Principal Information System Security Engineer (TS/SCI Required)
Principal Information Security Engineer, Springfield, VA Tau Six is an agile small company, delivering cutting edge cybersecurity and systems integration services to the US National Security market, has an immediate need for a driven, mission-focused Principal Information Security Engineer for work in Springfield, VA. Clearance Requirement: TS Clearance with SCI eligibility Position Description: The Information Systems Security Engineer (ISSE) supports the Information Technology (IT) Architecture and Engineering (A&E) team as the Subject Matter Expert (SME) in the System Security Engineering (SSE), Cyber Resiliency, and the overall information system security engineering processes. The ISSE works directly with the Activity's Information Security Architect (ISA), Enterprise Architects, and System Engineers (SSEs)to ensure that SSE and Cyber Resiliency objectives, techniques, approaches, and design principles are fully represented and included in all systems engineering and development efforts. The ISSE's involvement is ever present through-out the systems development life cycle (SDLC) to include requirements definition, design, engineering, implementation, testing, validation, verification, continuous monitoring, and on-going vulnerability remediation for all information systems under the cognizance of the Activity's Chief Information Officer (CIO). The ISSE is ultimately responsible for protecting the CIO's information systems from unauthorized system activity or behavior to provide confidentiality, integrity, and availability. Responsibilities of the ISSE include, but are not limited to: Discover Information System Protection Needs through analyzing the Activity's mission; identifying legal and regulatory requirements; identify classes of threats; determining impacts against risk; identifying security services; documenting the protection needs; and identifying design constraints. Define System Security Requirements by developing the system security context, Security Concept of Operations (CONOPs), and Security Requirements Baselines from the gathered Customer and Stakeholder requirements. Design System Security Architecture by working with SEs in areas of functional analysis and allocation by analyzing candidate architectures, allocating security services, and selecting security mechanisms. The ISSE identifies components or elements, allocates security functions to those elements, and describes the relationships between the elements. Develop Detailed Security Design by analyzing design constraints, analyzing trade-offs, generating detailed system and security design, with life-cycle support consideration. Implement System Security from the hands-on approach to participation in a multidisciplinary examination of all systems issues that provides input to the Certification and Accreditation(C&A) process activities. Assess Information Protection Effectiveness by focusing on the effectiveness of the information protection whether the system can provide confidentiality, integrity, availability, authentication, and nonrepudiation for the information it is processing that is required for mission success. Evaluate Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) technologies - systems, applications, and services -against the Activity's INFOSEC and Cybersecurity requirements and needs. Conduct INFOSEC and Cybersecurity assessment testing and reporting in accordance with the RMF and NIST 800 53; identifies deficiencies and documents them as Plans of Actions and Milestones (POA&Ms) and provides recommendations for solutions in line with best practices and security industry standards. Supports the A&E SEs in the implementation, testing, and operational control (OPCON) transfer of INFOSEC and Cybersecurity related solutions the Activity's respective IT Operations and Maintenance (ITOM) teams. Support the Activity's IT Change Management process by performing technical reviews of proposed and planned changes from the context of INFOSEC and Cybersecurity to identify risks and threats and support the remediation or mitigation prior to implementation. Provides SME consulting services and escalated support to all aspects and groups of the Activity's IT organization, Stakeholders, and customer base in the specialty focus of SSE and Cyber Resiliency. Provides mentorship and on the job training (OJT) to junior and/or lesser experienced personnel. Position Qualifications: Shall be Comp TIA Advanced Security Practitioner (CASP+) or ISC2 Certified Information Systems Security Professional (CISSP) (or Associate) certified. Shall have 7 or more years of progressive experience successfully leading the employment of SSE techniques, methodologies, processes, and practices to securely architect, design, engineer, implement, test, validate, verify, and deliver a variety of enterprise-grade IT solutions across multi-platform (ie, Microsoft and *nix based) information systems in a secure manner. Shall have 5 or more years of progressive experiencing personally driving Customer and Stakeholder system security requirements gathering exercises to discover, capture, analyze, and decompose the information protection needs such that formal system security requirements can be developed. Shall have 5 or more years of experience in ingesting INFOSEC and Cybersecurity risks and threats, categorizing and classifying the risk and threat, evaluating remediation and mitigation alternatives, proposing, and defending your recommendation, implementing the final remediation, and testing and verifying the implemented remediation/mitigation addresses the identified threat to a Customer acceptable level. Shall have 5 or more years of experiencing with supporting SSE activities in secure processing environments which must adhere to US Government (USG) Information Assurance and Security standards such as the Defense Information Systems Agency (DISA) Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs). Shall have 3 or more years of hands-on experiencing using common INFOSEC and Cybersecurity tools in direct support of USG and Department of Defense (DOD) security and compliance efforts such as Tenable Nessus and Security Center, McAfee ePolicy Orchestrator (ePO), DISA's Security Compliance Checker (SCC) and Security Content Automation Protocol (SCAP) content. Shall meet the minimum credential requirements for a Cyber IT/Cybersecurity Workforce (CSWF) position as defined in Section 6, Table 3. Desired Qualifications: Strongly desired to be ISC2 CISSP -Information Systems Security Engineering Professional (ISSEP) certified. Technical certifications in industry standard enterprise level operating systems (OS), applications and technologies such as Microsoft, Nutanix, Red Hat, Splunk, and VMware are a plus. Demonstrated experience employing Cyber resiliency engineering practices to include the methods, processes, modeling, and analytical techniques use to identify and analyze proposed cyber resiliency solutions. Demonstrated experience working with the and securing current Microsoft technologies such as Active Directory Domain Services, Windows, Windows Server, Exchange, SQL Server, and IIS Server. Demonstrated experience working with and securing current Red Hat technologies such as Red Hat Enterprise Linux, Satellite, Kickstart, and Ansible. Demonstrated experience leveraging scripting (eg, PowerShell, Python) and/or technologies (eg, Ansible, Chef, Puppet, PowerShell Desired State Configuration (DSC) to automate the implementation, testing, verification, validation, and monitoring of system security configurations. Demonstrated experience working with McAfee ePolicy Orchestrator and other enterprise-level McAfee products (Endpoint Security (ENS), Management for Optimized Virtual Environments (MOVE), VirusScan Enterprise for Storage (VSES), etc.) to secure USG DOD multi-platform information systems. Demonstrated experience working with DevSecOps Engineers, Software Developers, and Software Engineers and a combination of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to secure application and coding practices. Demonstrated experience working closely with Information System Security Officers (ISSOs) to support inspection, investigation, validation, and C&A activities. Experienced directly supporting the DoDI 8510.01, Risk Management Framework (RMF) for Department of Defense (DOD) IT. Familiarity with National Institute of Standards and Technology (NIST) Special Publication 800- 160 Volume 1: Systems Security Engineering. Familiarity with NIST Special Publication 800-160 Volume 2: Developing Cyber Resilient Systems. Familiarity with the NSA Information Assurance Technical Framework (IATF).