Unfortunately, this job posting is expired.
Company: Solutions By Design II
Address: 20588, MD
Form of work: Full-Time
Category: Information Technology

Job Description

SBD is seeking a Security Control Assessor (SCA) to join our team supporting our federal client. This position is involved in all steps of the Risk Management Framework (RMF) as outlined in NIST SP 800-37, Risk Management Framework for Information Systems, with a primary focus on executing all security control assessments for the organization.

This position is hybrid, requiring at least 2 days/week onsite at our customer's location in Camp Springs, MD.

Responsibilities Include:

  • Ensure a timely, thorough, and effective security assessment, with risks clearly stated and appropriately rated.
  • Prepare the necessary security assessment artifacts and reports, documenting the results associated with the assessment, and conduct close-out briefings for the respective system's stakeholders.
  • Provide peer reviews of teammates' assessment deliverables as needed.
  • Risk assessments
  • FedRAMP assessments
  • Review and provide input into enterprise security policy and governance, and security architecture and configuration of enterprise resources.

Required Experience and Qualifications:

  • Bachelor's Degree and 3 to 6+ years of related experience.
  • Must have and maintain at least one certification such as CISSP, CISM, CISA, CAP, CEH, or equivalent.
  • Extensive experience with the NIST RMF and independently leading security control assessments from start to finish using the NIST Framework.
  • Experience in several of the following areas is required:
    • Understanding of IT security practices and procedures.
    • Knowledge of current security tools available.
    • Different communication protocols.
    • Encryption techniques/tools.
    • Secure system architecture.
    • System engineering.
    • System administration.
    • Configuration management.
    • Agile application development experience.
  • Must be fully cloud proficient (AWS, Azure, Google).
  • Experienced performing FedRAMP assessments and assessments of systems hosted in the cloud.
  • Experience creating, reviewing, and updating/editing security artifacts (i.e., Security Plans, Contingency Plan, Contingency Plan Test, e-Authentication workbook, FIPS 199 workbook, etc.).
  • Proficient at interpreting scan results from various vulnerability and compliance tools such as MicroFocus Fortify SCA and WebInspect, Tenable Nessus and TIO, Prisma Cloud, SonarQube.
  • Must be capable of providing corrective actions for weaknesses discovered during the assessment.
  • Must have experience with SIEM tools and performing audit log reviews.
  • Experience creating and validating remediation of POA&Ms.
  • Technical writing ability is required.
  • Must be a US Citizen able to obtain an agency-specific suitability clearance prior to starting.
  • Must reside within a commutable distance to our client's location in Camp Springs, MD in order to work onsite at least 2 days/week.
  • Must be able to pass a comprehensive background check.
  • Must be fully vaccinated for COVID-19, unless a medical exemption or religious accommodation is approved. Individuals are considered fully vaccinated two weeks after their last dose of their vaccine. Confirmation of vaccine is required.

Desired Experience and Qualifications:

  • Knowledge of container platforms (EKS, OpenShift, Docker) and microservice architecture.
  • Development or programming experience.
  • Familiarity with Nipper, Burp Suite Pro, Kali Linux, SolarWinds, Telos IACS, Splunk.
  • Penetration Testing experience.


Job Posted by ApplicantPro
Refer code: 2168609. Solutions By Design II - The previous day - 2023-01-26 15:15
