Security Control Assessor

Security Control Assessor

The Security Control Assessor will conduct security validations and assessments, in support of the Department of the Navy and ONI. This position provides technical expertise to senior management, department heads and/or staff. Only local candidates to the Maryland area will be considered since this position is On-site. Telework is an option for one to two days a week.

Certificates, Licenses, and Education

• Bachelor of Science (B.S.) or equivalent combination of IT technical or cybersecurity Associates Degree.
• Candidates must be certified in one of the areas as directed by DoD 8570- CISM, CISSP, GSLC, or CCISO.
• Candidates must have a DOD Top Secret Clearance with eligibility to obtain SCI.
• Candidates who hold the Navy Qualified Validation certificate are preferred.

Position Responsibilities and Qualifications

• Conduct Cloud Security Assessments to include validated cyberSecurity Controls, certifier's recommendation, and certifier’s statement of residual risk, certification assessment briefing slides, and a provisional authorization.
• Cloud Continuous Monitoring: Perform Navy Cloud Ecosystem on-going Authorization support to include continuous monitoring, annual reviews, any significant change requests of Cloud offerings or design reviews, recommendations, written reports, and briefings.
• Review, evaluate, and provide analysis in order to develop the Cloud Security Assessment Package in accordance with (IAW) the established guidelines.
• Three (3) years of cybersecurity experience with at least one year of experience conducting SCAs under ICD 503/CNSSI 1253 NIST Cybersecurity Framework, Risk Management Framework (RMF).
• Minimum of one full year supporting cloud environment and experience performing security assessments in a cloud environment (AWS preferred).
• Skill in conducting and reviewing Secure Technical Implementation Guide’s (STIG’s), vulnerability scans (Nessus) for both software (IAVM’s) and applications (SAST & DAST) as well as recognizing vulnerabilities in security systems (e.g., Cloud Environments).
• Knowledge of general attack strategies (e.g., MITRE ATT&CK Framework).
• Knowledge of Independent Verification & Validation (IV&V) of Security Controls.
• Knowledge of enterprise solutions across multiple cloud operating environments (JWICS, SIPRNET, NIPRNET, and commercial Internet)
• Knowledge of Risk Management Framework (RMF) processes (e.g., methods for assessing and mitigating risk) as well as knowledge of specific operational impacts of cybersecurity lapses (Xacta and eMASS experience preferred).
• Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• Knowledge of IT and cloud computing security principles and methods (e.g., firewalls, demilitarized zones, encryption, CDS, etc.).
• Knowledge of cloud computing environment security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, virtualization, containerization, IaaS, PaaS, etc.).