
Security Control Assessor (DOJ FBOP Trusted Fund Branch IT Csss)

Employer
Credence Management Solutions, LLC
Location
Washington, DC
Closing date
Sep 29, 2022


Overview

Credence Management Solutions, LLC (Credence) is seeking a seasoned Security Control Assessor/Analyst to provide Security Control, ISSO and Security Authorization Maintenance Support Services for a wide range of FBOP and DOJ IT General Support Systems and major applications.

Responsibilities

Security Control Assessor Support (primary tasking):
- Provide support to the customer's Information System Continuous Monitoring (ISCM) program to ensure information system cybersecurity risk remains acceptable throughout the system life cycle
- Provide independent, comprehensive assessment of the management, operational, and technical security controls and control enhancements employed within or inherited by a DOJ information technology system
- Determine the extent to which control mechanisms are implemented correctly, operating as intended, and producing the desired outcome
- Conduct comprehensive reviews of security authorization documentation, ensuring that the appropriate security guidelines are used during system assessment and that the selection of security controls is appropriate for the system categorization
- Assess the effectiveness of selected security controls, validating that the information system controls are implemented and that findings are documented within the DOJ's CSAM repository
- Draft statements of preliminary or residual security risks for system operation
- Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever a system has undergone a significant change
- Validate closure of liens and update POA&Ms, as applicable
- Perform ongoing security reviews as part of continuous monitoring, identifying security gaps in the security architecture and recommending their inclusion in the DOJ and/or customer risk mitigation strategy
- Assist with review and strengthening of Business Continuity and Contingency Plan documentation
- Support development and submission of memoranda for the Authorizing Official
- Perform continuous assessment of security controls in support of ATO packages

ISSO Support & Security Authorization Maintenance (secondary tasking):
- Provide ISSO support for the review of security assessments and associated documentation; capture IT security changes of relevance and maintain IT system profiles in the DOJ's Cyber Security Assessment and Management (CSAM) repository, both on-premises and cloud instances
- Develop IT Security Plans of Action and Milestones (POA&Ms) from CSAM, aid in planning and implementing migration strategies as necessary, and perform annual security assessments, including NIST SP 800-53 assessments and independent security assessments, as required
- Develop and maintain an IT System Security Compliance Schedule that addresses:
  - POA&M action items
  - Required ITSS reports/updates
  - Change Control Board meetings
  - Scheduled vulnerability scans
  - Updates to system IT security documentation
- Collaborate with O&M support teams to develop and coordinate authorization documentation associated with DOJ and customer processes, including the System Categorization, System Security Plan, and system risk assessment
- Review information system infrastructure and application architecture to assess security requirements and confirm the Security Authorization scope, including identifying the hardware and software components to be covered by the Security Authorization Package
- Conduct assessments of assigned information systems' security requirements, evaluate current security posture, and recommend priorities for remediation
- Assess and plan the engagement, leveraging relevant work completed for other systems to achieve schedule and cost savings and minimize impact on customer staff resources
- Update System Security Plans (SSPs) for the IT system and complete the appropriate activities in CSAM to permit generation of a complete SSP; coordinate distribution of the SSP for review by project teams and track progress; revise applicable areas in the CSAM tool as required
- Update and maintain associated security plans using DOJ templates for the contingency plan; configuration management plan; incident response plan; and security awareness, training, and education plan
- Complete security test and evaluation (ST&E) of the IT system using DOJ's CSAM tool: verify the ST&E using test cases; coordinate distribution of the ST&E for review by project teams and track progress; revise the ST&E as required
- Complete risk assessment for IT systems: verify the risk assessment using test cases; coordinate distribution of the risk assessment for review by project teams and track progress; ensure that accurate risk information is entered into CSAM
- Perform Independent Verification and Validation (IV&V) of controls as required
- Complete the Certification Statement: review the SSP, ST&E, and RA, and include vulnerabilities revealed in the SSP, ST&E, and RA
- Draft, approve, and validate POA&Ms, ensuring they are kept up to date and accurate and represent a true plan to mitigate identified security weaknesses
- Assess NIST SP 800-53 Rev. 4 controls and document results in DOJ's CSAM repository
- Ensure that CSAM contains quality data that is consistent with DOJ requirements
- Review and conduct NIST-based self-assessments, identifying any weaknesses that need to be addressed and developing a POA&M for each weakness based on industry best practices
- Support and document security control tests, assist in remediation, and ensure that POA&Ms are appropriately managed
- Evaluate and strengthen standard SA&A documentation and Security Assessment Reports, and provide security infrastructure recommendations (i.e., IDS, firewalls, vulnerability scan tools, etc.)
- Using CSAM, generate the C&A package
- Assist with review and strengthening of Business Continuity and Contingency Plan documents
- Develop and submit memoranda from the Certification Official and the Designated Approving Authority

Qualifications
- Top Secret (TS) security clearance is required
- Bachelor's degree is required
- 5+ (five plus) years of expertise in Cyber Security
- 6+ (six plus) years specialized in Classified Programs, National Security Systems, The Committee on National Security Systems (CNSS) Instruction No. 1253, and NIST SP 800-53A
- Must be able to function resourcefully and independently and work with a diverse team of IA/cybersecurity practitioners
- Strong written and verbal communication skills required
- Experience working within DOJ Offices, Boards, and Divisions (OBDs), with an understanding of unique organizational security policies and security control implementations within specific IT environments, is desired
