Cloud Security Technical Compliance Analyst - Gunnison Consulting Group Inc
Washington, DC
About the Job
Location: Remote
*Candidates must be US Citizens.
We are seeking an experienced Cloud/FedRAMP Technical Compliance Analyst to support our HHS client.
Duties and Responsibilities:
- Manage assigned Cloud Service Providers (CSPs) through the Continuous Monitoring of their Plans of Action and Milestones (POA&M) and Monthly Continuous Monitoring Reports
- Prepare for and lead Monthly Continuous Monitoring and SAR Debrief/Annual Assessment Meetings for assigned CSPs
- Complete Annual and Triennial Re-authorization Assessments to maintain an Authority to Operate (ATO)
- Review POA&Ms and ensure CSPs remediate, mitigate and close findings
- Lead HHS FedRAMP Authorization Process Review Meetings with HHS Operating Divisions, Staffing Divisions, and/or Cloud Service Providers interested in receiving an ATO Letter from HHS
- Guide HHS Operating Divisions, Staffing Divisions, and interested Cloud Service Providers through the HHS FedRAMP Authorization Process
- Review the ATO package, e.g., System Security Plan (SSP), POA&M, Security Assessment Report (SAR), Information Security Contingency Plan (ISCP), Disaster Recovery Plan (DRP), Incident Response Plan (IRP), etc., for new software/cloud service offerings/legacy systems going through the HHS FedRAMP Authorization Process
- Identify vulnerabilities and risks in external accreditation boundary diagrams
- Ensure network boundary components in customer deployments are accurately described and implemented based on the appropriate FedRAMP security controls
- Provide oversight on the initial independent and subsequent annual security audits of the security controls to ensure compliance with cloud requirements and governance models
- Leverage internal security operations procedures for efficient operation and protection of cloud applications while maintaining security integrity
- Update the status of deliverables in weekly task trackers on an ongoing basis
Required Qualifications:
- Understanding of cloud service models (IaaS, PaaS, SaaS, XaaS) and cloud deployment models (Public, Private, Hybrid and Community)
- Strong understanding of and experience with cloud computing platforms (AWS, GCP or Azure), architecture, design, and security evaluation
- Experience with one or more of the following:
- Active Directory, bastion hosts, virtual networks, DNSSEC, identity management and encryption
- Container technology (e.g., Docker, AWS Fargate, and Kubernetes)
- Configuration baselines for system components, DISA STIGs and CIS Benchmarks
- Audit logs, networking components (switches, routers, NIC etc.), network security tools (proxies, IDS/IPS, firewalls), and various operating systems in a cloud environment
- Designing, configuring, and maintaining a network
- Experience reviewing the following documentation: Security Assessment and Authorization (A&A), including SSP, POA&M, SAR, ISCP, DRP, IRP, and other artifacts required for the ATO package referencing NIST SP 800-18, NIST SP 800-53A, NIST SP 800-115, and NIST SP 800-34
- Knowledge of Plans of Action and Milestones (POA&M)
- Experience with requesting, reviewing, and validating artifacts, such as screenshots and other documentation
- Experience with technical documentation writing and knowledge of cloud and security concepts
- Experience with multitasking, including managing multiple Cloud Service Providers or client organizations
- Strong written and spoken communication skills
Desired Qualifications:
- Experience with FedRAMP, assessing systems, and/or Third-Party Assessment Organizations (3PAOs)
- Experience with conducting meetings with Cloud Service Providers and 3PAOs
- Experience with vulnerability remediation
- Experience with Incident Response scenarios and Tabletop Exercises for incident handling
- Experience with identifying and reviewing vulnerability remediations, mitigations, standard operating procedures, root-cause analysis procedures, and, when necessary, applied mitigation techniques
- AWS- or Cloud-related certifications
- ISC2 certifications
- Security+
- IAT Level I and/or II Certification(s)
Education Requirement: Bachelor's degree required; BS in Computer Science, Information Technology, or a related field preferred.
Clearance Requirement: Ability to obtain and maintain a Public Trust.
The salary range for this position depends upon multiple factors including location, the individual's knowledge, skills, competencies, and experience, and contract-specific budget constraints and organizational requirements.
Gunnison Consulting Group's total compensation package also includes bonus and profit-sharing opportunities, depending on company and employee performance. Available employee benefits include:
- 3 weeks of Personal Leave your first year
- 11 paid Holidays each year
- 5 days of Flexible Time Off each year
- 401(k) company match at 50% up to 10% of your salary
- Medical, Dental and Vision Insurance
- Life and Disability Insurance
- Public Transportation Subsidies
- Certifications and Training Allowance - $2,500/year!
Why Join Gunnison?
- Gunnison takes on ambitious projects. We target fun, challenging work that requires creative thinking and innovation.
- Quality is our top priority.
- Gunnison employee benefits meet or exceed what other companies in the Washington, D.C. metropolitan area offer.
- There is a great sense of camaraderie at Gunnison. This is an atmosphere we will maintain as we continue to grow.
- We are growing rapidly and the opportunity for individual professional growth with Gunnison is outstanding.
- We hire for careers at Gunnison, not to fill a position.
Equal Opportunity/Affirmative Action Employer. Must be eligible for employment in the United States. We are unable to sponsor candidates at this time.
In 1994 Gunnison Consulting Group began serving the greater Washington, D.C. metro area, focused on tackling our customers' most ambitious technology projects. By creating a culture dedicated to enabling our customers and employees to achieve more than they ever thought they could, the company has thrived for over 25 years.