
Security Manager

Location:
San Francisco, CA
Posted:
September 24, 2015

Resume:

JOSEPH F. TOHER, JR.

acrtzx@r.postjobfree.com

443-***-****

SUMMARY:

•A&A/ C&A Subject Matter Expert (NIST/DIACAP), Information Security/vulnerability assessments and mitigation strategies. Network security architectures, assessments, policy, Security Management, Strategic Security Plans, complete A&A packages, POA&M and continuous monitoring management, Counterterrorism experience.

•Evaluation and resolution of problem programs. Extensive experience with handling security issues and coordination with flag rank, C-level officials, and government senior level executives. Saves time and money.

•Cybersecurity customer requirements analysis, risk assessments, counterterrorism assessments and operations, system security audits, policy, and implementation.

PROFESSIONAL ACCOMPLISHMENTS:

Cornerstone Engineering Associates/Cornerstone Advisory Group (May 2006-present)

FISMA/FEDRAMP Subject Matter Expert supporting SAP federal cloud offering. Worked with SAP engineers in design of FEDRAMP compliant cloud, and provided advice on resolving discrepancies from FEDRAMP audit.

FISMA manager for Federal Communications Commission. A&A SME and Information Systems Security Officer for 11 major applications. Prepared six complete A&A packages for submission in six months. Redesigned process for A&A to address expired systems. Worked with developers to introduce security testing as part of routine software development. Primary systems were the FCC Integrated Spectrum Auction System, which handles multi-billion dollar spectrum auctions, and the FCC financial system of record, GENESIS.

Barling Bay, LLC. (October 2012-June 2013)

•Program Manager for Bureau of Indian Affairs. A&A SME/Senior Security Engineer for BIA Office of Information Security. Managed all BIA systems Security Controls Assessment efforts. Implemented Continuous Monitoring solution using SPLUNK, NESSUS and other COTS products. Implemented ITIL processes to enhance team work assignments and efficiencies. Developed and implemented standardized procedures for A&A efforts, POA&M management, and implemented new QA systems for deliverables and A&A artifacts. Specified security requirements for centralized data center, and implemented new NIST-compliant authorization boundary architectures (major applications, infrastructure, enterprise, and physical and environmental). Repaired problem contract, realigned staff, and saved client funding with no loss of efficiency or profitability.

Cornerstone Engineering Associates/Cornerstone Advisory Group (May 2006-Present)

•C&A/A&A Subject Matter Expert for NOAA CIO. Designed, wrote, and implemented new methodology to ensure consistent security artifacts and deliverables across 8 contractors and 117 systems. Included assessment methodology, QA process, deliverable management, NIST compliance, POA&M management, etc. Designed NIST compliant A&A process, ensuring SDLC compatibility. Aligned processes with Risk Management Framework architecture. Wrote draft RFI, PWS, and other acquisition documents for CIO contract aligning A&A methodologies.

•Specified NOAA requirements for FEDRAMP implementation. Coordinated front-end software solution for server/storage provisioning. Reviewed security controls for FEDRAMP implementation, and specified System Security Plan requirements. This implementation involved moving large amounts of data, coordinating interconnection security agreements, MOU/SLA, etc.

•Information Assurance Subject Matter Expert for Pension Benefit Guaranty Corporation (financial management of pension plans). At client request, completely realigned Enterprise Security program to NIST requirements. Implemented NESSUS and Acunetix vulnerability scanning, vulnerability mitigation strategies, and risk management efforts. Conducted COOP testing and evaluation, developed complete tracking metric for organization. Specified COTS security tools. Brokered sensitive investigations concerning security violations, and recommended mitigation and corrective actions. Conducted IV&V on COOP testing at two sites.

•A&A Subject Matter Expert for USDA FSIS. Developed security policies, and implementation plans. Developed methodology for FSIS field inspectors to update software remotely. Developed policy tracking effort to be used in FISMA reporting. Developed A&A strategy for major applications authorization, and worked with CIO office for implementation.

•Certification and Accreditation Subject Matter Expert for the Veterans Affairs Web Operations project, in which the entire VA network operations required C&A support. Wrote all documents (ST&E, FISMA risk analysis, Configuration Management Plan, Security Plan, Contingency Plan, Incident Response Plan, Privacy Impact Assessment, etc.). Instituted routine systems auditing, configuration/change management, enhanced network security operations, and interconnection security agreements. Instituted NIST compliance where none existed.

•Certification and Accreditation Subject Matter Expert for National Weather Service Historical Climate Monitoring System upgrade. Wrote all C&A documents, developed security processes for program.

•Certification and Accreditation Subject Matter Expert for Centers for Medicare and Medicaid Electronic Health Records project. Wrote all C&A documents, initiated configuration management process, security auditing.

•Conducted the first U.S. Navy Platform IT Certification and Accreditation effort for a complex Homeland Defense System using modified DIACAP methodology. Directed the entire information assurance testing of the system.

•Developed and conducted training for Centers for Medicare and Medicaid on Certification and Accreditation, CIO manager’s briefing and training, and others. Used various NIST guidelines (NIST 800-53, 800-53A, 800-37, various FIPS publications) to assess security controls and recommend mitigation strategies.

Improsive Technologies Inc. (Aug 2003-April 2006)

President of Improsive Technologies Inc.

Targeted, closed, and directed operations of $9 million small business.

•Worked at the request of Assistant Secretary of Defense in establishing oversight and independent assessment of Defense Security Service operations. Directly supported the Directors of DSS and the Office of Personnel Management. Efforts included vulnerability assessments (NIST 800-53, 800-53A, DITSCAP, various FIPS guidelines), establishment of critical operations call center, revamping entire security clearance process automation, establishing business analysis of DSS operations, independent verification and validation of other contractor software.

•Grew the company from zero to $9 million in under three years.

Lucent Technologies (Jan 2003-Aug 2003)

Principal, Lucent Technologies Government Services Group.

•Developed support contract for Lucent’s efforts in support of rebuilding Iraq, identified partner companies, established negotiations, and drafted proposals.

Seidcon, Inc. (June 2002-Jan 2003)

Program Manager, NASA ISEM Security

•Conducted risk and vulnerability assessments of NASA HQS networks, including ISS scans of networks. Conducted wireless network evaluations, identified system vulnerabilities, and implemented mitigation strategies. Wrote Security Plans for NASA HQS networks (including financial, administrative, operational, and public access). Evaluated all networks at NASA HQS for inclusion into the new “one NASA” program mandated by the NASA CIO, and recommended migration strategies (including product, software and hardware evaluation). Coordinated NASA HQS Contingency/Disaster Recovery Plan, and conducted all training on NASA HQS Contingency Plan. This involved teaching NASA systems administrators, system owners, and system developers.

•Worked in the security design and operations planning for a new NASA video teleconferencing system currently being developed. Conducted vulnerability and risk assessments on the system design, and recommended system modifications.

Dimensions International, Inc. (April 2002-June 2002)

Senior Certification and Accreditation Engineer

•Conducted and coordinated all C&A activities at Army Materiel Command HQS. Wrote the security test and evaluation plans, SSAA, configuration management plans, security plans, and disaster recovery plans for the Army Materiel Command HQS networks. Evaluated network architectures for C&A, provided feedback to systems administrators on the network architecture, and documented the networks using VISIO and other tools. These networks had never been documented, nor had a comprehensive risk assessment been performed before. Wrote all necessary C&A documentation for administrative, financial, operational, executive, and Internet networks. Wrote the command’s contingency plan/disaster recovery plan, and authored test scripts for the plan’s testing.

•Requested by the AMC CIO to evaluate subordinate command’s C&A packages before receiving accreditation and approval to operate.

KPMG (Aug 2001-June 2002)

Manager, Information Risk Management

•Developed Public Health Assessment methodology for Texas Commissioner of Health for hospital readiness for biological warfare attack, involving HIPAA compliance, counterterrorism vulnerability assessments, and implementation strategies. Developed assessment methodology for hospital operational networks, plans for connectivity to National Guard, local law enforcement, Centers for Disease Control, National Institutes of Health, and other agencies, and recommended HIPAA compliance methodology for systems accreditation. Provided checklists for biological/chemical agent recognition, and wrote hospital procedures for mass casualty operations.

•Conducted Counterterrorism Assessments at major telecommunications companies, which involved physical, network, personnel, and executive security operations. Wrote methodologies for executive evacuation, operations personnel relocation, recovery operations, and backup plans. Identified serious vulnerabilities in network architectures, and recommended mitigation strategies. Wrote training scenarios for corporate testing and evaluation, and wrote the evaluation methodology for these tests.

•Defined HIPAA requirements and methodologies for University Medical centers and major urban hospitals in Dallas. These hospital complexes were being combined into one large network, with dissimilar software, hardware, administration, and operations. Identified several systems vulnerabilities, and provided mitigation strategies and plans.

Network Security Corporation/Timeplex Federal Systems

Director, Information Security Services

•Provided information security evaluations to large retailers (global operations), assessed vulnerabilities in hand-held pricing and inventory devices, demonstrated network intercept techniques, and recommended mitigation strategies. Evaluated network security at a large food production corporation (global market), and recommended mitigation strategies during a large corporate acquisition that combined three companies into one.

Federal Data Corporation

Director, Information Systems Security Services.

•Developed, signed and directed a $10 million Department of Justice contract to perform Independent Verification and Validation on C&A work done by various departments and bureaus including FBI, U.S. Marshals, Bureau of Prisons. Established the plan for conducting IV&V on DOJ systems, and wrote the methodology for feedback and coordination.

•Defined common policy security requirements for Assistant Attorney General, DOJ Director of Information Security (INFOSEC), and Director of DOJ Justice Management Division.

•Developed methodology to manage security operations and security software functionality for the CASSINI spacecraft for Director of INFOSEC, Jet Propulsion Laboratory, Pasadena, CA. These methodologies ensured the operational information security of the spacecraft during a near-earth flyby. Performed risk assessments for the JPL-managed Defense Nuclear Threat Reduction Agency.

GRC International, Inc.

Business Development/Operations.

•Wrote the DoD policy for securing network perimeters for the Assistant Secretary of Defense.

•Conducted a $3 million effort that prepared and tested the AT&T portion of DISN for Certification and Accreditation (passed with no problems). Effort included complete revision of entire C&A package, writing a new STE, new security plans, new network documentation, and establishment of a viable SSAA.

Intermetrics, Inc.

Director Baltimore/Washington INFOSEC services group

•Team leader and director of $2.5M contract providing policy, Certification and Accreditation efforts, and Intrusion Detection for the Pentagon Single Agency Manager (SAM) program. In this contract, wrote the methodology for the SAM INFOSEC office to evaluate C&A packages from the entire National Capital Region. Conducted risk/vulnerability assessments on Pentagon networks.

•Security team leader and director of $8 million contract managing all INFOSEC, C&A (including SSAA, ST&E, policies, configuration management, etc.), network architectures, field deployments, policy, and library work for the Bosnia Command and Control Augmentation (BC2A) initiative (DISA, NSA, DARPA), which deployed new information and intelligence capabilities to tactical troops in Bosnia. Supported first operational Predator UAV deployment. Prepared the entire system for STE and wrote the security plans for global operations. Guided the program through C&A for accreditation at three levels (Secret, NATO Secret, and International forces), and developed methodologies using DITSCAP and NATO C&A regulations.

•Wrote draft methodologies and was awarded a $45M contract for DISA Defense Telecommunications Megacenters, providing INFOSEC support at DISA regional centers worldwide. This involved providing migration from mainframe to networked architectures, intrusion detection, risk assessments, and security program implementation. Wrote templates for subordinate units to use in preparation of their C&A packages, and developed package assessment guidelines for DISA headquarters.

Aaron B. Floyd Enterprises

INFOSEC Program Manager/Business Development and Senior Communications Security Engineer

•Established the company’s first INFOSEC department. Specifically requested to oversee program security for BC2A program ($2M), and to evaluate and prepare the program for C&A. Prior to arrival on the program, no INFOSEC plans or operations had been established.

Defense Information Systems Agency

Computer Specialist

•Directed, wrote, and coordinated Defense Information Systems Agency (DISA) INFOSEC services contract ($1.7 billion) which included C&A support for DOD networks. Wrote STE test scenarios, Source Selection criteria, and negotiated a small business set-aside for the contract.

•Established the first joint NSA/DISA customer requirements database for information security. Developed and conducted customer interviews to establish common requirements. These requirements were used to guide the development of NSA INFOSEC products for the entire U.S. Government.

U.S. Navy/U.S. Army

Senior INFOSEC/Cryptologic Officer

•Chief, Counterterrorism Target Development Branch at NSA. Directed and led a team of professionals in developing new methodologies to identify terrorist threats. During this classified program, directed and performed operations worldwide.

•Project Manager for NSA business development council responsible for requirements processing for State Department, DOD, Department of Transportation, Federal Aviation Administration, the White House, FBI, and various drug enforcement agencies. Recommended programs for NSA funding, engineering support, and established level-of-effort for all of these programs.

•Conducted INFOSEC assessments at several government facilities, including U.S. Naval stations, National Institutes of Health, Naval Weapons ranges, and others. These assessments included threat and vulnerability evaluations, security operations, and reports recommending specific mitigation strategies for these organizations.

•Prepared, trained, directed, and operated with specialized intelligence teams conducting specified operations (intelligence gathering, communications security, and others) for national authorities on several naval vessels. Described as “essential to the war-fighting abilities” of these vessels by commanding officers.

Executive Officer, Naval Security Group Activity (NSGA) at Keflavik, Iceland; Operations Officer at NSGA Terceira, Azores; Cryptologic Officer at NSGA Rota, Spain; and Senior INFOSEC Officer at NSA.

•Directed INFOSEC/Intelligence Threat Assessment for DOD facilities. Directed and performed National Security operations and Intelligence analysis.

Senior Linguist/Intelligence Analyst

•Conducted linguistic operations including voice intercept, translation, and processing of foreign languages (German and North Vietnamese) for Army and National programs. During this time, served at the 7th Radio Research Field Station in Thailand, the Defense Language Institute, and at the National Security Agency.

EDUCATION:

•BA, Anthropology and Linguistics, University of Maryland, College Park, Maryland.

•Certificates in North Vietnamese and German, Defense Language Institute, Monterey, California.

•Certificates in Signals Intelligence Reporting, Advanced German Translation, Cryptologic Management, INFOSEC Management, National Cryptologic School, Fort Meade, Maryland.

•Certificates in Total Quality Management Techniques, Process Action Team Operations, Statement of Work Preparation, DISA, Arlington, Virginia.

•Certificate in Counterterrorism Analysis, Defense Intelligence Agency (DIA), Washington, D.C.

•Certificate in Military Justice for Commanding/Executive Officers, Naval Justice School, Newport, R.I.

•CISM expected June 2016