
Information Systems Security Officer

Location:
Chesapeake Beach, MD, 20732
Posted:
January 24, 2024

Resume:

Information Systems Security Officer (ISSO) – Experienced professional providing information security assurance and systems security support to government agencies and private sector organizations for classified and unclassified Information Systems (IS). Strong background in developing information security policies, procedures, and plans in a clear, concise manner for individual customer environments. Proficient in generating Security Assessment & Authorization (A&A) packages using the Risk Management Framework (RMF) for accreditation. Experienced in Authority to Operate (ATO) compliance maintenance activities such as Continuous Monitoring, Risk and Security Control Assessments, Control Identification, Security Controls Traceability Matrix (SCTM) generation, Vulnerability Assessments and POA&M generation and mitigation actions.

Able to effectively collaborate and negotiate problem resolutions to provide quality service for a wide variety of customers.

Core Competencies

●Policy and directives expertise: RMF, FISMA, NIST, DOD, FIPS, FedRAMP, CNSS, ICD, JSIG, DAPPM, OMB A-130, A-123, FISCAM, GAO and DIACAP.

●Reporting: Plan of Action and Milestones (POA&M) and Corrective Action Plan (CAP) generation and mitigation, milestone tracking and status reporting. Security Impact Analysis (SIA), Privacy Impact Analysis (PIA), Self-Assessments (SA), Vulnerability Assessments (VA), Risk Assessment Reports (RAR), Memorandums of Understanding (MOU), Interconnection Security Agreements (ISA), Authority to Connect (ATC).

●A&A security package generation and reporting tools: eMASS, CSAM, CyberScope and Xacta.

●Incident Handling and investigation, Disaster Recovery/Business Continuity Planning and testing.

●Security vulnerability and compliance scanning/reporting tools: Nessus, Retina, STIGs/STIG Viewer. Utilize SolarWinds Security Event Manager, Splunk and ManageEngine for SIEM.

●Testing: Security control testing, remediation/mitigation action identification and vulnerability and validation testing.

●FISMA and OMB A-123 Program Audit.

Clearance

●DOD Top Secret

Experience

Naval Air Systems Command Headquarters (NAVAIR), Patuxent River, MD. Information Systems Security Officer, Sabre Systems Inc. 2023 - present

●Provide support for PMA systems information assurance program through security assessment and authorization activities in compliance with Risk Management Framework (RMF).

●Prepare and review security-relevant artifacts to include System Security Plans (SSPs), Risk Assessments, CM Plans, maintenance procedures etc.

●Conduct Independent Assessments of the management, operational and technical security controls and control enhancements employed within or inherited by an IT system to determine overall effectiveness of the control.

●Validate assessment and authorization documents and technical assessment results to confirm that the level of risk is within acceptable limits for each software application, and system.

●Ensure that Plans of Action and Milestones or remediation plans are in place for vulnerabilities identified during Risk Assessments, Audits, Inspections etc.

Department of State, Washington, DC, Security Controls Assessor (SCA), 2022-2023

●Developed and executed security and privacy assessment plans in accordance with NIST SP 800-53A, as amended, for each security assessment project.

●Performed independent security and privacy control assessments on behalf of the client in support of RMF Assessment & Authorization (A&A).

●Conducted assessments of existing and new FISMA systems, including subsystems in the respective system boundary, and communicated results and potential implications of identified control weaknesses.

●Documented and provided findings that included concise, system-specific, and actionable recommendations.

●Analyzed security tool reports and determined residual risk or false positives from technical reports and artifacts before assigning findings.

●Supported A&A activities to include RMF steps 4-6 for classified and unclassified systems.

●Created and maintained test cases for security assessment testing and performed security testing at the control-requirement level for each unique component of each system.

●Generated Security Assessment Plans (SAPs) and Security Assessment Reports (SARs) for Assessment activities and final Security Assessment Findings Reports for AO/AODR review and Authorization.

Northrop Grumman, Linthicum, MD, Sr. Information Systems Security Officer (ISSO), 2016-2021

●Performed assessments of systems and networks within the networking environment or enclave and identified deviations from acceptable configurations, enclave policy, or local policy. Achieved through compliance audits and vulnerability assessments.

●Established program control processes to obtain/sustain system accreditation and ensured risk mitigation to include process, analysis, coordination, security certification test and documentation, as well as investigations, software research, hardware introduction and release, technology research inspections and regular audits.

●Assisted in the implementation of required government policy (i.e., NIST, JSIG, ICD) and made recommendations on process tailoring; documented process activities. Performed analysis to validate established security control requirements and recommended additional security requirements and safeguards.

●Supported required Security Test and Evaluation (ST&E) activities through pretest preparations, test participation, and results report generation. Provided recommendations resulting from system vulnerability and compliance scan reports (SCAP and Nessus) and hardening guide documentation (STIGs) for mitigation actions.

●Documented Assessments and Accreditation activities and results; prepared the ATO Body of Evidence (BoE) documentation to include regular updates and reporting such as POA&M activity status. Conducted system audits/reviews and monitored corrective actions until actions were closed.

●Ensured the management coordination with classified programs regarding the design, testing, and implementing of secure operating systems, networks, database products, firewalls, and network architectures to meet government compliance requirements. Ensured environments remain compliant and all associated systems/networks achieved and maintained formal accreditation authorizations from government agencies.

●Conducted computer security briefings, security audits and ensured audit record archival.

●Collaborated with Program Management, Government Program Office personnel and Team Members for compliance activities and issue resolution.

Consumer Financial Protection Bureau (CFPB), Washington, DC. Information Systems Security Officer (ISSO). 2014-2015

●Generated A&A packages using NIST SP 800-53 RMF guidelines as a member of the Security Risk Management (SRM) project team.

●Produced CFPB IT Security policies and procedures.

●Generated Corrective Action Risk Assessment Management reports for CFPB Leadership.

●Collaborated with Security Engineering and Security Control Assessment Team for vulnerability mitigation and compensating control resolution.

●Served as project management representative for cross agency initiatives and services.

Defense Intelligence Agency (DIA), Washington, DC. IT Specialist-INFOSEC / Cross Domain Solutions Analyst, 2012-2013

●Served as member of the Cross Domain Services (CDS) project team working with users, developers and managers on product issues, new product development and updates to existing CDS products.

●Generated and updated System A&A security documentation, testing processes and SOPs from DCID 6/3 to ICD-503.

●Generated CDS training presentations and conducted training for CDS users.

●Researched and implemented solutions for project security and functionality issues; generated Request for Change (RFCs) for Change Advisory Board (CAB) approval.

●Tracked/generated system POA&M mitigation activities, milestones and closures.

●Generated security risk reports, briefings and presentations for DIA management.

●Worked with Security Control Assessors (SCAs) to resolve issues found during security control testing.

●Participated in CDS and IT security Communities of Interest (COIs).

●Performed Reliable Human Review (RHR) and Trusted Agent (TA) activities for manual security domain file transfer.

DISA, Joint Spectrum Center (DISA-JSC), Annapolis, MD. Sr. Information Assurance Officer (IAO) / Systems Security Engineer, 2010-2011

●Reported to the Information Assurance Manager (IAM) on all matters regarding the security of designated JSC information systems and projects.

●Tracked and documented asset STIGs and IAVAs; researched, generated, coordinated and tracked resolution actions for CAT vulnerability closures. Generated associated POA&Ms and milestones. Tracked mitigation actions to closure using DISA’s Vulnerability Management System (VMS) and produced VMS status reports for management review.

●Used Retina Network Security Scanner to identify vulnerability exposures and prioritize remediation activities and ArcSight ESM for security log information and event management.

●Maintained and generated C&A DIACAP package documentation using the Enterprise Mission Assurance Support Service (eMASS).

●Worked with system administrators in transitioning existing JSC systems to the assigned Defense Enterprise Computing Center (DECC) systems-hosting facility per DISA mandate.

●Worked with application developers, network engineers and system administrators to resolve security issues in development/test, production and DECC environments.

●Worked with DISA FSO representatives conducting Security Reviews.

●Generated RFC and Implementation Assessment Reports for Configuration Management Control Board review and approval of system configuration changes.

U.S. Department of Justice (DOJ), Washington, DC. CSAM Information Security Analyst, 2009-2010

●Provided user support for the Cyber Security Assessment Management (CSAM) C&A package generation application and the FISMA reporting tool, CyberScope.

●Developed and conducted CSAM and CyberScope customer training and provided liaison support to Shared Service Center Federal Agency customers such as DOT, HUD, USDA and DOI.

●Conducted IA software requirements analysis on behalf of the customer agencies.

●Conducted CSAM/CyberScope software testing and assisted developers with software debugging.

●Generated and tested CSAM/CyberScope program policies and procedures for product integration and revision update (i.e., NIST SP 800-53 revision updates and FISCAM/OMB A-123 control integration).

Naval Air Systems Command Headquarters (NAVAIR), Patuxent River, MD. Information Assurance Analyst, 2008-2009

●Generated Project Office DIACAP C&A packages for DOD/DON compliance and readiness for NQV evaluation. Transitioned DITSCAP packages to DIACAP.

●Reviewed system STIG and IAVA vulnerability/compliance results from Retina scans; generated risk, vulnerability and compliance reports for IAM review and C&A package compliance.

●Generated NAVAIR SOPs and guides.

●Tracked status of systems and networks for the NAVAIR Enterprise utilizing systems such as DADMS and DITPR-DON.

●Provided SME support on security-related issues for Research, Development, Test and Evaluation and Operational classified and unclassified systems and networks.

●Coordinated C&A collaboration efforts with Project Offices, NQVs, Information Assurance Managers (IAMs) and System Administrators (SAs) in order to obtain IATTs/ATOs. Provided project liaison support between NAVAIR Project Offices, NSA, DOD, DON, and SPAWAR organizations.

Nuclear Regulatory Commission (NRC), Rockville, MD, IT Security LAN/WAN C&A Analyst, 2005-2006

●Security consultant contracted for the NRC LAN/WAN GSS certification and accreditation effort.

●Evaluated existing NRC LAN/WAN security procedures, policies, and plans regarding NIST/FIPS standards and guidelines.

●Developed NRC GSS LAN/WAN system security plans, security categorization documents, self-assessments, risk assessments and contingency plans.

●Assessed NRC security controls using NIST SP 800-53 and NIST 800-53A.

U.S. Department of Energy, Savannah River Site (DOE SRS), Aiken, SC, Computer Security Analyst, 1999-2002

●Computer Security Analyst for the DOE SRS Cyber Security Division providing systems security support to DOE employees and contractors.

●Information Systems Security Officer (ISSO) for classified and unclassified General Support Systems (GSS) and Major Applications (MA).

●Reported to the DOE Information Systems Security Manager (ISSM), Designated Accreditation Authority (DAA) and the CIO, assessing divisional unit security compliance.

●Working member of the Computer Security Incident Handling team.

●Technical writing skills included creation and maintenance of classified and unclassified computer security policies for the DOE Cyber Security Office, generating and evaluating SRS Program Office C&A packages and maintaining site Cyber Security Program Plans.

●Responsible for conducting DOE IT Security Awareness training for users and technical personnel.

Education

●Bachelor of Science (B.S.), Information Systems Management, UNIVERSITY OF MARYLAND COLLEGE PARK, College Park, MD

●Associate of Arts (A.A.), Electronics Engineering Technology, ANNE ARUNDEL COMMUNITY COLLEGE, Arnold, MD

Certifications

●CompTIA Security+ CE

●Microsoft MCSE

●CISM in progress