Sign in

Security Management

Herndon, VA, 20170
April 15, 2016

Contact this candidate


Dr. Edgar Carmenatty, CISSP, ITIL Foundations v.*

***** ******* ****** ***. ***

Herndon, VA 22304

Phone : 703-***-****


Excellent problem solver, with strong communication, teamwork, and interpersonal skills. For more than 23 years, acknowledged for capacity to tackle challenging issues, analyze viable alternatives, and provide innovative solutions. Had accumulated an extensive and diverse technical experience in IT Field, emphasizing in management, computer security, network administration, programming, and PC support. Have a master in computer security management (Summa Cum Laude), CISSP and ITIL v3 certifications.

Persistence, personal integrity, and channeled energies are major strengths consistently cited by managers praising team spirit, independent work habits, and the determination to conquer technical challenges.

• DIACAP (VMS, eMass, Xacta, Gold Disk, and Retina)

• DIACAP (C&A package dev. management)

• Incident Management

• ITIL Foundations - V3

• Policy Development and Implementation


• Exposed to FedRAMP



Experience supporting C level senior executives.

Experienced Security Manager.

Certified Information Systems Security Professional (CISSP).

OS Platform: Windows NT 4.0/ 2000/ 2003 Servers

Knowledge on eMass, Xacta AI Manager, Gold Disk, Retina, MS-Office (Word, Excel, PowerPoint, Outlook, Publisher), 97-2010, MS Project and MS Visio.

Collaborates with other departments (e.g., Risk Management) to direct compliance issues to appropriate existing channels for investigation and resolution.


PhD, Information Technology,

Capella University, Minneapolis, Minnesota

GPA: 3.42, graduation date, March 2015

Master of Science, Computer Science, Computer Security Management, December 2009

Strayer University, Alexandria, Virginia

GPA: 3.92, Summa Cum Laude

B.S., Computer Science, Computer Programming, Minor: Accounting, June 1985

Interamerican University, Guaynabo, Puerto Rico

GPA: 3.21, Major GPA: 3.53


Top Secret


Summa Cum Laude. Strayer University, December 2009.

Outstanding Performance Award. Command Information, Washington, DC, March 2008.

Appreciation for Contribution. Anvicom, Washington, DC, 2008.


Experience supporting C level senior executives, Computer/Network Security, team building and leading, customer Needs Assessment, Team Development/Motivation and Technical Support.


Raytheon Blackbird Herndon, VA Oct. 2015 – Present

Quality and Compliance Manager

In charge of developing and revising the United States Postal Service (USPS) enterprise-wide cyber security strategy, policies, governance structure, compliance program, and risk management framework. USPS is an organization with 486,822 career employees, 31,662 Postal Service-managed retail offices and annual revenue of 67.9 billion.


Interface with the CISO team and other leaders to ensure that security goals and policies are supported by well-defined processes, with measurable results, in strict compliance with applicable laws, regulations, and policies.

Ensure that key configuration change procedures are exercised, measured, and monitored to ensure predictable results.

Coordinate regularly with leadership supporting the CISO.

Serve as key resource in promoting quality and policy compliance.

Contribute to development of training resources.

Work with vulnerability assessment manager to collect measures of policy and configuration compliance.

Measure progress and success, as well as identify weaknesses and remediation.

Provide ongoing status to CISO using accurate and current data.

Contribute to policy development and implementation as it relates to NIST guidance.

Coordinate across organization to ensure that all leadership is aware of goals and requirements.

Provide customer with an end-to-end capability.

Manage policy and policy implementation

RedPort-Information Assurance (USSS) Washington, DC Oct. 2014 – 2015

Compliance Officer

My responsibility as a Compliance Officer includes the reviews of policies and procedures. Assist in the review of FISMA accreditation and authorization (A&A) compliance reports, questionnaires, procedures, certifications and the evaluation o A&A documents.

Additional duties comprise the following:

Gain a thorough understanding of the company’s systems. Learning who has access and where weak points of the systems are. Recommend ways to improve and update the security of the company’s computers. Recommend ways to improve a system’s security, through both hardware and software solutions.

Develop, implement, maintain, and revise policies and procedures for the general operation of compliance processes and its related activities and manages day-to-day Accreditation and Authorization (A&A) operation issues.

Act as part of the CISO’s independent review and evaluation body to ensure that A&A process complies with FISMA requirement and address compliance concerns that may exist within the organization.

Design, monitor and oversee the implementation of a SharePoint A&A portal and application that is been used to coordinate all FISMA compliance activities for the client's systems portfolio such as:

oPOA&M management

oAssessment and Authorization documentation management

oHardware and software inventory

oPolicy Management

oSystems boundary

oAnalysis of scans results on a per boundary basis

oGroups Weekly Actions Reports

oChange request


This portal is been used to identify trends and to measure and improve processes performance.

Identify potential areas of compliance vulnerability and risk; develops/implements corrective action plans for resolution of problematic issues, and provides general guidance on how to avoid or deal with similar situations in the future.

Blue Canopy Herdon, VA Oct. 2013 – Oct. 2014

Sr. Consultant

My responsibility as a consultant was to resolve any security issue that may surface. It does not matter if I am coaching a person, facilitating a meeting, leading a training class, dealing with NIST Risk Management Framework issues or I am dealing with some IT Governance challenge, I will adapt to the needs of my client. My obligation as a consultant was to understand the business problem or need, develop appropriate recommendations, and present the pros and or cons and trade-offs to the executive. He or she must have all available information to help him or her to make an informed decision.

As part of my responsibilities, performed the following duties:

Participate on security control assessments for a federal (civilian) General Support Systems (GSS) and Mayor Applications (MA) to ensure compliance with FISMA security framework controls using CMS Information Security Acceptable Risk Safeguards (ARS) 2.

Verify that that systems owned or managed by the federal agency meet specific security requirements on the following classes of security controls: operational, management and technical.

Determine completeness and compliance of the following documents: System Security Plans (SSP), Contingency Plans (CP), Incident Response (IR) plans, and artifacts.

Verify that the agency security controls and requirements had been satisfied.

Work on reports, presented to ISSOs, CISO, Cyber Security Team, and CIO that depict vulnerabilities and suggested mitigations that could be used to improve the system(s) security posture.

This role also requires interviewing Federal employees and/or contractors with security responsibilities in any of the three security classes (management, operational and technical) during systems security assessments.

RedPort-Information Assurance (DOT) Washington, DC Aug. 2012 – Sept. 2013

IMC/Security Manager (Sr. Security Manager) Manage a team of 21 employees

Gain a thorough understanding of the company’s systems. Learning who has access and where weak points of the systems are. Recommend ways to improve and update the security of the company’s computers.

Recommend ways to improve a system’s security, through both hardware and software solutions.

Revise and set user policies and protocols, monitor them, and enforce them. They must also set up countermeasures that protect the system when an unauthorized user attempts to gain access to the system.

As a member of the team supporting the DOT Office of the Secretary (OST) senior executives under the Information Assurance Office (SSO) I am executing managerial responsibilities as the IMC (Incident Management Center) and Security Manager. In charge of providing an integrated approach to IT security services for monitoring and responding to Infrastructure and Network Incidents throughout the DOT COE (Common Operations Environment) with over six thousand (6,000) users.

In charge of creating and developing a comprehensive set of operational procedures and guidelines that will help DOT the mission and ensure compliance to Federal and DOT security requirements following the: DOT Cyber Security Compendium, FISMA, Computer Security Act of 1987, The Clinger-Cohen Act, OMB Circular A. 130, NIST SP 800-18, SP 800-37, SP 800-53, and FIPS 199 series and Act as a consultant to support information assurance policies, standards, directives and requirements initiatives.

Assisted ISSO:

oOn the implementation of applicable cyber security policies for the information system and those aspects of information system-related physical security.

oVerifying and certifying that operational security posture is consistent with DOT’s security policy.

oOn the distribution of cyber security, notices and advisories are distributed to appropriate personnel and that vendor-issued security patches issues were reported.

oAs the manager of the Incident Management Center serves as a focal point for cyber security incident reporting and subsequent resolution for assigned information systems

oOn each phase of the SDLC security-related documentation at each phase meets all identified security needs.

oTo maintain the security assessment and authorization documentation (formerly C&A) for information systems according to Department of Transportation Cyber Security Compendium.

oOn the selection of NIST SP 800-53r3 baseline security controls are appropriate for the information system based on the FIPS 199 security categorization guideline, NIST SP 800-53 guidance, and supplemental Department of Transportation policy and the Departmental Cyber Security Compendium.

oRecording all known security weaknesses of assigned information systems in the POA&M in accordance with Department of Transportation policy and procedures.

oTracking all security education and awareness training conducted for personnel and contractors, as required by Departmental Cyber Security Compendium.

oOn required updates that were performed to key documents in accordance with NIST SP 800-37 for continuous monitoring as supplemented by Departmental Cyber Security Compendium.

oIdentifying changes to the information system that may affect security controls, performing the security impact assessment of proposed changes, reporting any change in risk posture, and providing recommendations for risk mitigation.

oDeveloping an FISMA Compliance Database (MS Access) that it is used as part of the Continuous Monitoring Strategy to monitor and track vulnerability findings from Plan of Action & Milestones (POA&M), identifying vulnerabilities that can be quickly resolved and to follow up with Subject Matter Experts (SMEs) to update current POA&M status. This application manages meetings, agenda/minutes, and dashboard, organize an artifact repository, organize data collection for audits, and research support in addressing POA&M findings.

oVerifying and ensuring that external connections to/from information systems and networks are provided by an approved Trusted Internet Connection Access Provider (TICAP) or DOT-approved Managed TIC Provider Service (MTIPS).

oEnsuring that the information on the security management system (CSAM) accurately contains required information system inventory, categorization, POA&Ms and other security metrics required by the CIO through this policy and the Departmental Cyber Security Compendium for the system(s) for which the ISSO is responsible.

oCompleting mandatory annual specialized information security training.

Managed several projects such as Improvement of the Incident Management Center, POA&M management, and resolution that included the development of an Access Database as part of the vulnerabilities resolution strategy.

TWD & Associates (NAVY) Washington, DC Feb. 2012 – Aug. 2012

HQ Operations Project Services Team PM (Managed a team of 11 employees) – Promotion from prior position.

Responsible for DIACAP and project management teams that provide security engineering, operations and maintenance support to NAVSEA systems.

Responsible for managing the schedule, technical execution, contractual compliance and customer satisfaction in coordination with an internal program management office (PMO), government senior program management and technical points of contact, and subcontractors

Responsible for Project Control team that ensures that HQ NAVSEA IT systems conform to the DoD/DoN Governance Chain. The Chain’s “links” include FISMA, DITPER-DON, DIACAP Certification and Accreditation Process, NMCI Certification, DADMS and SAHRAP Registration and Approval Process, CARS and LNS Initiatives, and a growing number of subordinate requirements and procedures. Project Control performs other duties such as maintaining NAVSEA Server and Software Portfolio in DADMS; producing NMCI and other technical documents that support HQ NAVSEA systems; and assisting system owners by conducting and documenting FISMA Annual Security Reviews, Security Controls Tests, and Contingency Plan Tests.

Provide security guidance in Information Assurance (IA), Certification and Accreditation (C&A), network security, security life cycle management, risk management, and security awareness.

Assist in the review of DIACAP documentation to support systems accreditation.

Ensured that Department of the Navy, DoD, DIACAP and NIST security requirements and processes are properly implemented on Navy computers, systems and networks and thoroughly documented for formal system accreditation.

Developed and implemented two applications, one for C&A package verification with canned findings and a weekly/ monthly status report used to justify TWD and Associates presence.

C&A Projects Managed:

oEnhancement of the Incident Management Center

oVoice Over Internet Protocol

oProgram Executive Office Integrated Warfare Center Integrated Data Environment


oDigital Signage and IPTV

oVideo Teleconference

oSecured Video Teleconference

TWD & Associates (NAVY) Washington, DC Nov. 2011 – Feb. 2012

Configuration Management Analyst 4 (Supervised one employee) – Promoted to the next position

Assists in the maintenance and control of the configuration of identified items such as baselines, documentation, drawings, specifications, and associated documentation within approved Configuration Management parameters.

Check DoD DIACAP C&A packages for quality control.

Delta Resources (DISA) Alexandria, VA May 2011 – Nov. 2011

Senior Information Systems Analyst/ Alternate IAM

Support the IAM on oversight of information systems security for automated information systems assigned to the PEO-MA directorate through participation in working groups and with individual users.

Responsible for understanding, implementing, and complying with all policies and procedures identified in DoDD 8500.1, DoDI 8500.2, DoDI 8570.1 and the DoD Information Assurance Certification and Accreditation Process (DIACAP).

Responsible of developing and maintaining the organization of DoD information system-level IA program that identifies IA architecture, IA requirements, IA Security Plan, IA objectives, and policies. Additionally, the support includes: reviewing, commenting, tracking, and maintaining the DISA repository for all PEO-MA IA certification and accreditation documentation; ensuring that all systems, associated Information Assurance Vulnerability Assessments (IAVA) and Security Readiness Reviews (SRR) results are recorded and in the Vulnerability Management System (VMS); track and report on all IA management review items; monitor IAVA compliance in VMS and prepare weekly IAVA compliance reports.

Support the Directorate IMO in providing automation support to the end users. The IMO’s duties and responsibilities include developing and publishing the Directorate Information Management Plan (IMP); identifying, tracking, recommending automation equipment requirements; developing procedures to validate and manage information requirements; communicating, collecting and reporting data calls related to Action Information Management System (AIMS) suspense’s; researching, responding, and reporting on Requirements Identification Documents (RIDS). The IMO is the first contact for the Help Desk for end-user automation support and is the designated representative to request automation support.

Support the Directorate Equipment Custodian in receiving, tracking, issuing, and disposing of all Automated Data Processing Equipment (ADPE).

Alion Science and Technology (NAVY) Alexandria, VA August 2010 – May 2011

Senior Data Security Analyst

Experience with DIACAP process. Software used for documentation and evaluation of systems: Xacta AI Manager (User and Administrator), Gold Disk, and Retina.

Develop, implement, enforce, and communicate security policies or plans for data, software applications, hardware, telecommunications, and information systems security education/awareness programs.

Carry out all phases of information systems/networks security program that involves access to computers and computerized data enabling company to meet contractual requirements for network security.

Research, evaluate, test, recommend, communicate, and implements new security software or devices.

Conducted regular audits to ensure that systems are being operated securely, and information systems security policies and procedures are being implemented as defined in security plans.

Conducted investigations of computer security violations and incidents, reporting as necessary to the management. Identifies and recommends solutions to security exposures.

Developed, tested, and operated firewalls, intrusion detection systems, enterprise anti-virus systems, and software deployment tools.

Worked with commercial computer product vendors in the design and evaluation of state-of-the-art secure operating systems, networks, and database products.

Coordinated with project teams in system consolidation, information security software upgrades, and contingency management planning and execution.

Responded to queries and requests for computer security information and reports. May prepare security reports to regulatory agencies such as Departments of Defense or Energy.

Provided guidance to less skilled Data Security Analysts.

Unisys (TSA) Reston, VA June 2009 – August 2010

Network Design Engineer 4

Analyzed local and wide area network systems, including planning, designing, evaluating, selecting operating systems and protocol suites and configuring communication media with concentrators, bridges and other devices.

Oversee network communications for Cisco routers and switches. Fulfill requested security changes (port security) following contract and change control procedures.

Resolved interoperability problems to obtain operations across all platforms including E-Mail, file transfer, multimedia, teleconferencing and the like.

Configured and harden systems for secure user environments.

Supported acquisition of hardware and software as well as subcontractor services as needed.

Unisys (Census Bureau) Reston, VA February 2009 - June 2009

Consultant 2

Member of the Unisys Training team, in charge of evaluating, modifying training materials for the Census, Office Computing Environment (OCE), and the Mobile Computing Equipment (MCE).

My main responsibility as a member of the team was Puerto Rico’s Spanish documentation validation and QC. This included to verify the correctness in the translation of:

o Personal information and identification (PII) data protection while gathering information.

oInstructions on how to manage government equipment (computers) that contains PII.

Beacon Hill (Census Bureau) Largo, MD November 2008 - February 2009


Member of the Unisys Training team, in charge of evaluating, modifying training materials for the Census, Office Computing Environment (OCE), and the Mobile Computing Equipment (MCE).

My main responsibility as a member of the team was Puerto Rico’s Spanish documentation validation and QC. This included to verify the correctness in the translation of:

oPersonal information and identification (PII) data protection while gathering information.

oInstructions on how to manage government equipment (computers) that contains private information

Anvicom/CommandInformation (FAA) Washington, DC May 2006 - November 2008

Helpdesk Manager

Help Desk Manager at FAA, responsible for providing advice to end-users on software and hardware related problems. Computer imaging, AD management, and support to users, printers, and tape library and enforcement of department policies as:

Enforced established policies on physical access to data processing equipment.

Enforced access control policies into network drops.

Magnetic media management protection and destruction.

Did on the spot training on how to identify and protect PII media and data.

Access control to digital resources in digital media.

On the spot training on software usage, access control, phishing, malware, email usage, PII protection, software installation protection. Safe management of recording media.

Friendly presence and helpful attitude; excellent interpersonal skills and ability to work well with others.

Information Network Inc. Lanham, MD September 2005 - May 2006

Network Administrator

Responsible for overseeing the daily operations of thirteen (13) Windows 2000/2003 servers at the headquarters.

In charge of server, workstation anti-virus, installations and updates. Medial protection, backups, access control, system and services acquisition, systems and communications protection.

In charge of controlling physical access to HQ and one additional office.

Managed office expansion for a new contract, this included new drops, and computers physical security of a VPN for remote access to HQ servers. Manage the internal IT helpdesk providing support to desktop to 40 users, and assist the Office of the CIO in building and maintaining the growing corporate IT infrastructure. Additionally, administrator of the following systems: Data Watch (Access control system), Avaya IP Office (IP telephony system).

Florida Hospital Orlando, FL June 2003 - April 2004

System Analyst

Designed analyzed, coded and implemented several applications for the call center using Telescript (call center scripting software for inbound and outbound).

Develop applications that increased productivity and reduced phone time.

Develop programs that had controls for information integrity and access controls to program modules.

Executrain Orlando, FL October 2000 - October 2002

IT Manager

Responsible for the setup and maintenance of six (6) training rooms (100 computers). In charge of network accounts maintenance, connectivity, security, trust, upgrades, troubleshooting (protocols, software, and hardware), installation and configuration of software, the email system, and all computers in both sites. Responsible of supervising one person during this period.

Responsible for overseeing the daily operations of five (5) Windows 2000 and one (1) Novel servers at the headquarters and one office at Melbourne.

Performed server, workstation anti-virus, installations, and updates. Responsible of medial protection, backups, access control, system and services acquisition, systems, communications protection, inventory, and configuration control.

In charge of controlling physical access to HQ and one additional office.

Florida Technical College Orange City, FL January 2000 - July 2000


Responsible for the technical training of new MCSE 4.0 candidate’s technologies at the college. Gave classes on courses like: Supporting Microsoft Windows NT Server 4.0 Enterprise Technologies, Administering Microsoft Windows NT 4.0, Core Technologies of Exchange Server 5.0, and 5.5, Supporting Microsoft Windows NT 4.0 Core Technologies, Microsoft IIS 4, Supporting Microsoft Windows NT 4.0, and Internetworking with Microsoft TCP/IP.

In charge of MCSE training of setup, maintenance of NT computers, systems hardening, system accounts standards policies (security templates) and maintenance. Additionally, responsible of network connectivity, security, trust, upgrades, troubleshooting (protocols, software, and hardware), system configuration management, contingency planning, media protection and server’s physical protection.

Scala of North America Lake Mary, FL January 1999 - January 2000

Senior Technical Consultant

Responsible for the installation and upgrade of Scala’s accounting application all over US, the Caribbean and South America.

Productivity Point International Santurce, PR June 1997 - November 1998

Senior Technical Instructor

Responsible for delivering technical training for MCSE and MCSD candidates. Delivered seminars and or trainings on Microsoft Certified Development and Network courses, MS Office and Project.

In charge of training MCSE candidates in setup and maintenance of NT computers, systems hardening, system accounts standards policies and maintenance. Additionally, instructed on network connectivity, security, trust, upgrades, troubleshooting (protocols, software, and hardware), system configuration management, contingency planning, media protection, and server’s physical protection.

DRC, Inc. Santurce, PR January 1996 - June 1997

Certified Instructor/Consultant

Worked as an application development consultant and MS Certified Curriculum trainer.

Developed programs that implemented information access and integrity controls coded into program modules.

WSD Corp Rio Piedras, PR September 1994 - January 1996


In charge of client software, hardware evaluation, for automated solutions. Develop solutions in a Windows environment using Visual Basic 3.00, FoxPro 2.6, Access 2.00, prepared related documentation, and installation of software and servers.

Developed programs that implemented information access and integrity controls coded into program modules.

Interamerican University, Computer Center Guaynabo, PR September 1989 - August 1994


In charge of managing the campus central computing facility operations of as it provided both academic and administrative support to the organization

In charge of budget ($750,000), planning, presentation, and implementation.

Established the first inter-divisional committee, that provided each division technological needs.

Supervised 11 employees.

In charge of systems, service acquisition, protection of systems communications, program management, policy planning, and access controls




Fully Qualified Navy Validator, April 2012

Certified Information Systems Security Professional (CISSP), February 2010

Certified Cisco Network Associate. Cisco Certification (CCNA), October 2009 - June 2012

ITIL Foundations V3, October 2009

MCP. Microsoft, June 2002

MCSE - NT4. Microsoft

MCSD - Visual Basic 6. Microsoft

MCP+Internet. Microsoft


Fully Qualified Navy Validator, April 2012

Cyber Law I, 2011

IA Briefing for Senior Operational Leaders, 2011

NETOPS: An Overview, 2011

NETOPS: Applied to GIG Operation, 2011

Introduction to Continuity of Operations, 2011

Annual Antiterrorism Training, 2011

Annual OPSEC Awareness, 2011

Annual Counterintelligence Training, 2011

DoD Information Assurance Training, 2011

PII Training, 2011

Phishing Ver. 1.0 - Operations, 2011

ITIL Foundations V3, 2009

CISSP, 2009

CCNA, 2009

Contact this candidate