Security Controls Assessor (Cross Domain Solutions) bei Pueo Business Solutions

OVERVIEW:

The Cross Domain Solutions(CDS) SCA conducts a comprehensive assessment of the security controls employed within or inherited by an CDS Information System (IS) to determine their overall effectiveness, and submits the Body of Evidence (BoE), composed of the System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), and draft Authorization to Operate (ATO) Letter, to the Authorizing Official (AO) or Delegated Authorizing Official (DAO) for review and authorization decision. The SCA also advises key stakeholders, such as the Program Office, Data Owner and Authorizing Official/Delegated Authorizing Official concerning the security categorization and impact levels for confidentiality, integrity, and availability for the information on a CDS system.

• Support the Assessment and Authorization (A&A) Risk Management Framework process for all client managed systems, networks, and enclaves (all security domains); ensure validity and accuracy review of all associated documentation; support remote sites when required.
• Advise ISSOs on categorization and selection of security controls (RMF steps 1 and 2) and conduct Technical Exchange Meetings (TEMs) where they collaborate with other security professionals.
• Communicate finding impacts through presentations and written deliverables.
• Stay up to date with the latest trends and technologies related to IC policy to continuously refine security inspection protocols.

REQUIRED QUALIFICATIONS:

• Expert knowledge and hands-on experience with RMF, NIST 800-series guidelines, FIPS, Security Assessment & Authorization (SA&A) requirements and processes, Continuous Monitoring Framework experience and its tools, Plan of Action & Milestones (POA&M) policies, and vulnerability/patch management.
• Expert with documenting and or reviewing of security materials such as; system security plans (SSP), Security Assessment Report (SAR), and Security Assessment Plan (SAP), and other documents per NIST 800 guidelines. Knowledge is Cross Domain Solutions to included but not limited to:
• Evaluating the security controls of systems that handle the transfer of information between different security domains or levels of classification. Their technical functions encompass a range of tasks aimed at ensuring the integrity, confidentiality, and availability of data across disparate domains. Here are the technical functions typically associated with this role:
• CDS Architecture Review: Conduct in-depth reviews of cross domain solutions architecture to understand the design, components, and data flows between different security domains. Evaluate the effectiveness of data isolation mechanisms, data filtering techniques, and boundary protection controls.
• Security Policy Analysis: Analyze security policies, guidelines, and regulations governing the transfer of information between security domains. Ensure that CDS solutions comply with relevant security requirements, including government regulations, industry standards, and organizational policies.
• Security Controls Assessment Planning: Develop comprehensive assessment plans tailored to the unique characteristics of cross domain solutions. Define assessment objectives, scope, methodologies, and success criteria based on established security standards and best practices.
• Data Diode and Guard Evaluation: Assess the security posture of data diodes, guards, or other mechanisms used to enforce one-way data transfers between security domains. Verify the integrity and effectiveness of data transfer mechanisms while maintaining strict data separation.
• Data Filtering and Sanitization Testing: Test data filtering and sanitization mechanisms implemented within CDS solutions to prevent the transfer of malicious content or unauthorized data. Evaluate the effectiveness of content filtering rules, data validation techniques, and malware detection capabilities.
• Interoperability Testing: Verify interoperability between different CDS components, systems, and networks to ensure seamless data transfer across security domains. Identify and resolve compatibility issues, protocol mismatches, and configuration conflicts that may impact data exchange.
• Cross Domain Access Control Review: Review access control mechanisms implemented within CDS solutions to enforce fine-grained access restrictions based on user privileges, roles, and security clearances. Assess the effectiveness of access control policies, authentication mechanisms, and audit trails.
• Security Incident Response Testing: Simulate security incidents, data breaches, or unauthorized data transfers to evaluate the responsiveness of CDS solutions. Test incident detection, alerting, and response capabilities to ensure timely mitigation of security incidents.
• Security Documentation Review: Review documentation related to CDS solutions, including system architecture diagrams, security plans, configuration guides, and operating procedures. Ensure that documentation accurately reflects implemented security controls and operational processes.
• Security Risk Assessment: Conduct risk assessments to identify and prioritize security risks associated with cross domain information transfer. Evaluate the impact of potential threats and vulnerabilities on the confidentiality, integrity, and availability of sensitive data.
• Compliance Assessment: Assess compliance with regulatory requirements, government directives, and contractual obligations related to cross domain information sharing. Ensure adherence to standards such as the Committee on National Security Systems (CNSS) policies and Defense Information Systems Agency (DISA) guidelines.

• Skills:
  • Solid interpersonal and communication skills to interact with various stakeholders and team members effectively.
  • Expert hands-on experience interrupting compliance and vulnerability scanning tool reports from (XACTA, STIGS, ACAS, PRISMA, Splunk, Trellix (HBSS), and/or other vulnerability scanners)
  • Some experience leading security projects and initiatives.
  • Team-player with collaboration qualities and experience working in mixed technical teams.
• Possess a master's degree, with 12+ years of total experience/equivalent certifications.
  • Master's degree may be substituted with a bachelor's degree and 5+ years of additional experience/equivalent certifications, for a total of 13+ years.
• Certifications:
  • Obtain an IAT-III or Maintain IAT Level III Certification in compliance with DoD 8570.01-M and DoD Directive 8140 Cyberspace Workforce Management.
  • CASP+ CE
  • CCNP Security
  • CISA
  • CISSP (or Associate)
  • GCED
  • GCIH
  • CCSP

CLEARANCE:

• Top Secret Security Clearance with SCI eligibility and ability to Pass CI Poly.