Public Trust
IT - Database
Remote/Hybrid (Off-Site/Hybrid)
Security Controls Assessor - Senior
This position requires an active Public Trust clearance or the ability to obtain a Public Trust clearance to be considered.
Applicant MUST have prior US Navy or Coast Guard maritime cybersecurity experience.
The Senior Security Controls Assessor provides independent assessments of MARAD information systems in support of system authorization, reauthorization, and continuous monitoring activities. This role evaluates management, operational, and technical security controls in accordance with NIST Risk Management Framework (RMF) requirements, supports Authority to Operate (ATO) decisions, develops assessment documentation and reports, and collaborates with MARAD, DOT, and cybersecurity stakeholders to ensure compliance, risk visibility, and mission assurance.
Compensation & Benefits:
Security Controls Assessor - Senior :
Pay commensurate with experience.
Full time benefits include Medical, Dental, Vision, 401K, and other possible benefits as provided. Benefits are subject to change with or without notice.
Security Controls Assessor - Senior Responsibilities Include:
- Assess MARAD systems in any of three authorization states: initial authorization, reauthorization, or Continuous Monitoring Assessment (CMA), also known as ongoing authorization. The independent assessor must be prepared to support the process in each of these three states.
- Provide annual assessment support to the NSMV and MARAD CIO programs. NSMV assessment support will involve conducting on-site evaluations at the Philadelphia shipyard and other locations.
- Conduct independent assessments of specified MARAD information systems following the System Authorization process as defined in the current DOT Security Authorization and Continuous Monitoring Performance Guide and its associated templates.
- Review existing information system core documentation, including privacy requirements data, to support development of security assessment plans and schedules that support authority to operate (ATO) dates. Review and establish the annual assessment schedule in support of deliverables and artifacts.
- Identify non-compliance with security requirements and propose possible mitigations for requirements that are not met.
- Verify and validate that the information system meets its security requirements.
- Conduct independent, comprehensive assessments of management, operational, and technical security controls and control enhancements within IT systems to determine overall effectiveness.
- Analyze networks and systems to validate that security controls are implemented appropriately.
Documentation:
- Develop security assessment plans and assessment reports compliant with the latest revisions of NIST SP 800-53A (Assessing Security and Privacy Controls in Information Systems and Organizations) and NIST SP 800-37 (Risk Management Framework for Information Systems and Organizations).
- Develop a Security Assessment Plan (SAP) that clearly states the assessment scope (including any exclusions), the controls being assessed, the assessment methods including sampling and "determine if" statements, a notional schedule, the assessment staff, an inventory of targeted system endpoints/components and software, the processes involved, and the status of system-specific, hybrid, and inherited controls.
- Adhere to the approved SAP while executing the security controls assessment against the targeted information system(s). Use approved techniques to collect and catalogue evidence of assessment findings (documents, screen captures, scan reports, interview session notes) to support claims of control implementation status (in place or otherwise).
- Develop the Security Assessment Report (SAR) in accordance with the scope and schedule defined in the SAP. The SAR must detail the findings for each control assessed, with supporting evidence substantiating each claim.
- Develop or update qualitative system Risk Assessment Reports (RAR) compliant with NIST SP 800-30, Guide for Conducting Risk Assessments.
- Develop a recommendation report to aid Plan of Action and Milestones (POA&M) development, detailing findings and the actions and effort to be considered for remediation.
- Develop security assessment executive summary documents, including a summative presentation that gives an overview of activities, findings, risks, and mitigation recommendations.
- Enter assessment data into the Cyber Security Assessment and Management (CSAM) database, the ATO system of record used by DOT.
- Provide presentations, reports, evaluations, reviews, meeting minutes and working papers in support of all tasks as requested by the COR.
- Apply MARAD/DOT A&A guidance and policy to achieve program objectives and enhance the overall quality of packages submitted for an ATO.
Stakeholder Collaboration and Guidance:
- Actively work with the designated Information Systems Security Manager (ISSM).
- Perform other job-related duties as assigned.
Security Controls Assessor - Senior Experience, Education, Skills, Abilities requested:
- A Bachelor's degree in cybersecurity or a related IT field may be substituted for 4 years of experience.
- Bachelor's degree in an IT-related field.
- Certified Information Systems Auditor (CISA), Advanced in AI Audit (AAIA), or equivalent certification
- 12 years of related work experience
- Prior experience supporting US Navy or Coast Guard Maritime Cyber Assessments
- Clearance: Must possess or be able to obtain a Public Trust.
- Prior Department of Transportation experience is a plus.
- Must pass pre-employment qualifications of Cherokee Federal
Company Information:
Criterion is a part of Cherokee Federal, the division of tribally owned federal contracting companies owned by Cherokee Nation Businesses. As a trusted partner for more than 60 federal clients, Cherokee Federal LLCs are focused on building a brighter future, solving complex challenges, and serving the government's mission with compassion and heart. To learn more about Criterion, visit cherokee-federal.com.
#CherokeeFederal #LI-SM2 #LI-REMOTE #AppC
Cherokee Federal is a military friendly employer. Veterans and active military transitioning to civilian status are encouraged to apply.
Similar searchable job titles:
- Senior Information Security Assessor
- RMF Security Controls Assessor
- Senior Cybersecurity Assessor
- Information Assurance (IA) Assessor
- ATO / RMF Lead Assessor
Keywords:
- Continuous Monitoring Assessment (CMA)
- Risk Assessment
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Federal Cybersecurity
Legal Disclaimer: Cherokee Federal is an equal opportunity employer. Please visit cherokee-federal.com/careers for information regarding our Affirmative Action and Equal Opportunity Employer Statement, and Accommodation request.
Many of our job openings require access to government buildings or military installations. Candidates must pass pre-employment qualifications of Cherokee Federal.