WORK EXPERIENCE:

Confidential, Leesburg, VA

Sr. Security Controls Assessor

Responsibilities:

• Lead RMF projects and teams (six persons) of moderate size and complexity, or one or more work streams in a larger project.
• Provide services as security controls assessors (SCAs) and perform as an integral part of the Assessments and Authorizations process implementing the RMF, to include A&A scanning, penetration testing, documentation, reporting and analysis requirements to meet RMF requirements.
• Perform operating system, network and application security STIG reviews.
• Perform host and network based certification assessments, determine residual security risks, prepare certification test reports, and provide formal authorization recommendations.
• Track previously identified vulnerabilities and discrepancies, coordinate response with NGA and external organizations. Recommend and validate corrective actions to ensure vulnerabilities are eliminated and discrepancies are resolved as defined either internally or externally by organizations including but not limited to the USCC and/or the IC - IRC.
• Perform mobile device and mobile application security reviews.
• Provide support to OCIO at internal/external meetings, conferences, and technical exchange meetings, and working groups for all activities with regard to Confidential security, Information Security Management, and A&A.
• Support the security requirements definition of new, upgraded, and reconfigured AISs for implementation of Service Oriented Architecture (SOA) and system virtualization.
• Test and enforce IS security policies. Conduct scanning via NGA accepted scanning tools (software and hardware) used either remotely or locally on the systems to ensure compliance and to identify security holes, risks, threats and gaps. Review and analyze the findings that identify security issues on the system. The final report shall provide analysis for the Information System Security Engineer (ISSE), System Administrator (SA), and PM for remediation and informational purposes.
• Review System Security Plans (SSPs) (described in ICD 503), test the documented systems and recommend systems found to be acceptable for authorization.
• Provide technical services for installation, operation, maintenance and authorization of hardware and software to support NGA missions. Ensure all equipment is on Hand Receipt Holder (HRH) accounts and standalone laptops are maintained for anti-virus, software patches and security compliance.
• Support comprehensive cyber incident handling and forensic analysis of compromised systems in coordination with the following NGA organizations - NGA CERT and Cyber Counter-intelligence and coordinate action across IA functional areas, producing incident reports as necessary
• Scan for malicious code, spyware, adware, and other unauthorized forms of software.
• Constantly monitor, log, and track all NGA systems for vulnerabilities. Certification and vulnerability scans shall be run with minimal to zero impact on network and systems performance. Monthly scans shall be random and shall be coordinated with the responsible system administrator or operations centers such as the ESC.
• Scan each Enterprise network monthly for IAVM compliance and produce a noncompliance machine report (NMR).
• Scan for network security compliance in accordance with DISA STIGs.
• Conduct wireless scanning for the presence of unauthorized devices operating illegally at NGA facilities.
• Liaison with DISA, DNI, and other offices and Agencies for coordination of community support and upgrades of software and hardware for all network-borne VA tools.
• Provide scanning support to Red and Blue Team.
• Provide on-site and/or remote testing in support of FISMA through certification scans and penetration testing at industrial and NGA hosted sites both CONUS and OCONUS. Work will be authorized and coordinated by the Government on a trip by trip basis.

Confidential, Scott AFB, IL

Sr. Information Assurance (IA)/Security Specialist/ISSO

Responsibilities:

• Developed Enterprise Vulnerability Management, Continuous Monitoring, and Security Controls Audit policies, and working on other policies and procedures to cover current Risk Management Framework (RMF) and Confidential 800-53/ICD 503 control requirements.
• Evaluate system requirements, reviewing IA and functional specifications, products, applications and systems meet IA specifications.
• Develop and maintain system IA documentation supporting system Certification and Accreditation requirements transitioning from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the RMF. Maintain documentation in the DISA Enterprise Mission Assurance Support Services (EMASS) system.
• Conduct IA related technical research and analysis necessary to provide recommendations to the system management team to assess possible system/configuration changes.
• Perform reviews of system IA products (audit logs, ACAS reports, security assessments, etc) to ensure the system remains current and satisfies certification requirements with regards to IA related FRAGO, security scans, patches, STIGs, logging and security configurations.

Confidential, Arnold, MO

Information Assurance Lead/Project Delivery Manager

Responsibilities:

• Lead RMF projects and teams (20 persons) of moderate size and complexity, or one or more work streams in a larger project and train team members (45 persons).
• Determine enterprise information assurance and security standards to meet RMF requirements..
• Develop and implement information assurance/security standards and procedures.
• Coordinate, develop, and evaluate security programs for an organization. Recommends information assurance/security solutions to support customers’ requirements.
• Identify, report, and resolve security violations.
• Establish and satisfy information assurance and security requirements based upon the analysis of user, policy, regulatory, and resource demands.
• Support customers at the highest levels in the development and implementation of doctrine and policies.
• Apply know-how to government and commercial common user systems, as well as to dedicated special purpose systems requiring specialized security features and procedures.
• Perform analysis, design, and development of security features for system architectures.
• Analyze and define security requirements for computer systems which may include mainframes, workstations, and personal computers.
• Design, develop, engineer, and implement solutions that meet security requirements.
• Provide integration and implementation of the computer system security solution.
• Analyze general information assurance-related technical problems and provides basic engineering and technical support in solving these problems.
• Perform vulnerability/risk analyses of computer systems and applications during all phases of the system development life cycle.
• Ensure that all information systems are functional and secure.
• Communicate project delivery schedule and milestones while maintaining productive and professional relationships with client.
• Develop new practices or modify pre-established practices to execute work appropriately in order to achieve efficiency and increase performance.
• Improve the operational systems, processes, and policies in support of the client’s mission through the management and guidance of multiple work streams, teams, and clients.
• Support engagements related but not limited to Operations & Maintenance, Helpdesk Operations, Software and Application Development and Maintenance, Financial Operations, and Project and Acquisition Management.
• Provide input to key deliverable structure and content, as well as facilitating buy-in of proposed solutions from top management levels.
• Direct timely delivery of quality work products for the client.
• Manage engagement risk.
• Provide professional development of junior staff performing the role of counselor and coach, as well as providing leadership and support.

Confidential, Arnold, MO

Sr. Security Controls Assessor

Responsibilities:

• Provide services as security controls assessors (SCAs) and perform as an integral part of the Assessments and Authorizations process implementing the RMF, to include A&A scanning, penetration testing, documentation, reporting and analysis requirements to meet RMF requirements.
• Perform operating system, network and application security STIG reviews.
• Perform host and network based certification assessments, determine residual security risks, prepare certification test reports, and provide formal authorization recommendations.
• Track previously identified vulnerabilities and discrepancies, coordinate response with NGA and external organizations. Recommend and validate corrective actions to ensure vulnerabilities are eliminated and discrepancies are resolved as defined either internally or externally by organizations including but not limited to the USCC and/or the IC - IRC.
• Perform mobile device and mobile application security reviews.
• Provide support to OCIO at internal/external meetings, conferences, and technical exchange meetings, and working groups for all activities with regard to Confidential security, Information Security Management, and A&A.
• Support the security requirements definition of new, upgraded, and reconfigured AISs for implementation of Service Oriented Architecture (SOA) and system virtualization.
• Test and enforce IS security policies. Conduct scanning via NGA accepted scanning tools (software and hardware) used either remotely or locally on the systems to ensure compliance and to identify security holes, risks, threats and gaps. Review and analyze the findings that identify security issues on the system. The final report shall provide analysis for the Information System Security Engineer (ISSE), System Administrator (SA), and PM for remediation and informational purposes.
• Review System Security Plans (SSPs) (described in ICD 503), test the documented systems and recommend systems found to be acceptable for authorization.
• Provide technical services for installation, operation, maintenance and authorization of hardware and software to support NGA missions. Ensure all equipment is on Hand Receipt Holder (HRH) accounts and standalone laptops are maintained for anti-virus, software patches and security compliance.
• Support comprehensive cyber incident handling and forensic analysis of compromised systems in coordination with the following NGA organizations - NGA CERT and Cyber Counter-intelligence and coordinate action across IA functional areas, producing incident reports as necessary
• Scan for malicious code, spyware, adware, and other unauthorized forms of software.
• Constantly monitor, log, and track all NGA systems for vulnerabilities. Certification and vulnerability scans shall be run with minimal to zero impact on network and systems performance. Monthly scans shall be random and shall be coordinated with the responsible system administrator or operations centers such as the ESC.
• Scan each Enterprise network monthly for IAVM compliance and produce a noncompliance machine report (NMR).
• Scan for network security compliance in accordance with DISA STIGs.
• Conduct wireless scanning for the presence of unauthorized devices operating illegally at NGA facilities.
• Liaison with DISA, DNI, and other offices and Agencies for coordination of community support and upgrades of software and hardware for all network-borne VA tools.
• Provide scanning support to Red and Blue Team.
• Provide on-site and/or remote testing in support of FISMA through certification scans and penetration testing at industrial and NGA hosted sites both CONUS and OCONUS. Work will be authorized and coordinated by the Government on a trip by trip basis.
• Augment the Cyber Penetration Testing Branch in the planning, execution, and reporting of Red Team Assessments consisting of identifying and exploiting vulnerabilities on NGA systems.
• Coordinate and conduct Blue Team assessments to identify vulnerabilities and correct weaknesses in NGA networks.

Confidential, Hazelwood, MO

Cyber Security Assessment Specialist

Responsibilities:

• Leads team of four persons, conducts vulnerability assessments and penetration testing.
• Analyzes architecture and system functionality for a broad range of technologies.
• Conducts automated scanning and manual testing.
• Evaluates system security configurations. Performs exploit analysis and authors exploitation tools/techniques.
• Evaluates findings and performs root cause analysis. Prepares and presents technical reports and briefings. Conducts customer remediation reviews.
• Supported performance of Information Assurance, Cybersecurity engineering and analysis of the Ground and Training Systems
• Evaluated and verify Information Assurance System Requirements
• Performed Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) scans and analysis of computer systems.
• Performed vulnerability scans using the DISA Assured Compliance Assessment Solution
• Performed Vulnerability Assessment of computer systems
• Supported performance of Penetration Testing of computer systems
• Supported performance of Static Code Analysis of Software Development Projects
• Examined and evaluated Ports, Protocols and Processes of engineering computers
• Examined Software Assurance Reports for software development efforts
• Prepared technical briefings and discussion papers

Confidential, Arnold, MO

Sr. Security Controls Assessor

Responsibilities:

• Provide services as security controls assessors (SCAs) and perform as an integral part of the Assessments and Authorizations process implementing the RMF, to include A&A scanning, penetration testing, documentation, reporting and analysis requirements to meet RMF requirements.
• Perform operating system, network and application security STIG reviews.
• Perform host and network based certification assessments, determine residual security risks, prepare certification test reports, and provide formal authorization recommendations.
• Track previously identified vulnerabilities and discrepancies, coordinate response with NGA and external organizations. Recommend and validate corrective actions to ensure vulnerabilities are eliminated and discrepancies are resolved as defined either internally or externally by organizations including but not limited to the USCC and/or the IC - IRC.
• Perform mobile device and mobile application security reviews.
• Provide support to OCIO at internal/external meetings, conferences, and technical exchange meetings, and working groups for all activities with regard to Confidential security, Information Security Management, and A&A.
• Support the security requirements definition of new, upgraded, and reconfigured AISs for implementation of Service Oriented Architecture (SOA) and system virtualization.
• Test and enforce IS security policies. Conduct scanning via NGA accepted scanning tools (software and hardware) used either remotely or locally on the systems to ensure compliance and to identify security holes, risks, threats and gaps. Review and analyze the findings that identify security issues on the system. The final report shall provide analysis for the Information System Security Engineer (ISSE), System Administrator (SA), and PM for remediation and informational purposes.
• Review System Security Plans (SSPs) (described in ICD 503), test the documented systems and recommend systems found to be acceptable for authorization.
• Provide technical services for installation, operation, maintenance and authorization of hardware and software to support NGA missions. Ensure all equipment is on Hand Receipt Holder (HRH) accounts and standalone laptops are maintained for anti-virus, software patches and security compliance.
• Support comprehensive cyber incident handling and forensic analysis of compromised systems in coordination with the following NGA organizations - NGA CERT and Cyber Counter-intelligence and coordinate action across IA functional areas, producing incident reports as necessary
• Scan for malicious code, spyware, adware, and other unauthorized forms of software.
• Constantly monitor, log, and track all NGA systems for vulnerabilities. Certification and vulnerability scans shall be run with minimal to zero impact on network and systems performance. Monthly scans shall be random and shall be coordinated with the responsible system administrator or operations centers such as the ESC.
• Scan each Enterprise network monthly for IAVM compliance and produce a noncompliance machine report (NMR).
• Scan for network security compliance in accordance with DISA STIGs.
• Conduct wireless scanning for the presence of unauthorized devices operating illegally at NGA facilities.
• Liaison with DISA, DNI, and other offices and Agencies for coordination of community support and upgrades of software and hardware for all network-borne VA tools.
• Provide scanning support to Red and Blue Team.
• Provide on-site and/or remote testing in support of FISMA through certification scans and penetration testing at industrial and NGA hosted sites both CONUS and OCONUS. Work will be authorized and coordinated by the Government on a trip by trip basis.
• Augment the Cyber Penetration Testing Branch in the planning, execution, and reporting of Red Team Assessments consisting of identifying and exploiting vulnerabilities on NGA systems.
• Coordinate and conduct Blue Team assessments to identify vulnerabilities and correct weaknesses in NGA networks.

Confidential, Arnold, MO

Delegated Authorizing Official Representative

Responsibilities:

• Provides services and analytical support for assisting the government in identifying and assessing security risk and mission tradeoffs in support of security risk acceptance decisions. DAO Representatives serve as principal advisors on all RMF matters, technical and otherwise, involving the security of his or her assigned information systems.
• This includes providing senior level analysis and review of security considerations in context of NGA missions, interpreting Security Assessment Reports (SARs), risk assessment, and providing critical thinking in applying security controls to system design and risk determination.
• Received accolades from customer on quickly responding to priority tasking. Developed monthly activity report format.
• Risk Management Services Support Understand and apply ICD 503, Confidential Special Publication 800 - 53, and CNSSI 1253. Perform and provide the risk tradeoff analysis to implement the policies, processes, models, assessments, and standards needed to recommend risk acceptance authorization for complex systems and mission enablement. Document recommendations for authorization that shall consist of detailed rationale for acceptance. Document rejections back to information system owners (ISO's) with detailed and constructive recommendations for correction, along with references to appropriate government regulations and explanations for why and desired specific outcome(s) of the corrections. In interfacing with programs on feedback, Speak with the ISO to ensure clear understanding of changes needed. Conversations may occur via phone, VTC, or in person and shall be documented.
• Primary peer reviewer for Security Impact Determination Requests (SIDRs), monitoring more junior DAORs work, guiding and directing actions.
• Propose categorization of information systems, with input from ISSEs and working in partnership with Information Systems Owners (ISO's).
• Determine appropriate level of security controls by working in concert with Program Managers (PM) and by identifying and prioritizing risks based on mission goals and types of information processed by the system. Assist in determination of impacts in support of risk prioritization.
• Provide guidance to program managers for securing their information systems and to understand and promote applicability of Enterprise Security Services in accordance with ICD 503, CNSSI 1253, and Confidential SP 800-39, 800-137, 800-53 and 800-37.
• Review Plan of Actions and Milestones (POA&Ms) to ensure programs are making progress in mitigating risk to systems; work with programs to ensure POA&Ms are updated every 90 days at a minimum, and more frequently for high risk systems or action items. Advise the NGA Program Manager (PM) of any issues/delays in the POA&Ms.
• Ensure risk mitigation strategies, recommendations, and applicable security controls are documented indicating cost effectiveness and reasonability for the mission goals; risk mitigation is determined in context of mission and cost.
• Assist in the development and oversight of security policy implementation in accordance with current Federal, Community, and Agency Policies.
• Assist in monitoring the implementation of security policies and documenting to the government when policies and appropriate security controls are not being implemented including information as to the reason for non-compliance and decision recommendations.
• Assist in controlling and managing the Agency central repository for all authorization documentation. Currently, NGA uses the XACTA software.
• Maintain and update the A&A standards tool (Uncle) for consistently applied authorization decisions.
• Maintain and update A&A tools used for categorization, control selection, or authorization decisions.
• Oversee security testing and review evaluations to ensure evaluations are completed detailing results of testing including documenting any issues resulting in failed testing, and are written clearly and concisely to be understood by OCIO leadership, security control assessors, program managers, and system administrators.
• Monitor the assessment and authorization activities and solutions to guarantee these actions are collaborated with the necessary offices and agencies.
• Provide senior level analysis, reports, and metrics to OCIO leadership concerning overall agency system authorization status.
• Confidential 800-53/ICD 503 Controls and Risk Assessment:

Confidential, Las Cruces, NM

Information Systems Security Manager

Responsibilities:

• Ensures Confidential and network nodes are operated, maintained, and disposed of in accordance with security policies and practices.
• Perform ISSM functions and ISSO duties in support of in - house and external Detachment 4 customers.
• Performs duties as the alternate Information Systems Security Manager (ISSM) for the ADF-SW.
• Reviews and develops Confidential accreditation/certification support documentation
• Notifies customer when changes occur that might affect Confidential accreditation/certification
• Performs system and network self-inspections; provides security coordination and review on all system test plans
• Attends Integrated Project Team (IPT) and Change Control Review Board (CCRB) meetings
• Identifies Automated Information System ( Confidential ) vulnerabilities/countermeasure implementation
• Represents customer on various technical review teams
• Conducts security surveys at subordinate facilities and gathers pertinent security documentation for inclusion into system accreditation packages
• Coordinates, prepares and tracks Confidential inspections, reports and responses
• Maintains Confidential security records
• Advises on and prepares Co-utilization Agreements for network nodes operating in subordinate government and contractor facilities
• Receives direction from the ADF-SW ISSM and government Program Security Officer (PSO)

Confidential, Las Cruces, NM

Sr. Advanced Engineer - Information Assurance

Responsibilities:

• Ensure Information Systems (IS) are operated, maintained, and disposed of in accordance with internal security policies and practices outlined in the Systems Security Plans.
• Identify legal, regulatory and contractual requirements and organizational policies and standards ( Confidential 800 series, ICD - 503) and other IS security directives to maintain compliance on all assigned systems.
• Detect and prevent computer security compromises by developing and implementing risk awareness program conducting training to ensure stakeholders understand risk and contribute to the process to promote a risk aware culture.
• Collect information and review documentation to ensure identified risks are evaluated.
• Identify potential threats and vulnerabilities to systems and processes, associated data and supporting capabilities to assist enterprise risk evaluation.
• Identify and report compliance risks to initiate corrective action and meet regulatory requirements. Analyze risks, incidents, and interdependencies to determine impact on objectives.
• Identify, evaluate, review, and apply risk response options and provide management and other stakeholders with decision information.
• Validate efficiency, effectiveness, and economy, apply risk criteria, develop profile, and assist in creation of risk response action plans.
• Identify IS control performance measurement metrics and key process indicators.
• Assess and recommend automated IS controls in consultation with process owners to ensure alignment with needs and objectives.
• Monitor controls and implementation process to mitigate risk, ensure effectiveness, timeliness, cost, and scope.
• Provide progress reports, ensure deviations are addressed, and keep stakeholders informed.
• Ensure controls are tested to verify effectiveness and efficiency before implementation and documentation, and provide training to ensure it.
• Oversee system vulnerability scanning supporting IS evidence control and conclusion support and effectiveness, and provide status to decision making stakeholders.
• Facilitate resource identification needed to implement and operate optimal IS controls.
• Use preventive and or negation of malicious code Commercial-of-the-Shelf (COTS) logical scanning tools.
• Translate technical security information (jargon) into comprehendible language for other support ISSOs.
• Update and maintain all security related databases.
• Ensure system recovery processes are monitored and security features appropriately restored.

Confidential, Las Cruces, NM

Senior Information Systems Security Engineer

Responsibilities:

• Provided protection for assigned automated information systems (IS) with multiple operating systems for one of the most complex United States networks.
• Supports system security on multiple multi - billion dollar platforms while providing crucial data to senior Department of Defense policymakers.
• Identified legal, regulatory and contractual requirements and organizational policies and standards ( Confidential 800-53, ICD-503, DCID 6/3, NISPOM) and other IS security directives to maintain compliance on all assigned systems. Identified potential threats and vulnerabilities to systems and processes, associated data and supporting capabilities to assist enterprise risk evaluation.
• Identified and reported on compliance risks to initiate corrective action and meet regulatory requirements.
• Analyzed risks, incidents, and interdependencies to determine impact on objectives.
• Detected and prevented computer security compromises by developing and implementing risk awareness program, conducted training to ensure stakeholders understood risk and contributed to the process to promote a risk aware culture.
• Performed critical in-depth system security plans, and A&A documentation reviews, oversees certification performance tests, conducts system inspections, audit log reviews, and develops and tracks performance metrics.
• Identified, evaluated, reviewed, and applied risk response options and provided management and other stakeholders decision information.
• Validated efficiency, effectiveness, and economy, applied risk criteria, developed profile, and assisted in creation of risk response action plans.
• Identified IS control performance measurement metrics and key process indicators.
• Assessed and recommended automated IS controls in consultation with process owners to ensure alignment with needs and objectives.
• Monitored controls and implementation process to mitigate risk, ensured effectiveness, timeliness, cost, and scope.
• Provided progress reports, ensured deviations were addressed and kept stakeholders informed. Ensure controls are tested to verify effectiveness and efficiency before implementation, and provide documentation and training to ensure it.
• Planed, supervised, and oversaw IS Control testing to verify effectiveness and continued efficiency before implementation and documentation and training were provided to ensure effectiveness.
• Collected data and reviewed documentation to identify risks and deficiencies were identified and evaluated.
• Reviewed policies, standards and procedures for requirement verification, and accessed/recommended tools and techniques to automate IS control processes.
• Wrote and edited Concept of Operations (CONOPS) documents, reviewed Request for Changes (RFC) and Change Implementation Notices (CIN) for applicable networks and systems.
• Provided network security policy counsel and guidance, and system security engineering expertise facilitating the ongoing confidentiality, integrity, and availability of classified networks.
• Conducted software reviews to determine suitability for network use.