Security Controls Assessor (Special Access Programs) - Pueo Business Solutions
Reston, VA
About the Job
This role is responsible for leading evaluations and ensuring the effectiveness of security controls for classified information systems and Platform Information Technology (PIT) in accordance with the Risk Management Framework (RMF). Assigned systems will process data up to and including Alternate Compensatory Control Measures (ACCM), Special Access Programs (SAP), Controlled Access Programs (CAP), and Sensitive Compartmented Information (SCI). The technical functions encompass a range of tasks aimed at assessing, testing, and validating security measures to identify vulnerabilities and enhance overall security posture. The functions listed below are those typically associated with ensuring the integrity, confidentiality, and availability of data within these highly restricted programs.
Roles & Responsibilities
- Accountable for managing and overseeing the assessments and authorization activities for systems within the assigned portfolio.
- Lead relevant program & project team meetings in coordination with stakeholders to establish RMF assessment criteria and conduct system and program level cyber security testing.
- Identify possible improvement actions to enhance the SAP SCA team performance and ensure quality and consistency of team execution against targeted portfolio initiatives.
- Oversee the development and execution of assigned projects from concept development through implementation and decommissioning.
- Provide accurate interpretations of supplemental guidance and security controls applications as described in the Joint Special Access Program Implementation Guide (JSIG). Must be knowledgeable in the categorization of information systems, to include protection levels and applicable Joint SAP Cyber Security Working Group approved overlays.
- Develop and modify agency and community policies governing the management and protection of SAP data.
- Provide analysis of intelligence products that give insight into intrusion/attack techniques that can potentially be utilized to conduct attacks on protected organizational assets.
- Provide subject matter expertise for issues dealing with IT device management, automated IT device management, Active Directory, LDAP, system imaging and BIOS management, PKI management and security, data encryption techniques, and data-at-rest management.
- Analyze and interpret security policies, guidelines, and regulations governing classified systems and data, including Department of Defense (DoD) directives, Intelligence Community Directives (ICDs), and other government regulations.
- Ensure compliance with stringent personnel security requirements and clearance levels.
- SAP Security Controls Assessment Planning: Direct and support the development of comprehensive assessment plans tailored to the unique characteristics of SAPs. Define assessment objectives, scope, methodologies, and success criteria based on established security standards and best practices specific to SAP environments.
- Sensitive Compartmented Information Facility (SCIF) and Special Access Program Facility (SAPF) Review: Conduct thorough reviews of SCIFs and SAPFs to assess compliance with physical security and technical specification requirements for storing and handling classified information. Evaluate access controls, intrusion detection systems, and environmental controls within SCIFs and SAPFs.
- Access Control Assessment: Review and evaluate physical and logical access control mechanisms implemented within SAPs to enforce strict access restrictions based on security clearances, need-to-know principles, and compartmented access requirements. Assess the effectiveness of access control policies, authentication mechanisms, and audit trails.
- Cyber Security Testing: Test and evaluate cyber security controls within SAP environments to ensure the confidentiality, integrity, and availability of classified information. Assess the effectiveness of encryption, data protection, and security monitoring mechanisms.
- Physical Security Assessment: Conduct physical security assessments of SCIFs and SAPFs, including data centers, secure rooms, and storage areas. Evaluate physical access controls, surveillance systems, and perimeter security measures to prevent unauthorized access and intrusions.
- Security Configuration Review: Review and analyze security configurations for systems, devices, and applications within SCI and SAP environments. Ensure compliance with security baselines, secure configuration guidelines, and industry best practices.
- Security Documentation Review: Review documentation related to SCI and SAP security, including system security plans, risk assessments, configuration guides, and operating procedures. Ensure that documentation accurately reflects implemented security controls and operational processes.
- Compliance Assessment: Assess compliance with regulatory requirements, government directives, and contractual obligations applicable to SCI and SAP environments. Ensure adherence to specialized security standards such as Intelligence Community Directives (ICDs) and DoD SAP Manuals.
- Security Risk Assessment: Conduct risk assessments to identify and prioritize security risks associated with SCI and SAP information and systems. Evaluate the impact of potential threats and vulnerabilities on the confidentiality, integrity, and availability of sensitive information within SCI and SAP environments.
Qualifications
- Active TS/SCI clearance
- Experience: 7 years of cyber security related experience or the equivalent combination of professional support, education, and professional training. 2 years of prior experience as a Security Control Assessor (SCA). 4 years of prior experience in DoD or IC Special Programs.
- Education: Bachelor's degree from an accredited institute in an area applicable to the position in Cybersecurity, Computer Science, Software Engineering, Systems Engineering, Information Systems, or a related technical discipline.
- Certifications: Certification in DoD 8570.01-M Cybersecurity workforce, compliance with DoD Directive 8140 Cyberspace Workforce Management, and IAT Level III (CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH, CCSP).
Skills
- Strong independent work ethic, exceptional oral and written communication skills, and the ability to work unsupervised and within a team environment.
- Focuses on the consistent execution and updating of organizational processes and procedures to drive SAP RMF efforts.
- Ability to conduct briefings of senior level government personnel and professionally collaborate with external agency mission partners.
Preferred Qualifications
- Current Counter-Intelligence Polygraph
- Experience with Protection Level (PL)3 technologies, which bind security attributes to data objects.
- Experience conducting cyber security assessment of complex SAP, CAP, ACCM, and SCI systems.
- Experience with technologies such as cloud computing, encryption, and Public Key Infrastructure (PKI).
- Background and understanding of the organizational relationships between the Intelligence Community (IC), DoD SAP community, and DIA.
- Knowledge of networking technologies and protocols.
- Knowledge of the hardening process for operating systems and applications.