troubleshooting issues).
REQUIRED DEGREE/EDUCATION/CERTIFICATION:
- Technical assessors must be certified, at a minimum, according to Cyber Security Service Provider Auditor (minimum mastery of IAT III), within six months of assignment.
- Programmatic assessors must be certified to Information Assurance Manager II and III (junior and senior roles respectively), within six months of assignment.
- Must meet certification requirements IAW DCWF DoDD 8140, NNSA, or equivalent training and experience.
REQUIRED SKILLS AND EXPERIENCE:
- Must have experience supporting a cybersecurity compliance program for a Federal or DoD customer.
REQUIRED CITIZENSHIP AND CLEARANCE:
- Must be a Born or Naturalized U.S. Citizen. For the purposes of this work effort, Green Card or Visa holders are not eligible.
- Top Secret and/or Q Clearance is required.
The Alaka`ina Foundation Family of Companies (FOCs) is a fast-growing government service provider. Employees enjoy competitive salaries. Eligible employees enjoy a 401K plan with company match; medical, dental, disability, and life insurance coverage; tuition reimbursement; paid time off; and 11 paid holidays.
We are an Equal Opportunity/Affirmative Action Employer of individuals with disabilities and veterans. We are proud to state that we do not illegally discriminate in employment decisions on the basis of any protected categories. If you are a person with a disability and you need an accommodation during the application process, please click here to request accommodation. We E-Verify all employees.
The Alaka`ina Foundation Family of Companies (FOCs) is comprised of industry-recognized government service firms designated as Native Hawaiian Organization (NHO)-owned and 8(a) certified businesses. The Family of Companies (FOCs) includes Ke`aki Technologies, Laulima Government Solutions, Kūpono Government Services, Kapili Services, Po`okela Solutions, Kīkaha Solutions, LLC, and Pololei Solutions, LLC. Alaka`ina Foundation activities principally benefit the youth of Hawaii through charitable efforts, which include providing innovative educational programs that combine leadership, science & technology, and environmental stewardship.
For additional information, please visit www.alakainafoundation.com
#LI-JS1
#ClearanceJobs