Compliance Officer - Zermount, Inc
Arlington, VA
About the Job
COMPLIANCE OFFICER SR.
MILITARY FRIENDLY & PREFERRED - HOH SPONSOR
Zermount Inc. is seeking a Senior Compliance Officer who will perform complex risk analyses and ensure systems and technologies satisfy Information Assurance (IA) and Cybersecurity requirements, based on federal requirements, laws, mandates, policies, procedures, standards, and guidelines (e.g., EOs, OMB, BODs, NIST, and agency specific requirements). The Compliance Officer will provide Plan of Actions and Milestones (POA&M) management, conduct FISMA Compliance meetings, and work with Information Systems Security Officers (ISSO), System Owners (SO), stakeholders, and leadership to meet performance and scorecard metrics. The Compliance Officer will conduct regular (e.g., daily, weekly, monthly) system security compliance meetings for assigned systems of responsibility, provide feedback and recommended mitigations to ensure systems meet the minimum requirements and security posture. Support customer at the highest levels to ensure the implementation of doctrine and policies.
Duties & Responsibilities:
The Senior Compliance Officer will provide the following support and services:
- Perform Compliance reviews and analyses to verify compliance with federal requirements (e.g., EO, OMB Memos, A-130, NIST SP 800-37, 800-53, FIPS199, and FIPS-200, etc.).
- Perform analyses of security implementations for assigned systems pertaining to people, processes, and technologies, identify gaps and recommend solutions.
- Conduct daily, weekly, monthly compliance monitoring of assigned systems for all RMF steps.
- Conduct compliance assessments of assigned systems, based on the Zermount approved Compliance Support Services Framework.
- Execute day to day FISMA compliance monitoring, ensuring that all FISMA activities, including Information Security Continuous Monitoring (ISCM), Continuous Diagnostic and Mitigation (CDM), and FISMA program activities assigned are prioritized correctly, completed on schedule, and are in accordance with Agency and organizations policies.
- Research major obstacles related to the ever-changing FISMA requirements, which customers will need to overcome and provide recommendations.
- Track system ATO status, security documentation expirations (Contingency Plan, Contingency Plan Test, Configuration Management Plans, Incident Response Plans, etc.) Information Security Vulnerability Management (ISVM) compliance, DHS Performance Plan requirements, audit efforts, and CDM support efforts.
- Conduct analysis of system level POA&Ms and provide guidance and recommendations on potential mitigation to close current or delayed POA&Ms.
- Track and report on whether assigned systems have mitigated their weaknesses on time using the appropriate processes and reporting timelines.
- Track and report on whether mandated FISMA activities are being executed in accordance with the current DHS Information Security Performance Plan (ISPP) for the fiscal year.
- Provide compliance monitoring metrics and reporting to Agency leadership.
- Review the DHS Scorecard, for each assigned system, conduct analysis, and generate "Get to Green" reports.
- Conduct Get-to-green meetings with SOs and ISSOs, provide status, deficiencies, recommendations, and document action items with estimated completion dates (ECDs) with the goal of improving system scores within the DHS Scorecard.
- Manage ISVM alerts and bulletins for TSA systems to include tracking, distributing, and providing reports.
- Support systems of responsibility to ensure all ISCM and CDM requirements are met and mitigations for failing requirements are identified and discussed to ensure a plan is established to meet all requirements defined. Provide monthly reports with action items for stakeholders and leadership.
- Create briefings and reports, as required for, but not limited to the following items: high valued assets, ISVMs, POA&Ms, system scores (FISMA & ISCM).
- Provide input into the GRC presentations for monthly ISSO Townhall training, as required by management or the Communications & Training Team Lead.
- Provide updates and input to the GRC SharePoint sites to include document uploads, page updates, access requests, permissions, etc. on an ongoing basis.
- Create or update existing templates for memos, risk assessments, disposal packages, to standardize and simplify the process.
- Conduct system compliance assessment to identify progress on ATO conditions, develop extension packages as required annotating analysis of system data / progress.
- Conduct POA&M management activities, to include processing, reviewing, verifying, and validating creation and closures.
- Report on expiring and overdue POA&Ms and ensure compliance with all DHS POA&M metrics and requirements as outlined in agency policy and the DHS ISPP.
- Review waiver and risk acceptance requests for compliance with the Agency's Policies and Procedures.
- Provide Quality Reviews of security documentation to ensure accuracy and compliance throughout the RMF process.
- Support systems of responsibility to ensure all Ongoing Authorization (OA), requirements are met, and any deficiencies are identified and tracked. Monitor activities and ensure all deficiencies exceeding 30 days are identified as requiring a POA&M.
- Assist with conducting review and analysis of Requests for Change (RFC) and providing recommendations to conduct risk assessment (as applicable) based on the change and/or Security Impact Assessment (SIA).
- Support Security Control Assessors (SCAs) as required for assigned systems.
- Provide input and assist with all audits, data calls, and queries relating to assigned systems.
- Stay current with the latest developments in cybersecurity, information assurance, GRC, and related cybersecurity trends.
- Create or update existing templates such as memos, risk assessments, disposal packages, to standardize and simplify GRC processes.
- Assist in completing customer's Management Control Objectives Program (MCOP) reporting requirements.
- Provide Weekly status reporting to leadership
- Assist and support other team members as required by the Program Manager.
Qualifications:
- Experience and expert knowledge on NIST guidelines, FISMA, Cybersecurity principles and methodologies, Executive Orders (EO's), Office of Management and Budget (OMB) Memorandums, Federal, DoD and CISA Technical Reference Architectures, Maturity Models, Risk Management Framework (RMF), Cybersecurity Framework (CSF), technical knowledge of IT systems, and cloud security (is preferred).
- Knowledge of and experience using relevant cybersecurity and analysis tools such as Archer, Nessus Security Center, Splunk, etc.
- Experience with cloud-based environments and technologies is preferred.
- Knowledge of cybersecurity threats, risks, and vulnerabilities and how to mitigate them.
- Excellent communication skills (written and verbal), with the ability to explain complex concepts in a clear, concise manner.
- Strong problem-solving skills, proactive, ability to adapt to changes in priorities, attention to detail and organization skills, and possesses good problem solving and decision- making skills.
- Must be able to conduct system analysis and quality reviews to detect performance issues.
- Well versed in developing compliance solutions to resolve weaknesses or challenges.
- Ability to work independently and as part of a team.
- An analytical mind with excellent problem-solving ability is required.
- Design, develop, engineer, and implement solutions to MLS requirements.
- Perform complex risk analyses which also include risk assessment.
- Establish and satisfy information assurance and security requirements based upon the analysis of user, policy, regulatory, and resource demands.
- Support customers at the highest levels in the development and implementation of doctrine and policies.
- Apply know-how to government and commercial common user systems, as well as to dedicated special purpose systems requiring specialized security features and procedures.
- Perform analysis, design, and development of security features for system architectures.
Education and/or Experience:
- Minimum of a Bachelor of Science (or higher) in one of the following: computer engineering, computer science, IT, cyber security, or a related field and 7 years of IT Cybersecurity experience including direct support of the US government and 4 years acting as an ISSO, Assessor, or Compliance Analyst.
- Without a B.S. degree, a minimum of 10 years of IT cybersecurity experience including direct support for the US Government will be accepted
Certifications:
- A minimum of at least one of the following certifications is required: Certified Authorization Professional (CAP), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Chief Information Security Officer (CCISO) OR equivalent according to the DOD 8570 approved certification list.
Clearance level:
- Minimum of active Secret Clearance.
Work Location:
- Primarily Remote (Onsite work in Arlington, VA or in the United States may be occasionally required).
Hours of Operation:
- Business Hours: 8:00 am EST - 4:30 pm EST.