Sr. Information Assurance Analyst/Sr. Risk Management Framework Lead Resume
SUMMARY:
- Cyber security professional with more than 30 years of professional work experience in the Information Technology Security industry. Experience includes Risk Management Framework (NIST SP ), System Security Plans (SSP), Contingency Plans (CP), Risk Management/Information Assurance, System Test and Evaluation, and Security Testing. Provided security network enhancement simulations for global security initiatives, including experience with strategic crisis management planning, Risk Assessment Analysis, and the development of Disaster Recovery Plans based on security policies.
- Expert knowledge of National Institutes of Health (NIH) Assessment and Authorization, System Security Plans, Plans of Action and Milestones (POA&M), Risk and Vulnerability Management, Leading Security Assessments, Security Control Assessment and Testing, Privacy Threshold Analysis/Privacy Impact Assessment (PTA/PIA), FIPS 199, Security Assessment Reports, Risk Assessment Reports (RAR), Security Assessment and Authorization, Contingency Plans, HP WebInspect, Tanium, Trend Micro, Splunk, Nessus, McAfee Vulnerability Manager, CSAM, FISMA, FedRAMP, Cloud, SharePoint, Compliance Documents, NIST Special Publications (especially NIST SP Rev 1, 30, 37, 39, 53 Rev 3, Rev 4, and 53A), FISMA Data Calls, eVMS, NSAT and IT Auditing.
PROFESSIONAL EXPERIENCE:
Confidential
Sr. Information Assurance Analyst/Sr Risk Management Framework Lead
- Received recognition for outstanding performance as Senior Lead Cyber Security Analyst, having become one of the most dependable forces on the Census TI RMF team by sharing my knowledge, expertise, and enthusiasm with those around me, so that my team and I continue to demonstrate excellence in the workplace.
- Conduct 2020 Census Bureau Risk Management Framework ATO training for new employees.
- Created and briefed the Census Bureau CISO, Census Bureau Directors, and TREX Corporation on the following onsite policies and guidance to ensure consistency among the Census Authority To Operate (ATO) Team: the ATO/ATT Process and Standard Operating Procedures (SOP) for onboarding new employees onto the Census 2020 ATO Team. Other ATO-related documentation developed to ensure team consistency includes: ATO Process Training Presentation, Kick-Off Briefing slide deck, Risk Management Framework Introduction Memo for the TI - Infrastructure team, Steps for Pre-Assessment and Assessment, Steps to Request Bridge Line, Splunk, Trend Micro, and Tanium access, System Security Plan with Census evidence requirements, Evidence Screenshot Template, Evidence Compliance Matrix, etc. Demonstrated a detailed understanding of NIST SP controls and NIST Risk Management Framework requirements as they relate to the Census Project for Release A, C, E2 and ACD.
- Collaborate with, track and monitor Census 2020 systems and components alongside the Infrastructure, Architecture, Office Information System Security Engineer and Office Information Security Assessor teams to ensure issues, concerns and delays are addressed and Authority to Operate (ATO) or Authority to Test (ATT) is granted.
- Ensure Census 2020 systems and components' security controls are compliant with the NIST SP 800 series, Risk Management Framework, FedRAMP and FISMA.
- Successfully coordinated, analyzed, assessed and developed ATO documentation end to end for the following components: Vormetric, Oracle 12c, Cisco Router, Cisco Firewall, Cisco Switch, AppDynamics, Moloch, Azure, Cylance, Privilege Account Manager (PAM), Splunk, GitHub, Artifactory, SonarQube, ControlUp, IPTS, Privilege Account Management, Netwrix, 9 VMware products and AirWatch mobile ATO documentation, and integrated the transition of components to the AWS Cloud or the Bowie Computing Center (BCC).
- Provide oversight and review of the end-to-end ATO documentation for Census components identified by fifty (50) plus team members.
- Responsible for performing first-cut vulnerability analysis assessments, e.g., reviewing vulnerability assessment reports, meeting with the team to validate findings, explaining findings along with security engineering, and tracking finding remediation progress.
Confidential
Sr. IT Security Analyst
- Received the Joint Polar Satellite System (JPSS) Program Team Group Achievement Award for exceptional leadership, persistence, hard work and unique experience leading up to the successful launch of the JPSS-1 mission.
- Analyzed the client's requirements regarding applicable security disciplines (physical, personnel, information, communications, and network).
- Assisted in preparing oral or written briefings for management or SAMHSA, and at the conclusion of the engagement discussed findings, recommended corrective action and suggested improvements in operations.
- Developed JBS Security IT Policies and Procedures to protect the confidentiality, integrity, and availability of JBS, its infrastructure and its sensitive data, PII and PHI, using the Risk Management Framework, NIST SP .
- Conducted gap analysis on the information systems' security posture to ensure system safeguards meet organizationally defined policy.
- Responsible for the full range of Information Assurance (IA) activities, specializing in Assessment and Authorization (A&A). Performed security analysis and risk/vulnerability assessments and updated security authorization documents, including System Security Plans (SSP) and Security Assessment Package (SAP) documentation.
- Monitored mitigation and remediation progress; drafted, updated or created the Risk Assessment, System Security Plan and Plans of Action and Milestones (POA&Ms) for DSI web systems, including Ideas Exchange, the Learning Management System, five phplist-based mailing list applications and the Project Management Registration System (PM-Reg), which belong to the Substance Abuse and Mental Health Services Administration (SAMHSA) of the Department of Health and Human Services (HHS).
- Escalated problems to the appropriate teams based on established guidelines and procedures.
- Developed the Privacy Threshold Analysis/Privacy Impact Assessment and Federal Information Processing Standard Publication 199 for Medication-Assisted Treatment Prescription Drug and Opioid Addiction (MAT-PDOA).
- Updated and converted the JBS IT Security Policy and Procedure document to ensure compliance with the Risk Management Framework's nineteen (19) security control families and National Institute of Standards and Technology (NIST) guidance.
- Developed and conducted the National Institute on Aging (NIA) Enterprise Resource Planning (ERP) Information Security Contingency Plan (ISCP) Table Top Exercise, including Lessons Learned and the ISCP Test Plan and Results Report.
Confidential
Sr. Security Control Assessor/A&A Project Lead
- Implemented the Risk Management Framework (RMF) across the National Institutes of Health, including the transition from NIST Rev 3 to Rev 4 compliance, working with ISSOs and System Owners.
- Conducted Risk Assessments and security audits on FISMA-reportable systems in accordance with agency standards and federal guidelines.
- Conducted document reviews of NIST, OMB, FISMA, HHS, and NIH policy documents and vendor publications related to enterprise technologies, and recognized, modified and updated procedures resulting from the new guidance.
- Demonstrated knowledge of audit principles and familiarity with the Plan of Action and Milestones (POA&M) process from weakness creation to closure.
- Knowledge of Contingency Planning and Disaster Recovery concepts.
- Provided senior-level security consulting to Federal customers, in addition to guidance and support to Department ISSOs/System Owners on the FISMA and NIST Security Assessment and Authorization process.
- Created, reviewed, and updated Security Assessment documentation, validated it, and provided constructive comments to guide multiple IT systems to compliance.
- Generated NSAT custom reports and dashboards in support of the Assessment and Authorization process.
- Implemented and tracked continuous monitoring functions to maintain Authorizations to Operate (ATO).
- Created, reviewed, and managed security assessment and authorization (SA&A) information and artifacts in the NIH Security Assessment Tool (NSAT).
- Prepared authorization analyses, reports and recommendations for the client.
- Developed and presented information security processes and related training materials/documentation.
- Demonstrated knowledge of the Federal Risk and Authorization Management Program (FedRAMP).
Confidential
Security Control Assessor
- Provided IA support to the networks.
- Developed SOP documentation using NIST, FIPS, Department of Transportation (DOT) and FAA guidance as well as IA community doctrine and best practices.
- Enforced IA policy, guidance, and training requirements per this regulation and identified BBP.
- Ensured all ISs within their (System Owner) area of responsibility were certified, accredited and reaccredited.
- Used the NIST Risk Management Framework to research, verify and document information security controls in support of system accreditation.
- Ensured that security controls were effectively implemented through established verification techniques and procedures, giving Federal Aviation Administration (FAA) officials confidence that the appropriate safeguards and countermeasures are in place to protect the FAA's information systems.
- Analyzed and advised on the risk and remediation of security issues based on reports from vulnerability assessment scanners, patch management tools, and emerging threat information.
- Worked independently and collaborated closely with the System Owner, Information Steward, application developers and engineers in updating Plans of Action and Milestones (POA&M), reducing or eliminating information system vulnerabilities.
- Prepared, distributed, and maintained plans, instructions, and SOPs concerning system security, including the following documents: FIPS Pub 199, System Security Plan, E-Authentication (if applicable), Information System Security Policies and Procedures, Configuration Management (CM) Plan, Control Implementation Summary (CIS), Information Security Contingency Plan (ISCP), Incident Response Plan (IRP), Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA), Rules of Behavior (ROB), and Business Impact Analysis (BIA).
- Ensured the rigorous security standards of FISMA were applied while introducing efficiencies to the process for cloud systems per FedRAMP's standards. Also increased consistency and confidence in the security of cloud solutions using NIST- and FISMA-defined standards.
Confidential
Project Manager/Sr. Security Engineer/Team Lead
- Liaison and facilitator for the USGS OEI Deputy and Chief Information Security Officer (CISO), responsible for providing oversight of the Agency Enterprise Infrastructure and ensuring systems and assets are certified and accredited in accordance with NIST, Departmental, and Bureau directives prior to being placed into operational status.
- Led efforts to establish and maintain a standardized and repeatable process in support of the 106 USGS Science Services (SSS) Centers throughout the entire security Assessment and Authorization (A&A) program, previously known as Certification and Accreditation (C&A), as well as the Continuous Monitoring for Ongoing Authorization program. Such activities included, but were not limited to, the following:
- Documentation reviews and other data gathering activities, e.g., conducting interviews with system owners, testing and validating security controls and Asset Security Managers (ASM)
- Security controls analysis and assessment
- Security planning/Standard Operation Procedures (SOPs)
- Risk analysis and the development of recommended risk mitigation solutions
- Mitigation of USGS System Service Centers FY Outstanding Weakness
- Provided technical engineering services in support of integrated security systems and solutions. These included, but were not limited to, the following:
- Security requirements development and analysis
- Evaluation of potential risk created by proposed system changes
- Security architecture and solutions review
- Development of security-specific policies and procedures
- Other security-related, system support activities
- Updated USGS 18 control families Standard Operating Procedures (SOPs) with Department of Interior (DOI) Foundation Cloud Hosting Contract (FCHC) and FedRAMP security requirements.
- Worked directly with the System Engineer on the IBM Endpoint Manager (IEM) client deployment (via SCCM).
- Maintained and tracked the status of SSS Plans of Action and Milestones (POA&Ms), Federal Information Security Management Act (FISMA) Data Call and eVMS reports for USGS.
- Leveraged the Cyber Security Assessment and Management (CSAM) system as the repository for A&A-related data and documentation management for USGS SSS.
- Managed key projects to achieve critical success for USGS by meeting time-sensitive targets in the key areas of Access Control, Risk Mitigation, the Assessment and Authorization process, and mitigating FY sub-Plan of Action and Milestones (POA&M) weaknesses.
- Managed four (4) resources and created the security team's sub-POA&M weakness data collection methodology process to increase efficiency, effectiveness, quality and compliance with USGS Asset Security Managers.
- Reviewed Information Technology Security Operation Team (ITSOT) systems for vulnerabilities or unauthorized-privileges reports and provided integrity checks.
- Participated in the development of the Agency Risk Assessment template, Assessment and Authorization process, and Security Awareness Training, and conducted gap analysis between NIST SP Rev and Rev 4.
- Demonstrated and executed understanding of the NIST Risk Management Framework, FISMA, FedRAMP, Federal Information Processing Standard (FIPS) 199 and NIST Special Publications.
- Supported USGS systems' pre-OIG audit activities, which included review of system and common control standard operating procedures (SOP) and evaluation of the 18 NIST SP security control families.
- Supported security system upgrades and installations; assisted with and coordinated installations and changes to automated operations (InTrust, Inventory, IEM, Cloud Hosting and FedRAMP security controls).
- Participated in weekly team meetings and provided detailed weekly status reports to Sr. Management regarding issues and progress.
- Recommended and applied security countermeasures to mitigate identified risks.
Confidential
Project Manager/Sr. Security Analyst
- Developed the team methodology and process for conducting Initial Product Reviews (IPR) for veterans and the agency. Provided oversight for the completion of 183 product reviews that were approved by the government.
- Demonstrated experience in the evaluation of packages and technologies.
- Researched the market constantly to gain knowledge of the latest trends in security system implementation and possible security threats.
- Recommended installation of new/latest security products or a possible upgrade of existing systems or products.
- Obtained authorization for changes to the project cost, schedule, or performance; responsible for the overall success of the IPR IATRS project; owned the project schedule.
- Actively engaged with the client and ITARS teams to facilitate the tasks and activities of the team, properly understand the business needs and dependencies on other initiatives, and effectively deploy the solution from product assessment.
- Prepared the client's monthly team IPR report.
Confidential
IT Security Specialist
- Developed a comprehensive security program at the Joint Polar Satellite System Program, including technology, business process, and training methodologies.
- Provided the foundation for the current network and security architecture by upgrading firewalls and routers and accrediting the system using NIST Rev 1, Risk Management Framework.
- Developed the first NIST SP Rev 1 Assessment and Authorization package for the NOAA/NESDIS/NASA Government Resource for Algorithm Verification, Independent Testing, and Evaluation (GRAVITE) and Joint Polar Satellite System (JPSS) Major Applications (MA), including development or updating of the Security Authorization Package, which consisted of the FIPS 199, FIPS 200, Business Impact Analysis (BIA), Privacy Threshold Analysis (PTA), System Security Plan (SSP), Interconnection Security Agreement (ISA), Memorandum of Agreement/Understanding (MOA/MOU), Contingency Plan (CP), and Contingency Plan Test Plan and Results (CPTRTP).
- Identified, assessed, prioritized, and monitored the progress of corrective efforts for security weaknesses found in programs and systems in Plans of Action and Milestones (POA&Ms).
- Attended and participated in weekly Technical Security Working Group, Engineering Review Board and Change Control Board meetings, delivered status reports, and provided and met all deliverables as required.
- Created IT Security Policies and Procedures that map to the 18 NIST Special Publication (SP) security control families for GRAVITE and the JPSS system. Each document outlined the policies, procedures and standards guiding security efforts to protect departmental personnel, property, and facilities.
- Developed a continuous monitoring plan for the GRAVITE system that tracked the security impacts on the information systems according to a schedule developed from planned and unplanned changes to hardware, software, firmware, or operational environments.
Confidential
Sr. Security Engineer
- Provided C&A support to the System Security Life Cycle (SSLC), covering the full scope of obtaining certification and accreditation of DoDEA systems and applications.
- Responsible for building an effective DoDEA Information Assurance Program (IAP) and its components that supports the growing business needs while assuring the protection of DoDEA IT assets.
- Created, updated and reviewed security documentation (SIP, DIP, DIACAP Scorecard, Contingency Plans, CAP and Plans of Action and Milestones (POA&M), along with other DoDEA documentation).
- Reviewed, edited and developed documents related to information assurance policies and standards for security training.
- Developed Connection Approval Packages (CAP) for systems requiring connectivity to SIPRNET terminals.
- Developed the system security plan (SSP) and performed security testing and evaluation (ST&E).
- Performed independent verification and validation (IV&V) and independent audits on DoDEA systems and applications.
- Created policies and procedures within the division that reflect NIST and DoDEA compliance.
- Gathered, analyzed and organized technical information about the security posture of an organization’s application and infrastructure, existing security products and ongoing security initiatives.
Confidential
Security Control Assessor/Sr. Security Engineer
- Provided Certification & Accreditation support as Team Lead to the United States Coast Guard (USCG) Information Assurance Program using DITSCAP, DIACAP, the NIST 800 series, Department of Homeland Security (DHS) and USCG Instructions for classified and sensitive but unclassified (SBU) systems.
- Provided technical expertise in all areas of FISMA IT compliance and security planning throughout the System Life Cycle for General Support Systems, Major Applications, Privacy-Sensitive and Financial Systems.
- Developed, evaluated and performed quality control reviews of the client's system security C&A documentation to support the Certification and Authorization process for Major Applications and General Support Systems per the NIST Risk Management Framework (SP Rev 1).
- Provided security oversight and communicated security policies to the facility's Information System Security Officers and support personnel to ensure that security controls comply with the federal minimum security control standards as outlined in NIST publications and Department of Homeland Security directives.
- Performed activities supporting the certification and accreditation process, which included documenting Risk Assessments (RA), System Security Plans (SSP), Contingency Plans (CP), CP Test Plans and Results, Security Assessment Reports (SAR), Interconnection Security Agreements (ISA), Privacy Impact Assessments, Certification recommendations and Security Test & Evaluation (ST&E) reports used in the authorization of all information systems.
- Documented Comprehensive and Executive DIACAP packages.
- Conducted security vulnerability assessments of networked and stand-alone information systems and communicated recommendations to the system owners/ISSO.
- Performed annual training sessions for all USCG IT support personnel throughout the USCG.
Confidential
Information Security Engineer
- Exceeded company security requirements, reaching stringent PCI standards as confirmed by security audit, by implementing industry-standard network security and intrusion prevention measures.
- Ensured the Host Based Security System (HBSS) baseline COTS application provided network administrators and security personnel with mechanisms to prevent, detect, track, report, and remediate malicious computer-related activities and incidents across all DoD networks and information systems.
- Reviewed and updated the E-Authentication (E-Auth) and Privacy Impact Assessment (PIA), which were documented after a positive Privacy Threshold Analysis (PTA) was created.
- Reviewed, updated and developed the FIPS 199, FIPS 200, Security Test & Evaluation (ST&E), Incident Response Plan, SORN, Security Assessment Report (SAR), Contingency Plan, and the Contingency Plan Test, which was conducted annually.
- Participated in exit conferences to summarize key findings and recommendations.
- Generated, reviewed and updated the System Security Plans (SSP) against NIST Rev 3 requirements.
- Created, edited, standardized, or changed information assurance material prepared by other staff or vendors.
Confidential
Sr. Security Engineer/Information Assurance Analyst
- Reviewed existing and proposed systems security documentation to determine potential risks and mitigation strategies in support of the Certification and Accreditation process for applications and systems.
- Applied security assessments and analysis against design aspects to identify and mitigate risks associated with the network infrastructure and web applications of a public-facing web portal.
- Developed and reviewed Privacy Impact Analysis documents and worked with the Privacy and Compliance Office to ensure full compliance with the information privacy principles of the Privacy Act.
- Assessed and evaluated security requirements and technologies during the systems development life cycle (SDLC) and change management process.
- Developed and created the DHIMS DIACAP artifacts, including the System Identification Profile (SIP), DIACAP Implementation Plan (DIP), System and Application Scorecard, Memorandum of Agreement (MOA)/Memorandum of Understanding (MOU), Concept of Operations (CONOPS), System Design Document (SDD), IT Security Plan of Action and Milestones (POA&M), and other supporting certification documentation.