Information Assurance (IA) RMF Expert

  • Full-time

Company Description

MUST BE A U.S. CITIZEN

A3T, a fast-growing firm, specializes in Defensive Cyber Security Services, Enterprise Information Technology (IT) Solutions, and Professional Services driven by customer requirements. Our client's customers are the focal point of all decisions and actions. A3T provides customer-centric services and focuses resources to meet operational requirements, exceed expectations, and sustain organizational growth while mitigating risk.

Join A3T and watch your career soar! A3T is a small, agile company looking for incredible talent to support the United States Government in many important national security roles. A3T is looking to bring on an experienced Information Assurance (IA) RMF Expert with "Next-Level Thinking" who is ready to take their career to a new level with A3T.

Job Description

The successful Information Assurance (IA) RMF Expert shall provide support in ensuring that the Cyber Security Program and information systems adopt and institute DoD and NIST standards and methodologies. The effort will include RMF support for System Managers and the RMF Team in security categorization, security plan development, implementation of security controls, and conducting risk assessments. The effort will also include consulting support by providing RMF recommendations, training, and guidance on all aspects of RMF. The successful IA Engineer SME shall have the ability to complete accurate documentation in all Microsoft product formats and to provide information that the government project manager can use in briefing agency management, CS managers, and system and program managers, as well as their supporting Information System Security Managers (ISSM) and Information System Security Officers (ISSO), on CS-related topics. This includes performing the risk management framework support services listed below.

Duties/Responsibilities:

  • Schedule systems' security categorization events. Analyze security categorizations, conduct workgroup sessions, provide training, guidance and suggestions to ensure correct categorization decisions, and capture the results of the vetting in the Security Categorization rubric.

  • Draft organizational security categorization guidance and procedures to allow consistent security categorization across systems.  

  • Draft security control tailoring processes and procedures.  

  • Develop and conduct training to stakeholders on tailoring concepts and processes. 

  • Participate in the tailoring process at the organization and system level ensuring correct conduct and documentation of tailoring decisions.

  • Assist in drafting IT Risk Management strategy, guidance and procedures.  Strategy and guidance must align, interact and support higher level DoD and Enterprise risk management and continuous monitoring programs and guidance.

  • Analyze system security plans for existing and new systems.  Document results, and submit recommendations for action by System Managers and RMF Team members.

  • Develop guidance, processes and procedures for security plan development, vetting and approvals. Disseminate and train the process to key stakeholders such as the SM, ISSM and SP approvers, Authorizing Official (AO) Representative and senior ISSM.

  • Respond to questions on security controls, documenting responses in the Security Controls Frequently Asked Questions.

  • Provide guidance and instructions for security control families, utilizing a Security Control Catalog to provide enhancements as needed to facilitate correct implementation of security controls at the program and system level.

  • Conduct risk assessment training on proper conduct of risk assessments in accordance with DoD and NIST guidance for conducting risk assessments, utilization of the Risk Assessment worksheet, and determination of the final risk determination and recommendation. Utilize the Risk Assessment analysis worksheet to provide enhancements as needed to ensure correct conduct of risk assessments.

  • Evolve organizational Continuous Monitoring (CM) Program, strategy and guidance by vetting current continuous monitoring activities and drafting changes providing recommendations on security controls to include review frequency, criticality, methods, reporting and tracking.  

  • Provide guidance and recommendations for continuous monitoring technologies, leveraging current available technologies and recommending solutions to address gaps.  

  • Schedule and conduct meetings with key stakeholders providing guidance and direction, identifying and disseminating key milestones and actions, then track milestones to completion.    

  • Develop a tracking mechanism for systems' continuous monitoring strategy development and approvals.

  • Develop and disseminate processes and procedures to ensure timely and accurate analysis and approval of the strategy.

  • Develop system-level guidance and procedures for Information Owners, System Managers and Information System Security Managers (ISSMs) for RMF steps 1, 2, 3 and 4. The process is to ensure further facilitation of correct and timely implementation of RMF steps and to prepare for a successful RMF Assess & Authorize event. Develop a process and tracking mechanism for the dissemination of guidance and procedures. Develop, schedule and conduct training and workgroup discussion sessions with system teams to ensure understanding and correct implementation of guidance and procedures.

  • Develop and implement system-level and organizational processes and procedures to facilitate, monitor and manage continuous monitoring tasks. Implementation is to include developing and conducting training.

  • Throughout the life of the contract develop and/or conduct training on RMF topics.  

  • Provide recommendations concerning training that should be developed based on lessons learned.

  • Develop system RMF system project plans and support completion of activities on time.  Track milestone dates and status of systems working through RMF Steps via existing RMF Tracker.  Updates to occur no less than twice a week.

  • Perform annual review of RMF related policies, procedures and templates.

  • Draft updates to procedures and templates based on the annual review and lessons learned.

    Management and maintenance of systems from initiation to decommission, to include requirements to satisfy the "assess and authorize" events, utilizing:

      • NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, current edition

      • NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems

      • NIST SP 800-30 Guide for Conducting Risk Assessments, current edition

      • NIST SP 800-39 Managing Information Security Risk, current edition

      • Committee on National Security Systems Instruction 1253, Security Categorization and Control Selection for National Security Systems, March 15, 2012 as amended. 

      • Subchapter III of chapter 35 of Title 44, United States Code (also known as the Federal Information Security Management Act (FISMA) of 2002)

      • NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems Organizations, current edition

Qualifications

Clearance:  Secret

Certifications:  

  • Information Assurance Management (IAM) Level III: Certified Information Systems Security Professional (CISSP) or other equivalent DoD 8570.01-M certification

Experience:

  • Must have a minimum of 10 years of experience in cybersecurity documentation and system authorization artifacts (System Security Plan, Continuous Monitoring Plan, Security Assessment Report, Plan of Action and Milestones, Interconnection Security Agreement, Risk Assessment, etc.).

  • Must have working knowledge of the DoD CS policy requirements set forth in DoDI 8500.01, "Cybersecurity," and DoDI 8510.01, "Risk Management Framework (RMF) for DoD Information Technology," and their successors. Available at http://www.dtic.mil/

  • Must have strong critical thinking/analytical skills, creativity, a proven drive for quality, and excellent oral and written communication skills.

  • Must have strong technical writing skills.

  • Able to work under only general direction and to independently determine and develop an approach to information system security solutions, needing review only upon completion for adequacy in meeting objectives.

  • Knowledge in reviewing, analyzing and documenting the secure implementation of logical controls, physical controls, environmental controls, personnel security and incident handling.

  • Strong organizational skills and an ability to stay focused while managing multiple tasks concurrently.

  • Experience with DoD security hardening, collection and assessment tools (STIGs, ACAS, SCAP, Nessus, etc.) and experience with security architectures, firewalls and network access.

Additional Information

We offer a competitive benefits package to include: paid holidays, paid time off, medical, dental, vision, company paid long and short term disability and life insurance, referral bonuses, certification reimbursement program, etc.

It is the policy of A3T to provide equal opportunity in recruiting, hiring, training, and promoting individuals in all job categories without regard to race, color, religion, national origin, gender, age, disability, genetic information, veteran status, sexual orientation, gender identity, or any other protected class or category as may be defined by federal, state, or local laws or regulations.

We maintain a drug-free workplace and perform pre-employment substance abuse testing to include background checks.

eVerify employer.
