Security Clearance Cloud

Location:
Laurel, MD
Posted:
March 01, 2024


AHMED E ELSAFTY SECURITY CLEARANCE: TS

571-***-**** ad31tp@r.postjobfree.com 15401 Bond Mill Rd Laurel MD 20707

I am a seasoned cybersecurity leader with over 25 years of experience in FISMA auditing, Security Management Framework (RMF) processes, and senior-level consulting. My expertise lies in securing and ensuring compliance of complex global technology ecosystems for government organizations. I have a proven track record of leading audit teams in multiple locations, while maintaining a business-first approach with executives and vendors. Additionally, I possess a deep understanding of information security risk management, regulatory compliance, and policy adherence, with a focus on FISMA Audits and Cloud Security Compliance. I am willing and capable of traveling to meet the needs of the organization.

Professional Experience

Sr. Cybersecurity Lead, SGSS and IP Keys Technologies, 12/2020 – Present

In my current role, I serve as the Department of Defense's (DoD) principal representative on the Joint Authorization Board (JAB), actively collaborating with Homeland Security and the GSA within the FedRAMP framework. My responsibilities extend to work with the DISA team, ensuring Cloud Service Providers (CSPs) adhere to the DoD's stringent Cloud Computing Security Requirements Guide (SRG) for authorization in DoD environments.

Key Responsibilities

Strategic Leadership and Partnership: Represent the DoD on the Joint Authorization Board (JAB), fostering strategic alliances with Homeland Security and the GSA to enhance the FedRAMP program's cloud service security and compliance.

Security Compliance Oversight: Ensure CSPs' compliance with DoD security standards as detailed in the Cloud Computing Security Requirements Guide (SRG), facilitating their Provisional Authorization (PA) for operation within DoD environments.

Documentation Review and Evaluation: Manage the submission and detailed evaluation of CSPs' documentation packages against the SRG and FedRAMP standards, ensuring security and compliance.

Guidance and Evaluation: Provide directional guidance to assist CSPs in meeting DoD and FedRAMP security compliance, focusing on thorough evaluations, vulnerability identification, and the recommendation of mitigation strategies.

Achievements

Enhanced Cloud Security Frameworks: Instrumental in enhancing security and compliance frameworks within the cloud service provisioning process for DoD use, ensuring CSPs meet or exceed the mandated security requirements.

Efficient Authorization Process: Streamlined the authorization process for CSPs, significantly improving the efficiency and effectiveness of security evaluations and compliance checks.

Robust Vulnerability Management: Led a comprehensive vulnerability management program, identifying and mitigating potential security threats, thereby strengthening the DoD's cloud security posture.

Strategic Security Initiatives: Spearheaded key initiatives to improve ongoing monitoring and risk assessment practices, enhancing the security and resilience of cloud services within DoD environments.

Security Classification and Compliance Management

Developed and managed security classification levels for DoD information, ranging from Unclassified to Sensitive Compartmented Information (SCI), ensuring appropriate access controls and protection measures are in place.

Directed the evaluation of cloud access points (CAPs), connection processes, and continuous monitoring strategies, upholding DoD security standards across cloud services.

Audit and Continuous Monitoring

Led audit programs for reviewing CSP security packages against FedRAMP templates and checklists, ensuring comprehensive coverage of security controls and compliance with federal standards.

Oversaw ConMon reviews for CSPs, establishing a framework for regular reporting, incident handling, and continuous risk assessment to maintain a robust security posture.

Technical and Strategic Expertise

Conducted vulnerability scans and classifications, assessing CSPs' security vulnerabilities based on severity and legitimacy, and implementing necessary remediation strategies.

Utilized a range of scanning methodologies, including infrastructure, web application, and database scanning, to ensure comprehensive coverage of all potential security vulnerabilities.

Principal Cyber Information Assurance Manager Chickasaw Nation, Defense Security Cooperation Agency 10/2019 – 12/2020

I have extensive experience as a Principal Cyber Information Assurance Manager, supporting the Defense Security Cooperation Agency (DSCA). In this role, my responsibilities included:

Providing analysis of operational risk to systems and networks on behalf of the DSCA Authorizing Official.

Evaluating functional operations and performance in light of test results and providing recommendations regarding A&A.

Assessing the impact of incidents, determining probable damage, and suggesting methods of damage control, while building historical and predictive capabilities for IA incidents.

Explaining security controls and requirements to system owners and teams, and recommending implementation strategies for Continuous Monitoring processes using Plan of Action & Milestones (POA&Ms).

Providing consulting to ensure compliance with FISMA and RMF/A&A processes, using DoD 8000-series, NIST SP 800-series, and DISA-series instructions and guidance.

Demonstrating proficiency with A&A tools such as eMASS.

My extensive experience and expertise in providing analysis of operational risk, assessing the impact of incidents, and ensuring compliance with regulatory requirements have enabled me to provide valuable support to the DSCA, while promoting secure and efficient operations.

Principal Cyber Information Assurance Analyst Northrop Grumman Systems Corporation, Linthicum, MD 07/2019 – 10/2019

During a short assignment as an Information Assurance Analyst, I provided valuable support in assessing the implementation of IS security controls in accordance with the DoD-mandated Risk Management Framework (RMF) program, using the Enterprise Mission Assurance Support System (eMASS). My responsibilities included:

Supporting a team of three Security Controls Assessor Representatives (SCA-R) in their assessment of IS security controls implementation.

Providing direction to the team in aligning NIST 800-series, Department of Defense Instruction, DODI 8500.01-Cybersecurity, and DODI 8510.01-RMF guidance to meet organizational mission and business objectives while adhering to security compliance standards.

Providing subject matter expert support in the analysis of system authorization packages, active support in workflow and process development, and providing information assurance recommendations to the Authorizing Official Designated Representative (AODR).

My expertise in RMF, NIST 800-series, and Department of Defense cybersecurity guidelines enabled me to provide valuable support to the team and ensure compliance with security requirements, while promoting efficient and secure operations for the organization.

Assessment Execution Manager ARCH Systems Inc., CMS, Baltimore, MD 11/2018 – 04/2019

As a direct contract support Assessment Execution Manager for the Center for Medicare and Medicaid (CMS), I was responsible for managing the orchestration of high-quality Adaptive Capability Testing (ACT) and High Value Assets (HVA) of General Support Systems and major applications at CMS. My responsibilities included:

Evaluating the technical and operational security posture of network infrastructures and system security controls implementation, performing ACT to validate security controls implementation on systems and networks, and managing system Plan of Action & Milestones (POA&Ms).

Collaborating with System/Mainframe Security Test Leads, Project Managers, ISSMs, Project Quality Assurance Officials, Penetration and Vulnerability test teams, and PMO Director (Leadership Team) in the development of security deliverables.

Providing continuous improvement of assessment execution and deliverables, collecting and recording lessons learned, risks, and issues via approved templates and tools, and conducting final Peer Review and release of Security Assessment Reports (SAR), CMS Assessment & Audit Tracking (CAAT) Files, Document Evaluations, and Test Plans.

My experience and expertise in managing and executing security assessments, collaborating with cross-functional teams, and providing continuous improvement have enabled me to provide valuable support to CMS and ensure the secure and efficient operations of their systems and networks.

Information Security Principal III CACI, Department of Commerce (DOC) / International Trade Administration, Washington 07/2013 – 10/2018

As a direct support contractor serving as Information Security Principal for the Department of Commerce, I provided expert advice and guidance to Program stakeholders, Information System Security Engineers, and System Integrators on policies and requirements for Certification and Accreditation (C&A) approval. My responsibilities included:

Providing guidance for System Security Authorization Agreement (SSAA) development and documenting system design and operation.

Conducting Security, Test & Evaluations (ST&E) on system and network components, using security test plans provided by various programs, to verify applicable security controls were in place and functioned properly for proposed system use.

Developing comprehensive Security Certification Test Reports that outlined test results and residual findings for Certification Authority (CA) review and consideration.

Obtaining full accreditations and reaccreditations for over 25 systems and networks, including approvals for system modifications, from the Certification Authority (CA) and Designated Approval Authority (DAA) during my tenure.

Collaborating with stakeholders, program managers, and cyber operations teams to ensure information systems undergo thorough and ongoing risk-based Assessment & Authorization (A&A).

Evaluating, documenting, and finalizing Cybersecurity and Privacy policies, programs, and compliance artifacts or standards that support the department's security compliance, systems accreditation, and management (SSP, PIA, PTA, CP, ASA, MOU, etc.).

Developing and periodically monitoring various IT controls, including PTA, PIA/PNA information for several IT systems and interacting with various stakeholders to clarify and document any identified vulnerabilities.

Participating in weekly conference calls with government, IAO, and DAA staff POCs for status reporting, conducting quality assurance reviews of security packages, and briefing findings to the Certification Authority for approved operational recommendations to the DAA.

My extensive experience and expertise in C&A approval, ST&E, and collaboration with stakeholders have enabled me to provide valuable support to the Department of Commerce and ensure the secure and efficient operations of their information systems.

Information Security Principal III (Part Time) JD Biggs & Associates Inc Beltsville, MD 04/2010 – 07/2013

As an independent contractor supporting various clients, I have performed Assessment and Authorization (A&A) services for commercial Cloud Service Providers (CSPs) seeking to provide cloud services to the federal government. My assignments have included:

Assisting CSPs in preparing for a FedRAMP assessment, as the process of receiving a FedRAMP authorization is long and arduous, often filled with uncertainties.

Developing the Security Assessment Plan (SAP), performing the security assessment of the cloud service offering (CSO), and documenting the results of the assessment in the Security Assessment Report (SAR) and supporting documents.

Conducting subsequent annual continuous monitoring assessments of the CSPs to provide assurance that the CSP's control environment continues to operate effectively.

My expertise in A&A services, security assessments, and FedRAMP requirements has enabled me to provide valuable support to various clients in the cloud services industry. By performing security assessments and continuous monitoring of CSPs, I ensure the security and compliance of cloud services offered to the federal government, while promoting efficient and secure operations for CSPs.

Sr. Information Security Leader, Lunarline, Inc., Department of Transportation / Federal Railroad Administration (FRA), Washington 08/2011 – 04/2013

As a direct support contractor/Team Lead responsible for managing and/or producing and delivering security artifacts in support of the Federal Railroad Administration (FRA), I applied comprehensive cybersecurity and privacy analysis to the entire System Development Life Cycle (SDLC) and compliance life cycle process. My responsibilities included:

Managing the Federal Information Security Management Act (FISMA) compliance, audits, and reports, including preparing responses for quarterly and annual FISMA reports. I possess working knowledge of RMF and related publications, including 800-37 and 800-53a, and their documentation in the agency's systems in CSAM.

Leading the evaluation of IT threats and vulnerabilities to determine additional safeguards, advising on the impact levels for Confidentiality, Integrity, and Availability for the system, and developing, reviewing, endorsing, and recommending action for both the Risk Executive and Authorizing Official.

Facilitating the FedRAMP security assessment and authorization (SA&A) test process for over 40 systems. I led the review, updates, and technical analysis of cybersecurity artifacts (SSP, PIA, PTA, CP, ASA, MOU, etc.) for enterprise-wide systems.

Developing and periodically monitoring various IT controls, including controls such as PTA, PII, SORN information for several IT systems, and interacting with various stakeholders to clarify and document any identified vulnerabilities.

Leading the process of reviewing network architecture diagrams, evaluating network controls, system configuration information, and developing recommendations on identified vulnerabilities for executive management.

Leading the performance of Gap analysis, value delivery, and risk management based on COBIT requirements for the OCIO systems.

Leading the performance of IT security program planning and management and identifying, initiating, and completing the SA&A process as defined by the DOT/Confidential using Cyber Security Assessment and Management (CSAM) tool. I developed and executed the Security Controls Assessment Plan, Test Control Matrix, and SAR in compliance with the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), NIST Special Publications (SP800 series), and FRA requirements for each system.

My experience and expertise in FISMA compliance, cybersecurity, and SA&A processes have enabled me to provide valuable support to the FRA and ensure the secure and efficient operations of their systems and networks.

My other relevant experiences include:

XA SYSTEMS, LLC, Information Security Principal III, October 2010 to July 2011

Maryland Consulting Services (FMAK) LLC., President, May 2008 to October 2010

K-Force Government Solutions, DoD Office of Secretary of Defense, VA Military Health Systems, Financial Analyst Manager, November 2007 – May 2008

DoD, US Air Force Medical Service (AFMS) VA, Office of the Surgeon General – Net Star Government Solutions, Senior Security Analyst and Senior IT Auditor, November 2001 – October 2007

Throughout these roles, I have gained extensive experience in information security, risk management, regulatory compliance, and financial analysis in support of government and commercial organizations. As Information Security Principal III at XA SYSTEMS, LLC, I provided expertise in information security to support various clients in their information security needs. As President of Maryland Consulting Services (FMAK) LLC, I provided consulting services to various government and commercial clients, specializing in information security, compliance, and financial analysis. As a Financial Analyst Manager at K-Force Government Solutions, I supported the Department of Defense Office of Secretary of Defense and VA Military Health Systems in financial analysis and management. As a Senior Security Analyst and Senior IT Auditor at Net Star Government Solutions, I supported the US Air Force Medical Service (AFMS) VA, Office of the Surgeon General, in information security, risk management, and regulatory compliance.

My diverse experiences have enabled me to gain a broad understanding of information security and risk management issues in government and commercial organizations, and the ability to provide valuable support in various areas, including financial analysis, compliance, and management.

Education

I hold a Master of Science degree in Managerial Accounting from the University of New Haven, CT, USA, and a Bachelor of Science degree in Accounting and Business Administration from the University of Cairo, Egypt. These educational backgrounds have provided me with a solid foundation in accounting and financial analysis that has been invaluable in my various roles as a financial analyst and manager. My education has also enabled me to gain a deep understanding of the financial aspects of information security and risk management, which has been particularly useful in my work supporting government and commercial organizations.

Certifications

I hold several industry-recognized certifications, including:

DOD 8570.01-IAT and IAM Level III

Certified Information Security Manager (CISM)

Certified Information System Auditor (CISA)

Certified Data Privacy Solutions Engineer (CDPSE)

BSi 7799 Lead Auditor

Certified Public Accountant (CPA)

Certified Information Technology Professional (CITP)

Certified Business Manager (CBM)

Certified Sarbanes-Oxley (CSOX)

These certifications demonstrate my expertise and knowledge in information security, risk management, data privacy, auditing, and financial management. They have provided me with a comprehensive understanding of the requirements and standards for maintaining a secure and compliant information technology environment. My certifications also demonstrate my commitment to ongoing professional development and continuous learning in this rapidly evolving field.
