Risk Assessor - MID - Zermount, Inc
Arlington, VA
About the Job
RISK ASSESSOR, MID.
MILITARY FRIENDLY & PREFERRED - HOH SPONSOR
Zermount Inc. is seeking a Risk Assessor MID who will be responsible for preparing for Risk Assessments (RA), conducting RAs, developing reports, and providing solutions to mitigate risk. Conduct assessments of systems, technologies, designs, configurations, and capabilities to identify the potential adverse impacts to the client's mission, operations, systems, and data. Responsible for providing leadership with the information needed to determine appropriate courses of action in response to identified risks and to make data-driven decisions. Conduct assessments to assist the organization in identifying and modifying its overall security posture and to enable security, operations, organizational management, and other personnel to collaborate and view the entire organization from an attacker's perspective. Assist leadership with determining the value of the various types of data generated and stored across the organization and ensuring it is properly protected. You will be providing a critical service to measure the client's security posture and validate that they are compliant with federal requirements, laws, directives, standards, guidelines, and industry best practices.
Duties & Responsibilities:
- Conduct assessments to identify threats to the organization (i.e., operations, assets, or individuals); vulnerabilities internal and external to the organization; impact that may occur given the potential for threats exploiting vulnerabilities; and determine the likelihood that harm will occur.
- Develop qualitative risk analysis based on the outcome of the RA performed and provide justification and details supporting the analysis and solutions to mitigate.
- Conduct comprehensive security RAs based on industry standards, regulatory requirements, and client's policies.
- Evaluate the effectiveness of security controls and their alignment with best practices and security frameworks (e.g., National Institute of Standards and Technology (NIST) 800-37, 800-30, 800-39, Risk Management Framework (RMF), & Cybersecurity Framework (CSF), Zero Trust (ZT), PCI, ISO 27001, HIPAA, etc.).
- Identify and assess potential threats, vulnerabilities, and risks to the client's systems, networks, apps, & data assets.
- Provide actionable recommendations to mitigate risks, including technical, procedural, and administrative controls.
- Collaborate with cross-functional teams to develop risk treatment plans, prioritize remediation efforts, and track the implementation of recommended controls. Keep up to date with evolving security requirements / industry trends and ensure that RAs align with the changing threat landscape.
- Define and implement appropriate risk response strategies, such as risk acceptance, risk transfer, or risk avoidance.
- Conduct detailed assessments of security controls, including mechanisms, technologies, capabilities, policies, and procedures. Assessments include interviews, examinations, and manual and automated testing methods.
- Evaluate the design and effectiveness of security measures in protecting against threats, detecting potential incidents, and responding to security breaches. Assess the security posture of third-party vendors and partners, such as cloud environments (AWS, Azure, GCP, etc.).
- Assist in the development / maintenance of security policies, SOPs, & guidelines based on compliance requirements and RA outcomes. Document RA findings, observations, & recommendations in clear & concise reports.
- Prepare executive-level summaries and presentations to communicate RA outcomes and recommendations.
- Maintain accurate and up-to-date records of risk assessments, remediation plans, and progress tracking.
- Conduct assessments to ensure controls are implemented and operating as intended and functioning properly.
- Conduct technical assessments to identify potential security weaknesses and recommend remediation measures.
- Provide actionable / risk-based recommendations for improving cybersecurity principles and associated controls, addressing non-compliance issues, and enhancing the overall security posture.
- Review Requests for Change (RFC) / upgrades and provide impact assessments on potential cybersecurity major or minor changes and overall cybersecurity impacts; analyze and document results and present recommendations.
- Evaluate emerging technologies being considered by the Organization, conduct an Analysis of Alternatives (AoA) to determine compliance with federal mandates and requirements.
- Conduct vulnerability assessments and analyze results from Authorization to Operate (ATO) assessments, penetration tests, or ad hoc RAs from tools such as Tenable, AppDetective, WebInspect, AppScan, and Nipper, and create Findings Matrices from the results.
- Conduct Audit of Privileged Accounts (APA) and annually review ISSO Privileged Account Audits.
- Review network infrastructure and coordinate with other stakeholders / contractors to perform network assessments that include, but are not limited to, reviewing circuits, connections, bandwidth, traffic, and routing protocols.
- Perform complex risk analyses, which also include risk assessments to identify compliance with federal requirements (e.g., EO 14028, OMB M-22-09, M-21-31, A-130, TIC 3.0, NIST SP 800-37, 800-53, FIPS 199, and FIPS 200, etc.), and security requirements based upon the analysis of people, processes, and technologies.
- Follow the Zermount assessment methodology which has been adopted by the client. Utilize structured mini teams.
- Serve as the Security Assessor for system Security Authorization (SA), annual assessments, Ongoing Authorization (OA) assessments, and conducting risk assessments for changes to the systems. Assess all applicable security controls defined in the mandated Agency Compliance Tool and applicable to the systems under their purview.
- Ensure objective/fact-based results (findings) are documented completely and accurately in the mandated Agency Compliance Tool at the operating system, application, and database levels.
- In view of the remote nature of the contract, an individual Weekly Status Report (WSR) and WSR Briefing are required for tasks assigned. Must effectively develop WSRs that are consistent, well structured, answer all the assigned management requirements, are aligned with the area of support, and are relevant to the reporting period.
- Must ensure deliverables meet a level of accuracy that does not require "return for correction" for typographical and grammatical errors.
- Prepare briefings / reports and present and explain in detail to management and/or government client.
- Assist and support as required and as directed by the Program Manager.
Qualifications:
- Experience and knowledge of EOs (e.g., EO 14028), OMB Memorandums (e.g., M-22-09, M-21-31), Federal, DoD and CISA Technical Reference Architectures, Maturity Models, NIST guidance, FISMA, Cloud, and RMF.
- Strong understanding of ZT principles and how they can be applied to various types of information systems.
- Proficient in risk assessment methodologies and security architecture frameworks.
- Experience with cloud-based environments and technologies.
- Knowledge of common cybersecurity threats, risks, and vulnerabilities and how to mitigate them.
- Excellent communication skills, with the ability to explain complex concepts in a clear, concise manner.
- Technical knowledge of IT systems and implementation of security controls.
- Strong problem-solving skills, proactive attitude towards identifying potential issues and implementing solutions.
- Must be able to conduct system analysis to detect issues with performance.
- Well versed in developing and implementing IT solutions to resolve technical challenges.
- Ability to work independently and as part of a team.
- Knowledge of NIST Guidelines and FISMA Cybersecurity compliance requirements.
- Technical knowledge of IT systems.
- Knowledge of and experience using relevant cybersecurity and analysis tools such as Archer, Nessus Security Center, Splunk, etc.
- Experience communicating effectively, both oral and written, with technical, non-technical, and executive-level customers.
- Coordinate and/or perform additions and changes to network hardware and operating systems, and attached devices; includes investigation, analysis, recommendation, configuration, installation, and testing of new network hardware and software.
- Provide direct support in the day-to-day operations on network hardware and operating systems, including the evaluation of system utilization, monitoring response time and primary support for detection and correction of operational problems.
- Troubleshoot at the physical level of the network, working with network measurement hardware and software, as well as physical checking and testing of hardware devices at the logical level working with communication protocols.
- Maintain network infrastructure standards including network communication protocols such as TCP/IP.
- Provide technical consultation, training and support to IT staff as designated by the government.
Education and/or Experience:
- Minimum of a Bachelor of Science (or higher) in one of the following: computer engineering, computer science, IT, cyber security, or a related field and 5 years of IT Cybersecurity experience including direct support of the US government and 4 years acting as an ISSO, assessor, or compliance analyst.
- Without a B.S. degree, a minimum of 7 years of IT cybersecurity experience including direct support for the US Government will be accepted.
Certifications:
- A minimum of at least one of the following certifications is required: Certified Authorization Professional (CAP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO) or any certification compliant with DoD 8570 IAM Level II or higher.
Clearance level:
- Minimum of an active Secret Clearance.
Work Location:
- Primarily Remote (Onsite work in Arlington, VA or in the United States may be occasionally required).
Hours of Operation:
- Business Hours: 8:00 am EST - 4:30 pm EST.