Cybersecurity Specialist

Wallops Island, Virginia
Feb 01, 2023
Feb 04, 2023
Full Time

The major duties of this position fall under multiple core Cybersecurity functional areas: Cybersecurity Compliance, Cybersecurity Operations, Cybersecurity Policy, and Training. This position is responsible for governance, risk, and cybersecurity compliance directly pertaining to network security monitoring, cybersecurity architecture planning, research and development, vulnerability management, incident handling, and cybersecurity program oversight to meet Commission regulatory compliance and Federal Information Security Modernization Act (FISMA) mandates. This non-supervisory position works under the direction of the Chief Information Security Officer (CISO).
  • Manages, plans, and executes annual security assessments following the PRC Security Assessment and Authorization (SA&A) process for all PRC systems, including FedRAMP Authorized services, and recommends efficiencies as needed.
  • Advises, assists, and supports the CISO in developing, overseeing, maintaining, and improving the Commission's Cybersecurity Program.
  • Responsible for monitoring and maintaining an up-to-date Plan of Action and Milestones (POA&M) repository; enters new POA&Ms as needed and sends a monthly POA&M report to the CISO and Authorizing Official.
  • Manages and applies all updates to ensure the Commission's National Institute of Standards and Technology (NIST) 800-53 worksheets align with the current NIST revision.
  • Monitors, conducts research, recommends action, and responds to developments in cybersecurity, including directives through Executive Order, Office of Management and Budget (OMB), Cybersecurity and Infrastructure Security Agency (CISA), and any other applicable guidance. Assists with data entry and assessment for all Cyber compliance reporting, including input into CyberScope.
  • Conducts comprehensive research and develops and updates information security system and application policies, guidelines, standards, requirements, and procedures. Recommends ways to protect the organization's information and information systems.
Cybersecurity Operations
  • Attains and maintains technical expertise of Commission's cybersecurity tools, including CrowdStrike, Microsoft SCCM Patch Manager (SCCM). Shall attain proficiency with the QualysGuard Cloud Platform including Vulnerability Management, Detection and Response (VMDR), Hardware Asset Management (HWAM), Software Asset Management (SWAM), Continuous Monitoring, and Policy modules within one year.
  • Manages vulnerability reporting, monitors and generates security vulnerability reports, and assists the support team in remediating software flaws within Commission timeframes.
  • Manages logging solution that complies with Federal directives and investigates, analyzes, and provides notification for security events.
  • Serves as a member of the Incident Response Team. Assists with investigation, analysis, and response to vulnerabilities and cyber incidents.
  • Reviews secure baselines using Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) or other baselines as needed for full compliance, excluding exceptions that are approved by the CISO for operational reasons.
  • Responsible for monitoring all accounts, configurations, and systems for policy compliance, including but not limited to Change Requests, adherence to the concept of Least Privilege, password policies, and rules of behavior.
  • Serves as a member of the Contingency Team; assists with testing, log capture, and recommendations, and assists with continuity of operations planning and execution by implementing, configuring, and ensuring availability of an alternate processing site in the event of a contingency. Monitors and ensures backup data is available to the Commission in the event of a loss of data.
  • Understands, recommends, and applies rules for data security standards, including encryption algorithms (e.g., ensuring all communication in transit is protected by Federal Information Processing Standards (FIPS) 140-2 validated encryption modules), host/network access control mechanisms, rules for ports, services, and firewalls, sanitization of data, and personally identifiable information (PII) and controlled unclassified information (CUI) data security standards.
  • Develops and maintains current diagrams, flow charts, and system procedures as directed by the CISO.
  • Monitors and responds to internal security reports and to notifications received through the Commission's external Vulnerability Disclosure Policy.


Conditions of Employment

  • Relocation expenses are not authorized.
  • Employees are required to participate in direct deposit.
  • You will be required to serve a probationary period of 1 year.
  • Fair Labor Standards Act (FLSA) Status: Exempt
  • You must be a U.S. citizen or national to be eligible for this position.
  • You must successfully pass a background investigation.
  • This position may require you to submit a Public Financial Disclosure Report (OGE 278) upon entry and annually thereafter.
  • The Commission uses E-Verify, an internet-based system, to confirm the eligibility of all newly hired employees to work in the United States. Learn more about E-Verify, including your rights and responsibilities.


This position requires experience in Cybersecurity Compliance, Cybersecurity Data Analysis, vulnerability mitigation, and Cybersecurity Policy/Training.

Special qualification requirements include extensive experience with NIST guidance and working knowledge of performing SA&A as defined in NIST SP 800-37 and 800-53. The candidate must have experience in the field of Security Operations. Highly qualified candidates will have experience with security tools provided through the Continuous Diagnostics and Mitigation (CDM) Program, such as QualysGuard and CrowdStrike, and understand how to use these tools for network vulnerability scanning, malware detection, HWAM/SWAM, application scanning, configuration monitoring, and continuous monitoring. Candidates should also have experience in developing cybersecurity policy and providing security training, incident training, and contingency training.

Highly qualified candidates will have specialized experience in cloud technology, architectures, and service levels, as well as Microsoft 365 services such as SharePoint, Power BI, and Teams.

Generally accepted industry certifications, such as those from the Information Systems Audit and Control Association (ISACA) or the International Information System Security Certification Consortium (ISC2), are preferred but not required.

Additional information

Work Environment
This position is in the Office of the Secretary and Administration (OSA) which handles all Commission operations, including Administrative Services, Information Technology, Finance (Budget, Accounting, Procurement), Human Resources, Data Management, Strategic Planning, Facilities, Health and Safety, Records Management, Privacy, and more. As a result of these expansive responsibilities and small number of staff, OSA team members tend to possess entrepreneurial spirits, wear multiple hats, and engage in high levels of cooperation to ensure the Commission operates effectively and efficiently. This position is eligible for remote work.
Ethics Requirements
The Commission is committed to government ethics. As a Commission employee, you will be subject to the Standards of Ethical Conduct for Employees of the Executive Branch and the criminal conflict of interest statutes. Commission employees are also subject to Commission-specific ethics rules (39 C.F.R. subpart A of part 3001 and supplemental standards of ethical conduct [5 C.F.R. part 5601]). The supplemental standards prohibit Commission employees, as well as their spouses and dependent children, from owning any securities issued by entities that are identified on an annually published prohibited securities list. As an employee of the Commission, you must complete initial ethics training within three months of your appointment and, depending on your position, complete required financial disclosure forms within 30 days of your appointment.

Receiving Service Credit or Earning Annual (Vacation) Leave: Federal employees earn annual leave at a rate (4, 6, or 8 hours per pay period) based on the number of years they have served as a Federal employee. The Commission may offer Federal employees credit for their job-related non-federal experience or active duty uniformed military service. This credited service can be used in determining the rate at which they earn annual leave. Such credit must be requested and approved prior to the appointment date and is not guaranteed.