Security Analyst

  • San Antonio, TX, USA
  • Full-time

Company Description

ProSol is a dynamic small business providing high-quality professional services to the federal government. We specialize in the critical areas of intelligence operations and analysis, IT support, contact center support and program/ project management. Our mission is to create value for our customers before, during and after service delivery while maintaining the highest moral code. As a result, we have quickly built a reputation for service excellence, integrity and speed.

Job Description

The Air Force Acquisition training Office (AFATO) is seeking technical expertise to complement the existing civilian work force that comprises the current ACMS team. This technical expertise will assist with web/software development, system/database administration tasks and cybersecurity services. We Will provide the technical expertise in the areas of web/software development, system/database administration and cybersecurity for all current and future ACMS information technology initiatives.  Activities consist of analysis, design, documenting, developing and maintaining public and private websites and web-based information systems, assisting in the management and administration of operating systems and relational databases and assisting in cybersecurity and information security requirements.

The candidate must have the ability to operate effectively under pressure adhering to the ProSol Core Values of Agility: rapid adaptation to the changing requirements and environment of our clients; Excellence: Service quality that exceeds the expectations of our clients; Integrity: Accountability and honesty−always doing the right thing; and Long-Term Commitment: Unquestioned loyalty and dedication to our clients, partners and employees.

Responsibilities:
The Contractor shall provide Cybersecurity and information security support for the Air Force Assessment & Authorization (A&A) process in accordance with DoD’s Risk Management Framework process based on National Institute of Standards and Technology (NIST) standards and guidelines, re-certification and re-accreditation, annual reviews of information systems/applications and security assessments.
•    The Contractor shall ensure that personnel performing cybersecurity activities obtain, and remain current with, required technical and/or management certifications IAW DoD 8570-01.M, Information Assurance Workforce Improvement Program and AFMAN 17-1303, Cybersecurity Workforce Improvement Program, March 2015, IAM Level II. 2.
•     Use the Enterprise Mission Assurance Support Service (eMASS) and the Information Technology Investment Portfolio Suite (ITIPS) systems as necessary, or any other A&A tool required by the AF and/or DoD, and follow and meet the deliverable expectations of the AF A&A process by developing and maintaining documentation to achieve a favorable accreditation decision (i.e., Interim Approval/Approval To Operate, Interim Approval/Approval To Test, etc.) and meet DoD Information Security-related documentation requirements in accordance with DoDI 8510.01.
•    Provide assistance in the Information System Categorization process using Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, and Federal Information Processing Standards Publication (FIPS PUB) 199, Minimum Security Requirements for Federal Information and Information Systems, as a part of the Risk Management Framework (RMF) activities to meet security strength requirements during the Assessment and Authorization process. 
•    The contractor will require SIPRNet access to accomplish/complete A&A daily duties. SIPRNet access requires the contractor have a minimum level of a secret security clearance.
•    Use the existing NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST SP 800-53A, Rev 4, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, and privacy overlays to apply the appropriate security controls and functional requirements to the system in eMASS and document the implementation of these controls in the System Security Plan, through privacy awareness training and the rules of behavior. 
•    Assist the Program Manager with creating/updating documents within the Contractor’s span of control and providing inputs to other/new documents as required. Documents include but not limited to:
o    System Security Plan, 
o    Risk Assessment, 
o    Privacy Impact Assessment (PIA), 
o    Contingency Plan, Incident Response Plan (IRP), 
o    Configuration Management (CM) plan, security configuration checklists, 
o    POA&M, 
o    Amazon Web Services (AWS) support document, and any system interconnection agreements. 
o    The PIA is a requirement to meet security assurance requirements.
•    Complete assessment of selected security controls to support the Security Control Assessor (SCA) Representative (SCAR) in preparing a complete Security Assessment Report (SAR). This includes associating the results of all Security Technical Implementation Guides (STIGs), and the AF automated scanning tool, currently Assured Compliance Assessment Solution , (ACAS) / Security Content Automation Protocol, (SCAP) Tool findings to the applicable security controls.
•    Contractor shall ensure applicable Plan Of Action and Milestones (POA&M) entries are completed for any non-compliant findings. Periodic review of the POA&M is also a requirement to verify compliance of controls when re-mediated.
•    Using the RMF guidance provided in National Institute of Standards and Technology Special Publication (NIST SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, Contractor shall assist in the selection of common security controls, if required, and the preparation and documentation of best practices for a comprehensive continuous monitoring strategy and determine the impact of any changes to the system and its environment that might generate an update to the A&A process and related documents. Any updates will require documentation detailing the security impact to the system along with a determination of system security status.
•    The Contractor shall attend meetings with internal Directorates and external agencies providing Authorization & Accreditation advice as a Subject Matter Expert (SME).
•    The Contractor shall ensure that all system deliverables comply with DoD and AF Cybersecurity policy, specifically DoDI 8500.01, Cybersecurity, and AFI 17-130, Cybersecurity Program Management. To ensure that Cybersecurity policy is implemented correctly on systems, Contractors shall ensure compliance with DoD and AF A&A policy, specifically DoDI 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT) and AFI 17-101, Risk Management Framework (RMF) for Air Force Information Technology (IT). 
•    The Contractor shall also support activities and meet the requirements of DoDI 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, in order to achieve standardized, PKI-supported capabilities for biometrics, digital signatures, encryption, identification and authentication.
•    The contractor shall provide a candidate that has a minimum of 5 years of experience as a Security Analyst with the following skills.

Qualifications

Education and Experience:
•    IAM Level II Certification, such as Security +, CAP, or higher level certification such as CISSP will be accepted and preferred. 
•    Bachelor’s degree required; BS in Computer Science or related.
•    Experience working with the Enterprise Mission Assurance Support Service (eMASS), the Air Force’s automated authorization and assessment tool, and experience using the Information Technology Investment Portfolio Suite (ITIPS).
•    Experience working the Information System Categorization process using Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, and Federal Information Processing Standards Publication (FIPS PUB) 199, Minimum Security Requirements for Federal Information and Information Systems, as a part of the Risk Management Framework (RMF) activities during the Assessment and Authorization process. 
•    Experience with the existing NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans. 
•    Experience creating/updating/ security accreditation documents, such as System Security Plan, Risk Assessment, Privacy Impact Assessment (PIA), Contingency Plan, Incident Response Plan (IRP), Configuration Management (CM) plan, security configuration checklists, Plan of Action and Milestones (POA&M), service level agreements, cyber orders and any system interconnection agreements. 
•    Experience completing assessments of selected security controls to support the Security Control Assessor (SCA) Representative (SCAR) in preparing a complete Security Assessment Report (SAR). This includes associating the results of all Security Technical Implementation Guides (STIGs), and the AF automated scanning tool (currently Automated Configuration Assessment System ACAS) / Security Content Automation Protocol (SCAP) tool findings to the applicable security controls. 
•    Experience using the RMF guidance provided in National Institute of Standards and Technology Special Publication (NIST SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. 
•    Experience using DISA Security Technical Information Guides, (STIGs) and the associated viewer tool. The ability to upload STIGs into eMASS is essential for determining compliance with system security settings and controls. 
•    2+ years of experience with Assured Compliance Assessment Solution, (ACAS), the USAF network vulnerability scanning and remediation tool. The ability to read reports generated by ACAS is essential. 
•    1+ year of experience as an Information Systems Security Manager (ISSM). 
•    Strong written and oral communication skills.
 

Security Clearance: Secret; Top Secret preferred

Additional Information

Disclaimer:
The above information on this description has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities, and qualifications required of employees assigned to this job. 

Additional information:
ProSol is an equal opportunity employer, all interested qualified applicants are encouraged to apply, EEO/D/M/V/F. ProSol welcomes and encourages diversity in the workforce. All your information will be kept confidential according to EEO guidelines.