
Enterprise Risk Management

Location:
Dumfries, VA
Posted:
October 12, 2023


Resume:

Egbert H. Creque, Jr. “JC”

Citizenship: United States

Clearance: Secret

Location: VA

Contact

Mobile: 571-***-****

E-mail: ad0bwn@r.postjobfree.com

Profile

Objective: Results-driven cybersecurity leader with 20 years of experience in Compliance, Project Management, and Risk Life Cycle Management. Able to provide expert technical advisory and oversight to support risk management activities within information technology organizations. Seeking to contribute my analytical expertise and strategic insights to enhance risk management processes at your organization.

Work Experience

Cybersecurity Solutions Group – Cybersecurity Program Manager, March 2023 to Present

An emerging cybersecurity firm with expertise in Enterprise Risk Management, Cybersecurity and Infrastructure Security Agency (CISA) High-Value Asset (HVA) Program Management, CISA Zero Trust Program Management, Continuous Diagnostics and Mitigation (CDM) Program Management, Risk Management Framework (RMF), Federal Information Security Modernization Act (FISMA), Department of Defense (DoD) cyber, compliance, project management, risk analysis, assessments, and authorizations management.

Cybersecurity Program Manager March 2023 to Present

Provide expertise in developing and implementing enterprise risk management frameworks and strategies.

Developed integration planning initiatives through active participation in Configuration Control Boards, shaping risk management policies, processes, and assisting in Capability Maturity Model Integration (CMMI) implementation and risk management plan development.

Proven ability to identify, assess, and mitigate risks across multiple business units and operational areas.

Extensive experience in conducting risk assessments, assessing risk appetite, and implementing risk mitigation plans.

Proficient in conducting security assessments and applying appropriate security controls to protect high value assets.

Extensive experience in developing and maintaining HVA inventory, assessing vulnerabilities, and ensuring compliance with program guidelines.

Strong understanding of Federal Zero Trust principles, concepts, and implementations.

Proficient in assessing and enhancing network security controls to align with the Zero Trust approach.

Extensive experience in implementing the RMF for federal systems, including DoD cyber environments.

In-depth understanding of FISMA requirements and compliance standards.

Proficient in conducting security assessments, developing System Security Plans (SSPs), and managing Plan of Action and Milestones (POA&Ms).

Strong project management skills, including planning, organizing, and executing cybersecurity initiatives.

Proven ability to lead cross-functional teams, set project milestones, and ensure timely delivery within budget constraints.

Skilled in stakeholder management and effective communication to achieve project objectives within defined constraints such as time, budget, and resources.

Expertise in performing comprehensive risk analyses and assessments.

Proficient in identifying and evaluating security vulnerabilities, threats, and impacts.

Experienced in conducting security authorizations and producing relevant documentation for compliance.

Excellent oral and written communication skills with a proven ability to interface with senior management.

Skilled in technical writing, producing comprehensive risk management plans and assessments.

Zachary Piper Solutions (ZPS) – Enterprise Risk Management SME, March 2022 to March 2023

Zachary Piper Solutions is a national security technology company that delivers innovative systems, solutions, and services in support of mission-critical initiatives on behalf of the Intelligence Community, DoD, Department of Homeland Security, Department of Justice, and Department of State.

Cybersecurity and Infrastructure Security Agency (CISA) – ZPS Contract, March 2022 to March 2023

CISA works with agency partners to defend against today’s threats and collaborates with industry to build more secure and resilient infrastructure for the future. CISA is at the heart of mobilizing a collective defense to understand and manage risk to our critical infrastructure.

Enterprise Risk Management Lead March 2022 to March 2023

Supported the identification, categorization, assessment, tracking, and monitoring of enterprise risks.

Applied unique strategic, technical, and engineering knowledge, skills, abilities, and experience to the planning, development, and implementation of cyber capabilities for CISA.

Supported the CISA Federal HVA Program in planning, prioritizing, and coordinating the delivery of cybersecurity services to Federal agencies with the goal of assessing the enterprise risk posture across the Federal HVA enterprise.

Supported the CISA Zero Trust Program to enable least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised to ensure Risk Identification, Risk Evaluation, Risk Response, and Risk Monitoring requirements are addressed.

Provided guidance and direction on DHS regulations, principles, and practices pertaining to Risk Management support functions.

Provided expertise in risk management life cycle activities and best practices.

Conducted research, developed guidance, defined decision-making methodologies and approaches, and provided direct assistance in the form of focused workshops and seminars.

Led the design and implementation of a robust security governance program for CISA, aligning security practices with business objectives and regulatory requirements.

Provided cybersecurity engineering, support, analysis, documentation, and/or validation services for a broad set of Information Technology (IT) solutions, including applications, networks, systems, architectures, and infrastructure.

Provided thought leadership and influence through my strong leadership presence with my consultative, analytical, organizational, and strategic planning skills.

Advised, guided, consulted, and provided support for risk assessment and mitigation activities for the CISA CDM Program.

Provided security engineering expertise in support of the security architecture of large and complex enterprises and/or major mission systems/investment programs - from initial threat and risk assessments to security architecture requirement development and implementation.

Provided cybersecurity engineering, support, analysis, documentation, briefs, reports, dashboards, and/or validation services for a broad set of IT solutions, including applications, networks, systems, architectures, and infrastructure.

Booz Allen Hamilton (BAH), August 2020 to February 2022

Booz Allen Hamilton is a leading professional services company, providing a broad range of services and solutions in management, technology, consulting, and engineering.

Defense Information Systems Agency (DISA) Joint Service Provider (JSP) – BAH, August 2020 to February 2022

JSP operates and defends the DoD key cyber terrain and provides IT services to the Pentagon and National Capital Region (NCR) customers.

Risk Management Framework (RMF) Projects Lead August 2020 to February 2022

Provide oversight for defining a plan of prescribed measures, methodologies, and processes to be used toward ensuring the establishment and enforcement of enterprise-wide cybersecurity compliance for the JSP Risk Management Division (JP22).

Ensure compliance with all appropriate cybersecurity-related requirements, laws, regulations, instructions, and standards within JP22.

Directed Risk Management within a multi-disciplinary team, offering technical advisory and lead system integrator technical oversight to the government division lead.

Manage the review of RMF Enterprise Mission Assurance Support Service (eMASS) Project Management Plans to ensure timelines do not exceed ongoing cyber security workloads and provide capacity recommendations to add resources as required to accommodate the dynamic JSP environment.

Developed and maintained JP22 security policies, ensuring they were up-to-date and communicated effectively to all staff.

Provided comprehensive end-to-end System Development Life Cycle training, aligning risk management practices with project phases and objectives.

Guide the JP22 RMF Process Workflow Team to conduct a thorough review of the JSP Assessment and Authorization (A&A) processes to ensure alignment within the constructs as defined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework; the integration of privacy risk management processes; an alignment with system life cycle security engineering processes; and the incorporation of supply chain risk management processes. Our review included the current A&A framework and processes in a complementary manner within the RMF to effectively manage security and privacy risks to agency operations and assets and individuals within JSP.

Recommend authorization path determinations for JSP cyber projects in accordance with the conditions outlined in DoD Instruction 8510.01, “Risk Management Framework for DoD Information Technology (IT),” DoD Instruction 8500.01, “Cybersecurity,” and CNSSI 1253, “Security Categorization and Control Selection for National Security Systems”. Ensured adherence to JP22 work instructions and authorization determination tools to promote consistency in the way DoD Information Technology types are determined across JSP.

Review and recommend boundary device transitions within JSP to ensure all boundary changes are assessed, approved, implemented, and reviewed in a controlled manner. The transition review is not to eliminate risk but to ensure that risk is addressed and accepted within JP22 policies and procedures.

Lead the Assess & Authorize/Authorized to Connect (A&A)/(ATC) and Assess Only/Not Yet Assessed (AO)/(NYA) Workload Tracker Meetings to provide an authoritative metric source for the RMF authorization cycle of all systems within the JSP portfolio. This weekly workload tracker meeting presents system updates to JP22 government leadership, highlighting potential delivery risks and coordinating action items between government and contract staff.

Oversee JP22 artifacts in accordance with approved DISA SOPs and DoD Instruction (DoDI) to ensure artifacts are quantifiable and measurable while maintaining JP22 quality assurance standards.

Managed boundary modification and approvals of JP5 Systems to facilitate risk management and accountability via the ServiceNow IT Helpdesk Management solution. This included boundary support incidents and requests that were recorded to allow the JP223 Team to monitor progress as we reviewed boundary modification submissions, allow multiple JSP branches to collaborate, and have a wider overview of the JP223 boundary approvals via ServiceNow. Our boundary workflow solution within ServiceNow allowed JP223 to track, prioritize, manage, respond to, organize, and resolve boundary submissions within JSP.

Network Security Systems Plus, Inc. (NSSPlus) – Director of Cybersecurity, April 2008 to July 2020

NSSPlus is a certified ISO 9001:2015 and ISO 27001:2013 Veteran-Owned Cybersecurity Company that serves on the cybersecurity frontier.

United States Agency for Global Media (USAGM) – NSSPlus Contract, November 2019 to July 2020

The mission of the United States Agency for Global Media (USAGM) is to inform, engage, and connect people around the world in support of freedom and democracy.

Lead Security Control Assessor November 2019 to July 2020

Lead Security Control Assessor for authorization reviews to measure performance and deliverables for Voice of America, Radio Free Europe/Radio Liberty, Office of Cuba Broadcasting (Radio and TV Martí), Radio Free Asia and Middle East Broadcasting Networks (Alhurra TV and Radio Sawa) Divisions within USAGM.

Technically assessed both major application and general support system security configurations and implementations.

Interfaced with federal employees and contractors to perform security assessment activities and was responsible for presenting the vulnerability findings to internal and external customers and clients of USAGM.

Analyzed the results from vulnerability scanning and Security Information and Event Management (SIEM) tools such as DHS Continuous Diagnostics and Mitigation (CDM) Tool, Qualys, Nessus, FireEye, and Splunk.

Interfaced with USAGM clients related to the overall security control assessment program and all security control assessment activities.

Effectively identified and understood customer needs and requirements, resulting in the development of streamlined and effective risk management processes and reviews.

Developed Project Schedules, Security Assessment Plans (SAPs), Security Assessment Reports (SARs), POA&M Reports, and Executive-Level briefings.

Used Xacta as the primary automated risk management, risk assessment, risk remediation, and security compliance tool for the management of authorizations within USAGM. Developed a body of evidence for USAGM A&A packages to manage cyber risk with compliance automation, continuous monitoring, and ongoing authorization that included SSPPs, CPs, CP Tests, Privacy Threshold Analysis, SAPs, and SARs. Utilized Xacta to perform automated documentation needed for FedRAMP continuous monitoring compliance reporting for USAGM authorizations.

Developed templates for NIST 800-171 and FedRAMP LI-SaaS assessments and authorizations.

Conducted assessments to validate USAGM Configuration Management Databases (CMDB) to adhere to the Security Review Guides based on four security core standards: Application, Network, Operating System, and Policy. The Control Correlation Identifiers (CCIs) and Security Technical Implementation Guides (STIGs) represent discrete, measurable, and actionable items sourced from Information Assurance (IA) controls defined in a policy, such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. This provided a secure review methodology to evaluate technical requirements for applying security concepts to database management systems (DBMS) within USAGM.

Defense Health Agency (DHA) – NSSPlus Contract, March 2017 to October 2019

DHA is a joint, integrated Combat Support Agency that enables the Army, Navy, and Air Force medical services to provide a medically ready force and ready medical force to Combatant Commands in both peacetime and wartime.

Cybersecurity Lab Deputy Project Manager, March 2017 to October 2019

Actively support the Cybersecurity requirements for the DHA Cybersecurity Directorate (CSD) Assessment & Authorization (A&A) Branch.

Coordinator of the DHA RMF Integrated Product Team which serves as the governing body for collaboration on DHA RMF transition guidance and procedures.

Developed joint risk management impact analyses documentation, formulating innovative mitigation strategies to mitigate system development acquisition risks and ensure project success.

Manage the monthly RMF Component Transition Issues Document distributed throughout DHA/CSD.

Actively manage over 25 RMF Packages quarterly and POA&M Management Templates, SOPs, and Guides to support DHA AO authorization decisions.

Reviewed over 2700 Common Control Identifiers (CCIs) across 950 controls to identify Common Control Providers and areas of responsibility.

Manage the RMF training attended by DHA A&A Branch Chiefs, SCARS, ISSMs, ISSOs, PMs, Uniformed Personnel and Contractors.

Provide tactical Common Control Documentation, which outlines roles and responsibilities between DHA CS, Line Side CS, and Service Medical entities and the MTFs transitioning to the MED-COI.

Actively manage A&A policies, procedures, CS research and development; supporting A&A Teams and system/application development teams; and implementation of the DHA/DoD RMF process.

Provide oversight for DHA RMF Portal, DHA A&A SOPs, Training, and Cybersecurity tools used within the DHA A&A program.

Actively support complex technical security evaluations and solutions to implement and support a full spectrum security program and CS technology initiatives.

When Cybersecurity regulations are introduced, proactively identify their impact on the DHA A&A Program. Develop recommended solutions to address new regulations or challenges to implementing existing ones.

Perform program management, project planning, internal/external report development, facilitation, meetings, and administrative tasks.

Provide management and oversight for Plan, Policy, Process, and Procedure Review and Development, Audit & Assessments.

Monitor and track DoD Cybersecurity guidance for dissemination to DHA Cybersecurity stakeholders.

Conduct status meetings, provide weekly management reporting, and attend related meetings, seminars, and conferences as required.

Defense Contract Management Agency (DCMA) – NSSPlus Contract, June 2016 to February 2017

DCMA is a Department of Defense (DoD) Combat Support Agency responsible for ensuring the integrity of the government's contracting process and provides a broad range of acquisition management services.

DCMA CIO Deputy Project Manager, June 2016 to February 2017

Coordinate the creation, development, and organization of DCMA IT Cost Models. Maintain documentation of business processes in support of IT executive decision making.

Direct the development and completion of DCMA Business Cases in support of the DCMA CIO to document IT Analysis of Alternatives, Risk Analyses, Project Plans, Business Cases, Cost Models and Standard Operating Procedures.

Facilitate the Analysis of Alternatives for IT Projects, including Benefits/Cost Analysis Data (OMB A-94) to select the solution based on strategic value, lifecycle costs, and risks; and ensure compliance with DCMA, DoD, and the DoD Federal Enterprise Architecture (FEA) requirements.

Successfully provided mission services for risk management, supporting acquisitions at both program and project levels. Conducted thorough analysis of stakeholder requirements, ensuring compliant solutions while expertly balancing risks related to cost, schedule, and technical performance.

Maintain OMB Circular A-11 and A-130, Section 8b compliance for DCMA IT projects/programs.

Research Strategic Value and Need for DCMA IT Projects, including performance information tied to the Government Performance and Results Act – Modernization Act of 2010 (GPRA-MA).

Maintain OMB guidance for DCMA Capital Planning and Investment Control (CPIC)/IT Management and Governance.

Provide support for:

DoD Information Assurance Certification and Accreditation Process (DIACAP) for all Information Systems (IS), enclaves, and application systems under the purview of DCMA CIO IAW DoDI 8510.01.

The transition for DCMA to RMF, updating policies, procedures, and processes as appropriate.

Developing risk management guidelines associated with the Certification and Accreditation (C&A) process and recommending improvements to accreditation processes and tools.

Conducting the baseline, tracking, and processing of accreditations and authorizations.

Defense Health Agency (DHA) – NSSPlus Contract, April 2008 to May 2016

DHA is a joint, integrated Combat Support Agency that enables the Army, Navy, and Air Force medical services to provide a medically ready force and ready medical force to Combatant Commands in both peacetime and wartime.

Cybersecurity Deputy Program Manager, November 2013 to May 2016

Responsible for coordinating with the DHA Chief of the Assessment and Authorization Branch within the Health Information Technology Directorate on the transition to DoDI 8510.01 which delineates the roles, responsibilities, and high-level life cycle process of the RMF for DoD IT as the replacement for DIACAP for current DHA Assessments and Authorizations (A&A).

Provided technical advisory skills with a proven track record of collaborating effectively with cross-functional teams over multiple authorizations.

Member of the DHA Cybersecurity review team assigned to adopting NIST Special Publication 800-37 RMF processes, shifting of DHA roles and responsibilities, implementing new cybersecurity controls based on Committee on National Security Systems (CNSS) 1253 and adopting new terminology for cyber security roles and processes for DHA.

Project Manager for DHA Cybersecurity Independent Verification and Validation (IV&V) Team Program providing oversight and direction to deliver DIACAP/RMF accreditations/authorizations to DHA. The DHA CS Team approach builds upon the six Steps of the RMF (Categorize, Select, Implement, Assess, Authorize, Monitor) to conduct IV&V assessments for DHA.

Project Manager to ensure the DHA CS Team performs a map/gap analysis of existing security processes and technologies for DHA systems, identifies the scope of work required to fully implement DoD RMF requirements, leverages current documentation and procedures where possible, develops and implements risk based focused tools and procedures, and delivers a compliant cybersecurity program focused on risk-based decision making for DHA authorizing officials.

Provide extensive experience in Continuous Diagnostics and Mitigation (CDM), continuous assessment, and cybersecurity integration with the System Development Life Cycle (SDLC) to implement a complete cybersecurity program for DHA that delivers cyber risk management, not just C&A/A&A packages.

Designed the integration of the Project Management Institute (PMI) and Capability Maturity Model Integration (CMMI) Maturity Level 2 methodologies on all DHA CS Team IV&V efforts to ensure consistency, repeatability, quality, and efficiency of A&A assessments.

Ensured DHA CS Team IV&V assessments are categorized, analyzed, secured, assessed, and authorized using consistent guidelines and standards, so that a system authorized for one division within DHA can be accepted by another division via reciprocity.

Provide DHA CS Team direction and oversight for the utilization of eMASS for DHA information system C&A/A&A.

Designed DHA CS Team Assured Compliance Assessment Solution (ACAS) IV&V assessment procedures to ensure the automated network vulnerability scanning, configuration assessment, application vulnerability scanning, device configuration assessment, and network discovery for C&A/A&A are completed appropriately and with consistency for DHA authorizations.

Cybersecurity Team Lead, April 2008 to October 2013

Responsible for the integration of Cybersecurity throughout the DIACAP life cycle of DHA information systems and divisions.

Experienced CS Manager for DHA reporting to the DHA Chief of the Cybersecurity Division. Manager for the implementation of a DIACAP Certification and Accreditation program required by the DoD for Outsourced IT-Based Processes and Automated Information System (AIS) applications.

Function as a liaison between the DHA, CS Team, and the DoD contractors to complete C&A packages in a timely, professional, and organized manner. This includes, but is not limited to: gathering and organizing technical information about an organization’s mission goals and needs, existing security products, and ongoing programs in the security arena; defining and analyzing security requirements; designing, developing, engineering, and implementing security solutions to achieve business objectives; and performing risk analyses, including identifying and periodically evaluating information security controls and countermeasures to mitigate risk to acceptable levels, as well as reporting significant changes in information risk to appropriate levels of management for acceptance on both a periodic and event-driven basis.

Conducted ongoing authorization reviews of products, processes, and systems, driving continuous improvement efforts and pinpointing opportunities for optimization.

Conducted regular risk assessments and implemented appropriate controls to mitigate identified risks. Monitored and reported on risk levels to DHA leadership.

Served as a critical risk management resource during design reviews, guaranteeing that identified risks and issues adhered to specified milestone entrance/exit criteria and government-established top-level requirements.

Executed, drafted, edited, and maintained C&A Packages throughout the DIACAP Life Cycle. This included but was not limited to the development of C&A documentation such as the System Identification Profile (SIP), DIACAP Implementation Plan (DIP), DIACAP Scorecard, Information System Core, Memorandum of Agreement (MOA), Letter of Agreement (LOA), Service Level Agreement (SLA), Inherited Information Assurance (IA) Controls Memorandum, Security Education, Awareness & Training, Privacy Impact Assessment, C&A Boundary Device Matrix & Diagrams, IA Controls Report, Incident Response Plan, Contingency and Business Continuity Plan (CBCP), Information System STP&ER, Vulnerability Matrix (VM), Mitigation Strategy Report (MSR), Physical Security Assessment (PSA), Designated Accreditation Authority (DAA) Presentation, Ports Protocols and Services (PPS) and Registry Spreadsheet, and POA&M.

Member of a technical process review team assigned to assist in the design of the DIACAP Automation System (DAS). DAS delivers enterprise-wide visibility into C&A status and accepted risks. DAS is a web-based business intelligence platform designed to optimize the implementation and execution of the DIACAP processes by automating workflow, reporting, system vulnerability scanning, and document management tasks.

Assisted the Defense Criminal Investigative Services, Defense Information System Agency (DISA), and the Air Force in completing a Command Cyber Readiness Inspection (CCRI) on a DoD Contractor Network. Conducted compliance validations on current network accreditation, evaluated enclave and network security, including network vulnerability scans, and assessed compliance with Department of Defense Information Assurance policies as directed by the JTF-GNO's Enhanced Inspection Program (WARNORD 06-18 and Amplified Guidance) and in accordance with the CJCSI 6211.02C.

Lead the Tiger Team Working Group to discuss the functional ability of DAS and feature requests/recommendations on new functions that would aid in the DHA C&A process.

Perform on-site and remote initial and mitigation system security scans, Internet scans, and database scans using ISS software and Security Readiness Reviews (SRR)s in accordance with DISA requirements.

Provide reports indicating the vulnerabilities determined from the scans along with recommended resolutions.

Responsible for the certification of applications, systems, or networks in compliance with DoDI 8510.01, DoDI 8500.2 and DoDD 8500.1, and other applicable directives.

Execute C&A plans against a negotiated timeline and assist Designated Approving Authority (DAA) and application/systems or network owners with defining all applicable Information Assurance and security requirements in compliance with all applicable DoD policies, directives, and guidance.

Develop and execute security test plans in coordination with the site’s information, based on the requirements.

Review security design documents (SDDs) identifying the security boundary, security infrastructure, and host systems in the planning and coordinating of Retina, AppDetectivePro, WebInspect, and DISA security assessment tools such as Production Gold Disk (PGD), Security Technical Implementation Guides (STIGs) and SRRs.

Conduct periodic reviews of accredited applications, systems, or networks to ensure configuration stability and continued compliance with information assurance and security requirements.

Ensure compliance with privacy and Health Insurance Portability and Accountability Act (HIPAA) requirements and provide guidance to applications, systems, or networks owners as necessary.

Conduct Physical Security audits per DoD policy, directives, and guidance, Ports and Protocol audits per DoD policy, directives, and guidance, and conduct Test of Readiness Reviews validating schedule and readiness for manual and automated scanning of computing environment components.

Prepare comprehensive Risk Assessment Reports to support interim accreditation and Accreditation Reports to support full accreditations.

Education & Certifications (Complies with DoD 8570.01M - IAT III, IAM III and IASAE III)

Certificate of Cloud Security Knowledge (CCSK) - CSA

Certified in Risk and Information Systems Control (CRISC) - ISACA

Federal IT Security Professional – Manager (FITSP-M) - FITSI

Certified Information System Security Professional (CISSP) - ISC2

Security+ Certified Professional - CompTIA

Bachelor of Science in Management of Information Systems, New York Institute of Technology, Old Westbury, NY

Information Security Compliance and Regulation

Compliance Methodologies: RMF, A&A, C&A, FIPS 140-2, FIPS 200, FIPS 201, OMB, FISMA, HIPAA, NIST, HVA, Zero Trust, FedRAMP, C-SCRM, AI

Security Clearance

DoD Secret - Expires September 2029

Department of Homeland Security Secret – Expires April 2028


