Information Systems Security Specialist

Full Time
Remote
Job description

Responsibilities:

  • Provide cybersecurity consultancy support to Federal agencies, performing security program analysis, identifying opportunities for program improvement to reduce risk and increase compliance
  • Develop processes, procedures, templates, and training to support efforts aligned with the NIST Risk Management Framework (RMF)
  • Support Security Assessment and Authorization (SA&A) activities throughout the System Design Life Cycle (SDLC) process, including performing risk analysis and providing risk management guidance to support the remediation of vulnerabilities identified during Software Assurance, Continuous Monitoring, and Security Testing and Evaluation (ST&E)
  • Provide security engineering guidance to development and operations teams (e.g., secure configuration, vulnerability management, incident handling, and contingency planning)
  • Provide documentation development support for system security artifacts (e.g., Privacy Impact Assessment [PIA], Security Impact Analysis [SIA], System Security Plan [SSP], Contingency Plan [CP], Plans of Actions and Milestones [POA&M], and Authority to Operate [ATO] packages)
  • Support oversight of agency’s SA&A activities, including maintaining systems’ security inventory and related artifacts in the agency’s Governance Risk and Compliance (GRC) tool
  • Document and deliver status reports, meeting agendas/minutes, presentations, IT security metrics, etc.
  • Review security and privacy legislation, policies, procedures, guidance, and NIST draft publications to provide feedback and plan for agency implementation
  • Establish goals and plans to meet project and mission objectives
  • Shall oversee, evaluate, and support the documentation, validation, and accreditation processes necessary to assure that systems meet the organization’s security requirements
  • Shall ensure appropriate treatment of risk, compliance, and assurance from internal and external perspectives
  • Shall provide security advice and recommendations to leadership and staff based on NIST and Federal Information Processing Standard (FIPS) guidelines as well as CMS and HHS policy and other approved guidance
  • Shall coordinate with the Data Guardian, Senior Information Security Officer (SISO), Business Owner, and Cyber Risk Advisor (CRA) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the information security and privacy impacts, and manage information security and privacy risk
  • Shall report compliance on secure protocol use in websites periodically as defined within the NIST 800 controls
  • Shall submit recommendations to the CRA for system configuration deviations from the required security baseline
  • Shall coordinate with the CIO, Chief Information Security Officer (CISO), Senior Official for Privacy, SISO, Data Guardian, and website or system Owner/Administrator to ensure compliance with control family requirements on website or system usage, web measurement and customization technologies, and third-party websites and applications
  • Shall coordinate with the Data Guardian, SISO, Business Owner, and CRA to meet all collection, creation, use, dissemination, retention, and maintenance requirements for Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) in accordance with the Privacy Act, E-Government Act, and all applicable guidance
  • Shall maintain current system information (e.g., points of contact [POC], and artifacts) in the Treasury FISMA Controls Tracking System to support organizational requirements, Information System Security and Privacy Policy (IS2P2), and prescribed processes (e.g., communication, contingency planning, training, and data calls)
  • Shall coordinate with the Business Owner, SISO, and CISO to ensure that all requirements specified by the NIST Controls and the Risk Management Handbook (RMH) are implemented and enforced for applicable information and information systems
  • Shall develop and review security and privacy artifacts and required activities through all phases of the Target Life Cycle (TLC) in accordance with the Treasury controls for ISSOs
  • Shall provide the status of systems security posture regarding the remediation of security and privacy findings and the progress of Authority To Operate (ATO) tasks

Requirements:

  • At least one professional security certification (e.g., CISSP, CISA, CAP, GSEC, or Security+)
  • At least 3 years of experience in information security, with a concentration in RMF support
  • Knowledgeable in FISMA, NIST RMF, NIST SP 800 Series, and industry leading Software Assurance, Vulnerability Analysis, and GRC tools
  • Extensive experience in analyzing and implementing security requirements at all levels
  • Expertise in developing options and presentations
  • Involved in the design, development, and testing of systems to requirements
  • Worked as an ISSO dealing with control assessments and supporting the team
  • Security certification, CAP preferred
  • Experience in working with Federal Government Clients/systems
  • Bachelor's degree in Computer Science, IT, or related discipline with 5 years of related experience
  • CISSP or equivalent certification is required

EEO Employer:

RELI Group is an Equal Employment Opportunity / Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, national origin, ancestry, citizenship status, military status, protected veteran status, religion, creed, physical or mental disability, medical condition, marital status, sex, sexual orientation, gender, gender identity or expression, age, genetic information, or any other basis protected by law, ordinance, or regulation.

HUBZone:

RELI Group is an established SBA certified HUBZone and 8(a) small business. We encourage all candidates who live in a HUBZone to apply. You can check whether your address is located in a HUBZone by accessing the SBA HUBZone Map.

