Security Control Assessor (SCA)
Description:
Job Description
Description:
Job Title: Security Control Assessor
Location: On-site in Arlington, VA
Department: Cyber Security Services
Reports To: Management
FLSA Status: Full Time/Non-exempt
Apavo is at the forefront of cybersecurity, providing services to military, defense, and critical infrastructure industries. Joining the Apavo team means becoming part of a company rooted in the principles of quality, and communication. We value positive, candid interactions and the belief that everyone has valuable contributions to make. Apavo stands out for its commitment to a work-life balance and fostering a growth mindset among all team members. If you are looking to make a meaningful impact in the cybersecurity world while growing professionally in a supportive environment, Apavo is the place for you.
Job Purpose:
The security control assessor (SCAs) supports a critical, objective role to evaluate the effectiveness of implemented controls in mitigating security risks. The SCA will support a critical mission within the intelligence community. In the role as a SCA, you are expected to use automated scanning tools, manual techniques, and specialized testing methodologies to identify weaknesses and vulnerabilities. The SCA is expected to be a collaborative member of the RMF program of the organization, to provide intelligent input to system security architectures in order to align with RMF principles and guidelines. This includes ensuring to guide the RMF process so that security controls are integrated seamlessly into system designs to provide comprehensive protection against threats and vulnerabilities.
This role supports a long-term contract (currently in year 4 of 10) within the Intelligence Community.
Duties & Responsibilities:
The SCA's specific duties include:
Advise the Information System Owner (ISO) concerning the impact levels for Confidentiality, Integrity, and Availability for the information on systems.
Ensure security assessments are completed for each IS.
Initiate a POA&M with identified weaknesses and suspense dates for each IS based on findings and recommendations from the SAR.
Evaluate security assessment documentation and provide written recommendations for security authorization to the CISO and AO.
Assess proposed changes to Information Systems, their environment of operation, and mission needs that could affect system authorization.
Serve as a cybersecurity technical advisor to the CISO and AO under their purview.
Be integral to the development of the monitoring strategy. The system-level continuous monitoring strategy must conform to all applicable published DoD enterprise-level or DoD Component-level continuous monitoring strategies.
Determine and document in the SAR a risk level for every noncompliant security control in the system baseline.
Determine and document in the SAR an aggregate level of risk to the system and identify the key drivers for the assessment. The SCA's risk assessment considers threats, vulnerabilities, and potential impacts as well as existing and planned risk mitigation.
Develop the continuous monitoring plan specific to the information system.
The SCA is responsible for the RMF deliverables associated with Step 4 of DOD and IC RMF Policies for assigned systems. This includes, but is not limited to:
Security Assessment Plans (SAP) tailored to specific systems control requirements
Security control assessment input, which includes narratives for the review of controls and artifacts
Security Assessment Reports (SAR)
ATO recommendations or ATO with Condition Memorandums
Conduct initial remediation actions once a security assessment has been completed to ensure proper hand off to the ISSM and ISSOs.
Assessment of selected controls IAW continuous monitoring strategy
The SCA is expected to have additional duties as assigned in support of corporate cyber security services. Additional details are reviewed in accordance with company policies.
Required Skills & Experience:
Strong knowledge of Risk Management Framework (RMF) 800-37 and continuous monitoring 800-137
Expert knowledge and hands-on experience with FISMA Systems, NIST 800-series guidelines, FIPS, Security Assessment & Authorization (SA&A) requirements and processes, Continuous Monitoring Framework experience and its tools, Plan of Action & Milestones (POA&M) policies, and vulnerability/patch management, risk management, project management, proficient with Microsoft products - Word, Excel, PowerPoint.
Proficient with vulnerability and scanning tools and well-versed in interpreting risk posture resulting from assessment reports.
Experience in project management and tracking, and the Microsoft suite of office products
Experience of assessing cloud-based security authorizations (FedRamp, AWS & Azure) as well as the NIST control responsibilities
Experience with SAP/JSIG
Expert with documenting and or reviewing of security materials such as; system security plans (SSP), Security Assessment Report (SAR), Security Assessment Plan (SAP), and other documents per NIST 800 guidelines.
Other:
This is typical office or administrative work, and there is no exposure to adverse environmental conditions.
This position requires sedentary work. Sedentary work is defined as: Exerting up to 10 pounds of force occasionally and/or a negligible amount of force frequently or constantly to lift, carry, push, pull or otherwise move objects, including the human body. Sedentary work involves sitting most of the time. Jobs are sedentary if walking and standing are required only occasionally and all other sedentary criteria are met.
Apavo Corporation provides equal employment opportunities to all applicants and employees and strictly prohibits any type of harassment or discrimination in regards to race, religion, age, color, sex, disability status, national origin, genetics, sexual orientation, protected veteran status, gender expression, gender identity, or any other characteristic protected under federal, state, and/or local laws.
Consistent with the Americans with Disabilities Act (ADA), it is the policy of Apavo Corporation to provide reasonable accommodation when requested by a qualified applicant or employee with a disability, unless such accommodation would cause an undue hardship. The policy regarding requests for reasonable accommodation applies to all aspects of employment, including the application process. If reasonable accommodation is needed, please contact Apavo Human Resources at or
Employment with Apavo Corporation is on an at-will basis, meaning either you or the Company can terminate the employment relationship, at any time, for any or no reason, and with or without cause or notice. As an at-will employee, your employment with Apavo Corporation is not guaranteed for any length of time.Requirements:
Qualifications
Bachelors Degree in Computer Science or a related technical discipline
Masters Degree preferred.
Minimum 8-10 years of experience.
Must currently possess an active TS/SCI with the ability to obtain and maintain a CI polygraph.
DOD 8140 IAM Level II (CAP, CASP, CISM, CISSP, GSLC, CCISO) is required
Systems Security Engineering background preferred.
Effective communication skills to collaborate with cross-functional teams and stakeholders on implementing security measures organization-wide.
Strong analytical skills for identifying system vulnerabilities and documenting control remediation recommendations through collaboration on System Impact Analysis and Documented Risk Acceptance.
Detail-oriented with the ability to manage multiple tasks and prioritize effectively.
Comprehensive knowledge of RMF activities at a senior level (ability to articulate to Executive audiences preferred).
Familiarity with federal regulatory requirements, contractual obligations, and industry standards related to information security. Evaluate adherence to standards such as Privacy, GDPR, and HIPAA
Full-time