Gray Tier Technologies

Information Assurance Engineer, Senior

Full-Time in DC, US - Senior

Gray Tier Technologies is seeking an Information Assurance Engineer with an active Secret-level clearance to support our DOI OCIO Cybersecurity Branch.

  • Minimum 10 years of experience
  • Master’s Degree (MA/MS) required
  • Subject Matter Expert and Lead/Manager: provide Information Assurance expertise in tracking, reporting, and guiding FISMA, DIACAP, NIST SP 800-series, ISO 17799 and DCID 6/3 standards and policy control grouping.
  • Provide senior guidance on the development of, and acceptance by, civilian and defense Government agencies of Information Assurance plans; system evolution; capabilities; and compliance with FISMA, DIACAP, DCID, NIST SP 800-series, FIPS, and legal or statutory requirements.
  • Serve as advisor to CIO, CTO, CISO, Program Director, Systems Owner, or Operations Managers to develop, implement, and manage Information Assurance as a core competence.
  • Must have extensive experience in the design, testing, evaluation, certification, and accreditation of systems.
  • Must also possess a strong background in Cross Domain Solutions and cross contamination avoidance methodologies.
  • Core skills in requirements analysis, requirements writing, development of security architectures, secure network protocols, secure authentication technologies, intrusion detection systems, information assurance standards and policies, and forensic analysis.

Job responsibilities may include:

  • Facilitate development and communication of agency-wide policies and guidance for implementation of emerging mandates and other government-wide initiatives related to Cybersecurity Risk Management (e.g., Cybersecurity & Infrastructure Security Agency (CISA) Directives and Office of Management and Budget (OMB) Mandates).
  • Develop and support processes for consolidating DOI-wide Cybersecurity risk information and incorporating it into the DOI Enterprise Risk Register.
  • Update and maintain DOI-wide Cybersecurity Risk Management Strategy and Guidance documentation (e.g., Cyber Risk Strategy, Continuous Monitoring Strategy, C-SCRM Strategy).
  • Develop and maintain processes to enable Cybersecurity Risk analysis from an agency-wide perspective. This includes but is not limited to IT hardware and software vulnerabilities, exceptions to egress network access and filtering policies, IT acquisitions and exceptions to required DOI IT configuration management standards.
  • Support development, maintenance and tracking of DOI enterprise C-SCRM implementation plan.
  • Develop and maintain Standard Operating Procedures (SOPs) and required supporting materials for C-SCRM program operations.

Examples include but are not limited to:

      - Enterprise Cybersecurity Supply Chain Risk Assessment Standards
      - Processes for integrating/tracking C-SCRM data in the DOI Cybersecurity GRC tool (Xacta360 or similar)
      - C-SCRM Control Implementation Standards
      - C-SCRM Planning Guidance
      - Counterfeit Detection Reference Guide
  • Support development and management of agendas for monthly and ad-hoc DOI C-SCRM working group meetings.
  • Support development and management of agendas for monthly DOI HVA Program Managers working group meetings.
  • Develop and maintain SOPs and required supporting materials for HVA Program Operations. Examples include but are not limited to:
      - DOI HVA Program Managers Handbook
      - HVA Identification and Prioritization
      - Annual HVA Data Collection and Reporting
      - HVA Assessment Planning Guidance and Checklists
  • Support HVA Data Collection and Reporting Processes:
      - CISA BOD 18-02 data call (annual)
      - HVA FISMA Metrics (quarterly)
      - Federal Information Technology Acquisition Reform Act (FITARA) reporting (annual)
      - CISA HVA Vulnerability Remediation Status Reports (monthly)
  • Deliverables for Cybersecurity Risk Management Program Support include, but are not limited to, the following:
      - Agency Cybersecurity Policy, Strategy, Guidance and Process documents
      - Cybersecurity Risk Management presentations and training documents
      - Cybersecurity Project Management Plans
      - Quarterly/Annual HVA and other Cybersecurity Compliance Reports
      - Meeting agendas and logistics plans
      - Risk Analysis/Assessment Reports
      - Cybersecurity Risk Registers