
Information Systems Security

Location:
Tuxedo Park, NY
Posted:
February 13, 2024


Resume:

DAVID J. VASSALLO

** ******** **.

Tuxedo Park, NY 10987

Cell: 845-***-****

E-mail: ad3laf@r.postjobfree.com

EXPERIENCE

CACI International – LGS Innovations (Jan 2020 – Present)

Information Systems Security Manager

• Responsible for ensuring Information System Compliance with the potential to span multiple business areas or programs.

• Ensures system security measures comply with applicable government policies. Provide configuration management and accurately assess the impact of modifications and vulnerabilities for each system.

• Maintain thorough understanding of NIST 800-53 controls, and determine which controls are applicable to the application, as well as document implementation in the Security Controls Traceability Matrix (SCTM).

• Monitor and resolve Plan of Action and Milestones (POA&M) to mitigate system vulnerabilities on assigned Information Systems.

• Communicate and coordinate Information Systems Security policy across their organization and work with government agencies to obtain rulings, interpretations, and acceptable deviations for compliance with regulations.

• Establish, document, implement, and monitor the IS Security Program and related procedures for the facility and ensure compliance with IS security requirements.

• Prepare and maintain Systems Security Plans (SSP) which accurately reflect the installation and security provisions of the system.

• Ensure that each SSP has been implemented, that the specified security controls are in place and properly tested, and that the IS is functioning as described in the SSP.

• Evaluate proposed changes or additions to the SSP and collaborate with customers for systems approvals.

• Utilize automated tools to document certification and accreditation requirements like eMASS and XACTA.

• Conduct on-going security reviews and tests for information systems to periodically verify that security features and operating controls are functional and effective.

• Ensure that periodic self-inspections of the facility’s IS Program are conducted as part of the overall facility self-inspection program.

• Ensure the development, documentation and presentation of IS security education, awareness, and training activities for facility management, IS personnel, users, and others as appropriate.

• Ensure personnel are trained on the IS’s prescribed security restrictions and safeguards before they are initially allowed to access a system.

• Identify and document unique local threats/vulnerabilities to IS.

• Report IS security incidents to the CSA. Ensure action is taken when an incident/vulnerability has been discovered.

• Formulate and correlate security categorizations for multiple authorization boundaries.

• Draft and implement information system security software and hardware upgrades for multiple IC, SAP, and collateral authorization boundaries.

• Provide instruction and guidance for Risk Acknowledgment Letter (RAL) creation and implementation.

• Construct and develop ICD 503 RMF packages including SSP, SSP Questionnaires, Data Management Plans, and other required CONOPS documents.

• Create and implement all NIST 800-53 control family policy and procedures.

• Construct and design categories and information to be included in the IA SOP and System Administration SOP.

• Provide insight over Linux administration of Red Hat and Ubuntu systems.

• Assist as alternate COMSEC account custodian to provide oversight with COMSEC inventories, keying of CCI devices, updating DIAS, and other COMSEC responsibilities.

• Assist in the design of SCIF infrastructure layouts that include internal and external network cabling and equipment placement, AV design, power and cooling consumption requirements.

L3Harris Technologies (Oct 2003 – Jan 2020)

Previously known as ITT (Oct 2003-June 2006), Exelis (June 2006-Sept 2015), Harris Corp. (Sept 2015-Jan 2020)

Information System Security Manager (Sept 2015-Jan 2020)

Information System Security Officer II (June 2006-Sept 2015)

• Operate as lead Information Systems Security Officer (ISSO) for DSS collateral programs and 20+ Special Access Programs (SAPs)

• Create and maintain JAFAN 6/3 and DSS System Security Plans (SSPs) for over 25 different Local Area Networks (LANs) and standalone systems

• Serves as the Information Systems Security Manager (ISSM) for 20+ Special Access Programs (SAPs) within 21 Special Access Program Facilities (SAPFs)

• Assists Dept. of Defense (DoD)-only security staff with preparation of DSS Risk Management Framework (RMF) artifacts that include SSPs, Security Control Traceability Matrices (SCTM), Risk Assessment Reports (RAR), and Plan of Action & Milestones (POA&Ms)

• Creates and oversees SIPRNet Security Technical Implementation Guidance (STIG) defined Information Assurance (IA)-based policy and procedure and Security Education and Training Awareness (SETA) that includes general user training, media training, and privileged user training

• Operates as a lead ISSO/M for DSS interaction during security inspections which include removable media management, auditing reviews, documentation creation, continuous monitoring, insider threat review, risk management adaptation, and security control implementation.

• Coordinates with SAP Program Security Officers (PSOs) and Security Control Assessors (SCAs) to ensure required implementation of the Joint SAP Implementation Guide (JSIG) security controls

• Communicates multiple status and programmatic information assurance meetings with Information System Owners/Program Managers (ISO/PM) to deliver updated oversight on information security and risk management components related to their computer systems

• Develops and facilitates training and security assessments of 20+ SAP computer systems per JSIG SAP requirements.

• Implements government guidance to over 25+ federal information systems that fall under the purview of JSIG, National Industrial Security Program Operating Manual (NISPOM), National Institute of Standards and Practices (NIST) 800-53 security control implementation, NIST 800-37 risk assessment management, JAFAN 6/3 legacy IA controls, ICD 705 SAPF/SCIF construction requirements, and DoD 5200 SAP implementation manuals.

• Increases the awareness for government AIS policy and procedure within different program level environments through implementation of different government agency policy and memorandums

• Monitors the oversight for maintenance/compliance and implementation of classified information systems within SAPFs by applying ongoing information security control review determining JSIG and DoD SAP relevant security control requirement

• Ensures system administration of IA security controls is correct and adequate by thorough review of local security policy, registry keys, Basic Input Output System (BIOS), and other technical implementation management guidance

• Develops and monitors periods processing program for information systems that cannot operate fully in an online capacity

• Creates and reviews a thorough key management plan (KMP) for data-at-rest (DAR) requirements that include Wide Area Network (WAN) encryption devices, self-encrypting drives (SEDs), FIPS 140-2 compliant hard drives, or software encryption solutions

• Diagnoses, coordinates, and uses automated information system tools to help maintain, operate, and comply information systems with auditing, endpoint security management, network device review, technical security control assessment, system administrator oversight, patch management, and security control/vulnerability monitoring

• Creates and implements information assurance policy for JSIG classified processing requirements throughout the facility that include system integrity, risk assessment and management, security awareness, access control, auditing, backup solution, physical environmental, system maintenance, etc.

• Organizes, defines, and approves access control list (ACL)/technical control changes to multiple classified DoD and SAP networks from STIG guidance and government memorandums

• Created and reviews IA security control assessments and the continuous monitoring program that defines, updates, and implements security control mechanism and compliance checks in accordance with several government requirements

• Manages and conducts oversight of security and technical control implementation with System Administrators (SA) and Information System Security Engineers (ISSE) from STIG and DoD-defined policy standards

• Developed and oversees Discretionary Access Control (DAC) policy implementation by reviewing security setting permissions on different classified information systems

• Manages, documents, and updates wireless scanning policies to record and diagnose potential rogue devices within closed areas or SAPFs

• Develops and ensures patch management plans for all classified networks that covers installation of operating system, application, and mobile code implementation and documentation during the monthly or quarterly baseline

• Conducts multiple vulnerability assessments via Nessus to ensure classified systems are up to date with the most current patch management or security control implementations available

• Creates, analyzes, and updates robust risk assessment reports from a multitude of DoD threat reports and catalogs to document the most accurate assessment for all classified information systems

• Ensures malware and antivirus patches and updates are implemented with most current definitions available from approved vendors

• Reviews software vulnerability reports from the National Vulnerability Database (NVD) to guarantee any software requested for classified information system deployment is current and up to standards

• Handles, directs, and responds to security concerns during suspected compromises in coordination with locally defined incident response handling procedures and coordinate suspected results with different government cyber security groups

• Creates, updates, and ensures implementation of a robust site-wide SAP JSIG security awareness and training program for all facilities that includes removable media management and tracking, basic information system usage requirements, and auditor and system administrator requirements.

• Develops and maintains a media management high to low transfer policy and procedure on multiple SAP networks

• Coordinates oversight and maintenance updates to classified customer network information systems for over 10 customer WANs

• Assists with creation of program protection security plans and provides oversight for maintaining a high level posture for operation security.

• Achieved a detailed tracking inventory system for Authority-to-Operate (ATO) Letters to ensure classified computer SAP and DoD systems do not fall out of compliance

• Developed and reviews a continuous monitoring program for the facility that goes over all defined security control information and documents the current security control status of all classified computer systems

• Performs annual information assurance self-compliance inspections that review, document, and diagnose current security compliance posture status of all SAP and DoD classified information systems

• Operates and successfully conducts multiple Superior and Satisfactory inspections for various government organizations including DSS, USAF, DARPA, and Dept. of Navy.

• Responsible for conducting investigative audits for over 25+ classified Local Area Networks, Peer-to-peer systems, and Multi-User Standalone systems by researching incorrect login information, access control records, removable media management logs, and administrative actions taking place

• Performs and provides system administration support including account management, software installation, hardware upgrades and installation, and computer troubleshooting.

• Defines and manages system administration procedures including account management, backup and restoration, and password policies.

• Performs active directory maintenance including creating, deleting, enabling, and disabling user accounts, groups, group accounts, and different organizational units (OUs).

• Assists and conducts computer maintenance and troubleshooting for any operating system, software, or hardware errors encountered.

• Builds desktops and servers required for multiple classified networks.

• Updates, implements, and manages group policy object (GPO) and local security policy security configuration settings required for setup on classified computer systems.

• Facilitated preparation for DISA Cyber Readiness Inspection, including ACAS and HBSS training, as well as a solid understanding of Cybercommand Tasking Orders.

• Conducted security audits of firewalls and IDS to ensure compliance with industry standards.

Engineering Technical Assistant (Oct 2003-June 2006)

• Served as lead lab coordinator for engineering activities for Communication Systems

• Documented technical drawings and engineering design specifications per engineering guidance

• Conducted communication asset management inventory for multiple development platforms

• Led overall maintenance and setup for lab network setups that include multiple computer, switch, and router configurations with the development platforms.

TOOL SKILLS

• Microsoft Office

• Microsoft Dumpsec

• Zoho Manage Engine Event Log Analyzer

• Zoho Manage Engine AD Audit+

• Zoho Manage Engine Desktop Central

• Port Protection Program (P3)

• Ivanti Device Control

• PuriFile Document Sanitization

• Security Technical Implementation Guide (STIG) viewer

• Security Control Automation Protocol (SCAP)

• ACAS/Nessus

• EMASS

• XACTA

• Group Policy Object Manager

• ProWatch

• Symantec Backup Exec

EDUCATION & CERTIFICATIONS

CISSP, March 2018 - Present

ID#: 655859

RMF (provided by Mantech), December 5, 2015

Continuous Monitoring (provided by Logos Secure), Dec 2017

PuriFile (provided by Peraton), Dec 2018

Linux Audit Training (provided by Logos Secure), Feb 2019

Nessus Proficiency (provided by Tenable), April 2019

CompTIA Security+, March 2014 - Present

ID#: COMP001020691433

WILLIAM PATERSON UNIVERSITY, Wayne, NJ,

Bachelor of Arts, History, January 2003

MEMBERSHIPS

NCMS, Mid-Atlantic Chapter, Feb 2019

CSSWG, Nov 2016

CAISSWG, Mar 2020

CLEARANCE

Top Secret/SCI
