Company: Diverse Systems Group

Address: Bethesda, MD
Form of work: Full-Time
Category: Information Technology

Job description

 DSG is a minority-owned government contractor with expertise in the information technology field. DSG specializes in health information management with contracts in the Department of Defense.

 

Security Engineer 

Location: Bethesda, MD

Clearance Requirement: Secret

Work model: In-office 100%

Position type: W2 or 1099

 

Responsibilities 

Lead and perform Defense Health Agency (DHA)-specific Risk Management Framework (RMF)-related tasks throughout all stages of a system’s lifecycle including: 

  • Stakeholder engagement and development of A&A or Threat Management Team project plans 
  • Preparation and maintenance of FIPS-199 system security categorization
  • Performance of risk assessments
  • Analysis of risk remediation and mitigation options and strategies
  • Development, review, and submission of Assessment & Authorization (A&A) system security packages
  • Selection and documentation of applicable NIST 800-53 rev. 4 security controls in systems’ Security Controls Traceability Matrices (SCTM)
  • Collection, development, and analysis of NIST 800-53 rev. 4-related security controls artifacts
  • Participation in and organizational oversight of Independent Verification & Validation (IV&V) activities
  • Development of and status tracking for Plans of Action & Milestones (POA&M)
  • Performance of Continuous Diagnostics and Monitoring (CDM)-related activities
  • Status tracking and reporting to leadership and organizational stakeholders
  • Supports the year-round work of maintaining security posture to meet DoD RMF requirements.

Manage system security packages in DOD Enterprise Mission Assurance Support System (eMASS) throughout system authorization cycles, including: 

 

  • System registration
  • Uploading and maintenance of system security packages
  • Plans of Action & Milestones (POA&M) entry and tracking
  • System decommissioning

• Conduct technology assessments, reviews, and technical inspections to identify and mitigate potential security weaknesses and to ensure all applicable security features and functionality are implemented and function as intended and required. 

• Work in partnership with System and Network Administrators to perform self-assessment and hardening of workstations, servers, network devices, and clinical devices including the application of Secure Technical Implementation Guidelines (STIG) and running hardening and security artifact collection scripts and Security Content Automation Protocol (SCAP) and Assured Compliance Assessment Solution (ACAS) scans. 

• Develop and maintain cybersecurity-related training materials and delivery of training for users and System Administrators (SA). 

• Possess and maintain a comprehensive understanding of federal security regulatory requirements and security frameworks including DoD/DHA IT Security and IA policies, RMF, NIST SP 800-series, FISMA, FIPS, FedRAMP, policies, directives, publications, etc. 

• Proactively maintain awareness and understanding of current and emerging threats and vulnerabilities and their potential impact on organizational mission accomplishment, patient safety, and security of patient data. 

• Apply security patches, IAVAs, STIGs, and updates for all assigned systems.

• Provide support for the escalation and communication of status to agency management and internal customers and clearly communicate technical information to both technical and non-technical personnel 

• Implement and manage disaster recovery and COOP plans, systems, and operations. 

• Works collaboratively with the team to ensure the following: maintenance of baseline system security according to organizational policies, mitigation of cyber threats and vulnerabilities, and adherence to information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, and encryption).

• Provide configuration management and accurately assess the impact of modifications and vulnerabilities for each system. 

• Maintain a thorough understanding of NIST 800-53 controls, determine which controls are applicable to the application, and document their implementation in the Security Controls Traceability Matrix (SCTM).

• Oversee the monitoring and resolution of Plans of Action and Milestones (POA&M) to mitigate system vulnerabilities on assigned Information Systems.

• Ensures technical system documentation required for A&A packages is complete and clearly supports validation and ATO in accordance with system security requirements. 

• Performs comprehensive A&A tasks including package development, controls analysis, risk assessment, contingency planning, security test & evaluation, risk mitigation analysis, and technology assessments. 

• Utilizes applicable NIST and FIPS standards and guidance documents to register and complete accreditation packages in the DISA eMASS system.

• Leads the RMF accreditation lifecycle for assigned systems from cradle to grave, managing stakeholder engagement, lifecycle progression, schedule development, accreditation package review, submission, and validation. 

• Maintains and supports current and ongoing A&A packages to ensure uninterrupted delivery of information technology systems for the organization. 

• Creates, manages, and maintains setup documentation and security policies for compliance and accreditation purposes for all programs and projects, including SOPs, Policies, Procedures, Plans, guidelines, checklists, presentations, training guides, etc., in alignment with the DOD/DHA IT organizational cybersecurity needs or in accordance with RMF guidelines.

• Reports on assessment process status, participates in Independent Verification & Validation (IV&V) activities, conducts/oversees IV&V testing as required, and assists system certifiers during evaluations. 

• Reviews regulatory security policies, as well as best practices, and develops the technical solution required in order to implement those requirements on servers, routers, firewalls, and other LAN/WAN equipment. 

• Works with System and Network Administrators to monitor the security posture of all networked systems and applications and take appropriate steps to quickly deal with any vulnerabilities. 

• Provides system, network, and Security Engineering expertise and guidance for all aspects of information assurance, including those systems required to meet DoD regulations and requirements. 

• Manages the cybersecurity program to minimize risk and exposure across projects. 

• Oversee a team performing self-assessment and hardening of system servers, applying STIGs, SCAP and ACAS scans, and other scripts 

• Comprehensive understanding of DoD MHS services and programs, and other usability standards, as well as user interface design methodologies. 

• Other duties as assigned as related to the Cybersecurity Division. 

 

Requirements

 

Qualifications 

  • 6+ years of relevant experience supporting system security authorization processes in compliance with DOD’s and DHA’s NIST RMF-related policies and requirements. 
  • 5+ years of technical experience related to system and/or network administration and/or cybersecurity operations. 
  • The minimum certification level of CompTIA Security+ CE or equivalent certification required in accordance with DoDI 8140 / DoDD 8570 requirements (IAM/IAT Level 2) 
  • CISSP, CAP, CYSA, CISM, MSCE, or equivalent certification required 
  • Knowledge and experience with DOD RMF A&A artifacts, network architecture, network and security management and monitoring tools, and penetration test tools. 
  • Four-year college degree in Cybersecurity, Information Technology, Computer Information Systems, Computer Science, Computer Engineering, or equivalent. (Additional years of experience may serve in lieu of a degree) 
  • Experience with deploying & hardening Windows Server 2012 R2, Server 2016, Server 2019 
  • Experience with PowerShell, Tanium, SCAP, NMAP, SQL Developer, Forescout, and/or Splunk
  • Large Enterprise-level IT experience with maintenance of servers, storage devices, and applications 
  • Strong problem-solving and critical-thinking skills. 
  • Strong planning & organizational skills. 
  • Strong verbal and written communication skills including delivery of presentations and communication of technical concepts to non-technical personnel that may span organizations and functional groups. 
  • The Contractor shall assist the Government in providing proactive technical oversight and administrative support to the command. The contractor shall also assist in all activities below. 

Company Description

Diverse Systems Group, LLC (DSG), is a minority-owned 8(a) firm that creates custom information technology and business solutions for government agencies, systems integrators and government contractors. Our experience and commitment to client relationships enable us to provide creative, innovative and cost-effective solutions. DSG is a premier provider of information technology and business solutions to government agencies, system integrators and government contractors. Our project management experience and commitment to client relationships enable us to provide creative and cost-effective solutions. DSG provides a wide range of services to industries to help them leverage the strengths of Information Technology to optimize their business performance and produce value-driven results. Our services deliver a total solution package designed to meet our clients' complete business and technology needs. DSG approaches every engagement with one objective in mind ... to help our clients win and grow.

Specialties / DSG Core Competencies:
* Healthcare Information Management
* Healthcare Information Technology Discovery (HID)
* Project/Program Managers
* Change and Configuration Managers
* Quality Assurance/Testers
* Network Security
* Database Developers and Administrators
* Information Assurance
* Web Development
* Helpdesk
Refer code: 7552674. Diverse Systems Group - The previous day - 2024-01-01 20:11
