General Information
Name
Alonni J. Sullivan
Education
Georgia Institute of Technology Professional Education
GTPE Cyber Security Certificate
University of Maryland University College
Masters of Science Cybersecurity
Masters Certificate in Cybersecurity Technology
Masters Certificate in Information Assurance
Masters Certificate in Foundations of Cybersecurity
Bowie State University
Bachelors of Science, Computer Technology: Network Security
Experience Summary
12+ years of cybersecurity experience
5+ years of project management experience
Accreditations
CMMC-AB Provisional Assessor
CompTIA Secure Cloud Professional (CSCP)
Certificate of Cloud Security Knowledge (CCSK)
CompTIA Cloud+
Certified Expert Independent Assessor (CEIA)
Certified Information System Security Professional (CISSP)
Navy Qualified Validator (Level 2)
Intermediate Navy Validator
Certified Authorization Professional (CAP)
Certified Network Defense Architect (CNDA)
Certified Ethical Hacker (CEH)
EC-Council Certified Security Analyst (ECSA)
CompTIA Security+ CE
Work Experience
Coalfire Federal
Senior Manager
September 2019 – Present
Led a group of assessors in a gap analysis of 3 major Amazon Web Service (AWS) enclaves against the NIST 800-171A Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements. Leveraged industry established assessment criteria to appropriately identify security gaps in relation to CUI protection. Provided project management guidance to client stakeholders when establishing submission dates for CMMC certification.
Significantly contributed intellectual capital when conducting a gap analysis of 3 major Google products against the and Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements. Responsible for the identification of risks, evaluation of practice deficiencies, and recommendation on remediation efforts consistent with organizational policy and regulatory requirements. Developed testing approaches and recommendations for test plan modifications that improve validation of control objectives. Test procedure development may cover a wide range of diverse topics ranging from managerial, technical, and operational.
Leveraging industry established assessment criteria to appropriately identify information security gaps in relation to CUI protection. Providing knowledge and experience identifying, assessing, and documenting compliance against applicable security practices contained within the CMMC framework. Successfully interpreted and evaluated major applications infrastructure, enclaves, and Enterprise system environments based on established authorization boundaries.
Provided leadership and direction in the development and implementation for internal CMMC assessment methodologies, lessons learned, procedures, and templates. Collaborates with industry experts, internal and external to Coalfire, in order to leverage competitive advantages through knowledge transfer.
Develops, communicates, and enforces IT policies and procedures and prepare records necessary to safeguard information and technological assets. Prepares accurate and timely information for clients and users.
Performs assessment of information systems, based upon the Risk Management Framework (RMF)/ Assessment and Authorization (A&A)/authorization and assessment processes.
Advises senior leadership on any assessment and authorization issues, assessment methodologies, and processes. Evaluates Authorization packages and makes recommendations for authorization.
At the conclusion of each security assessment activity, prepare the final Security Assessment Report (SAR) containing the results and findings from the assessment. Initiate a POA&M with identified weaknesses and suspense dates for each IS, based on findings and recommendations from the SAR.
National Credit Union Administration
Information System Security Officer
September 2018 – September 2019
Served as the principal advisor and liaison between the system owner and the Office of the Chief Information Officer on the security status of a specific portfolio of information systems.
Reviews and provides corrective action plans to ensure that the appropriate operation security posture is maintained for a portfolio of information systems.
Coordinated within NCUA and with external agencies and vendors in the preparation of development of the Authorization Package. Thus ensuring the appropriate security controls are applied during the appropriate SDLC phase and ensure integrity, confidentiality, and availability throughout the SDLC.
Prepares and reviews System Development Life Cycle (SDLC) and Assessment and Authorization documentation for newly developed systems.
Reviewed and evaluated IT operations to appraise the effectiveness of policies and programs. Identified areas for process improvement and took proactive corrective actions to update or improve policies and processes.
Developed the Authority to Use (ATU) process for FedRAMP and IT Services. Managed and submitted 5 systems for annual review.
Department of Agriculture - Office of the Chief Information Officer - Office of Information Security
Cybersecurity Policy Program Manager
July 2017 – September 2018
Developed policies and procedures to ensure information systems reliability and accessibility and to prevent and defend against unauthorized access to systems, networks, and data. Promotes awareness of security issues among management and ensures sound security principles are reflected in organization's visions and goals.
Facilitated IT cyber security policy at the departmental level. Reviewed and developed systems security policy, guidelines, and procedures. Develops or explains policy and procedural controls related to physical security, application and data security, system software security, contingency planning, compliance with personnel clearance procedures, security education and training, and contractor security.
Developed appropriate policy for cyber security compliance and oversight, education, and awareness, performance measures and metrics; this requires significant Attention to Detail when performing work and conscientious about attending to detail to move USDA forward toward improving FISMA compliance and improving overall IT cyber security posture across the department.
Served as the subject matter expert to the Chief Information Security Officer, Chief Information Officer and Senior Agency Officials for Cybersecurity on Cybersecurity policies and procedures and IT Security Audit.
Worked with IT Security teams throughout the Compliance & Policy branch and clients and to provide customer service and understand their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services.
Led USDA collaboration with DHS to develop the USDA Cybersecurity Policy Operations Guide (CPOG). The CPOG is a quick reference guide to USDA and Federal cybersecurity. The first of its kind, the USDA CPOG will provide those working in various cybersecurity roles at USDA with an overview of key documents and programs that are shaping and influencing not only the USDA, but also the entire Federal cybersecurity landscape. The guide provides an overview of roles and responsibilities of Federal cybersecurity stakeholders; meta-summaries of key documents, policies and strategies related to cybersecurity; a checklist of reporting requirements; a list of common terms and definitions associated with cybersecurity; and agency-specific cybersecurity information. The guide will be packaged in a small, portable tabular reference guide to promote ease of use.
Spearheaded Policy development and approval process improvement initiatives with two primary goals: 1) to streamline and reduce the time needed to develop and approve policy to no greater than 120 days and 2) help OIS enhance its overall customer experience.
Briefed leadership on upcoming initiatives that were technical, sensitive, and controversial. Provided weekly reports that take clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately.
Was responsible for all aspects of contract administration throughout the complete contract life cycle – creation, fulfillment maintenance and closure of all assigned contracts in cooperation with Contract Managers;
Ensured that suppliers properly correct all defects and omissions;
Managed more difficult, complex contract issues that involve disputes, modifications, claims, and close-outs. Advises General Counsel, Chief Procurement Officer, COR Group Leader, and other senior staff of contractors’ positions pertaining to disputes.
Informed the COR Group Leader, CPO and/or Procurement Office of work that is accepted or rejected;
Worked closely with Contract Managers to resolve irregularities or other problems in the procurement process and protests;
Collaborated with Contract Managers to monitor suppliers’ compliance with deliverables as well as monitoring progress reports and work plans;
Identifying opportunities to standardize business processes and leverage common IT services;
Department of Defense - Department of Navy
IT Specialist - Information System Security Officer/Information System Security Manager
December 2014 – July 2017
NAWCAD - Information System Security Officer (ISSO), Unmanned Carrier Aviation (PMA-268)
Served as an embedded Information System Security Officer under the Cyber Security Support Branch for the Cyber Security (CS) Division. Worked to integrate Cybersecurity methods/techniques into all aspects of aviation system development. Supports customer efforts to comply with governing Cybersecurity policies, procedures and documentation requirements (e.g., Clinger-Cohen Act), and ensure the security/integrity of IT/IM systems. Ensures the Confidentiality, Integrity, and Availability (CIA) of systems, networks, and data IAW DoDI 8510.1, 8500.2 and Agency policy and procedures.
Performed continuing analysis of in-place Cybersecurity plans/programs/processes to ensure they provide an optimized level of security for the customer's IT assets/operations, and are responsive to the customer's rapidly-changing operational requirements for system security. This included providing customers with information/analytical support/guidance on cybersecurity requirements for proposed IT acquisitions from earliest stages of development, through the acquisition milestone process and follow-on support. Provides technical/functional expertise and analytical support to guide customers through the A&A process that is mandatory for all Major Automated Information System applications, systems and networks, including aircraft systems.
Conducted systems security evaluations, audits and reviews, and conducts risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities, risks, and protections needs. Advises leadership on developing and/or revising specific policies and procedures that involve information security and assurance, and ensures the rigorous application of information security/information assurance policies, principles, and practices in the delivery of all IT services.
Constructed, updated, and maintained DIACAP and Risk Management Framework (RMF) documents for Information Technology (IT) Systems, PIT Systems, PIT, IT Products, and IT Services within NAVAIR Systems. Involved in all aspects of Platform Information Technology (PIT) and PIT System Assess and Assess and Authorize (A&A) packages. Acts as a Cybersecurity SME to relay and recommend new policy requirements and communicates the Program's needs to competency management and peers. Assisted in the development of short and long-term strategies across the PMA Cybersecurity Program that takes a broad view to achieve significant results in support of the organization's goals and strategic plan.
Implemented current DoN accreditation/authorization process and develop all necessary artifacts (System Security Plan (SSP), System Categorization, Plan of Action & Milestones (POA&M) and Scorecard) on key components of the weapon system and associated Test networks within the Agency element.
Applied metrics to improve quality of products and services to render them effective & efficient. Implements solutions for standardization through quality Standard Work Packages (SWPs), Standard Operating Procedures (SOPs), Embedded ISSM guidance and automation within the Program, and participates in Program Management Reviews with AIR 7.2.6 and Program Office leadership to measure customer satisfaction and quality of products and services and serves as an ongoing liaison with customers/leadership/management.
Supports the Cybersecurity Program Management efforts to meet PMA-268 cost, schedule, and performance thresholds based on the needs of the Program and lead the development of the Integrated Master Schedule (IMS) for Cybersecurity efforts in support of PMA-268 based on Program direction and schedule. Ensures protective measures, maintain and strengthen confidentiality, integrity, and availability of information and information systems for complex Cyber Security Controls. Prepares assessment analysis and reports and provide assessment and authorization recommendations for documented residual risks and utilizes comprehensive knowledge of Information Security regulations, publications, and policies to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software. Ensures that a systematic methodology is followed to assess, identify and demonstrate attack vectors and their impacts to provide risk mitigation/remediation strategies.
Led a unit of intern IT Specialists tasked with researching and developing a technical white paper on security requirements, and ensured that the new security requirements were "designed into" the new PIT systems. Cybersecurity requirements from this effort were accepted into the design specification.
Responsible for ensuring Cybersecurity requirements are incorporated in all Request For Proposals, Statements of Work, and reviews Work Breakdown Structure and Basis of Estimates. Reviews and develops systems security policy, guidelines, and procedures for systems processing multiple data streams, requiring different and conflicting security controls. Develops or explains policy and procedural controls related to physical security, application and data security, system software security, contingency planning, compliance with personnel clearance procedures, security education and training, and contractor security.
Provided technical expertise to the design, development, and implementation of information security policies and procedures. Identifies areas of potential vulnerability in operating systems used throughout the organization.
Identify new processes, techniques, and procedures to enhance security procedures and implements program wide.
Department of Defense- Department of Navy - IT Specialist January 2016 – May 2016
NAWCAD – Acting Information System Security Manager (ISSM), MPRA (PMA-290) (Temporary Rotation)
Served as acting ISSM for PMA-290. Day to day activities involved setting team tasks and priorities across diverse technical specialties and customer base, project management, identify and integrate optimal cyber security techniques and processes into program operations, ensuring consideration of cyber security issues in staff meetings, program reviews and other discussions of work status and progress.
Worked daily to oversee, evaluate, and/or support the documentation, validation, and accreditation processes necessary to assure that systems met the organizations' information security requirements. Provided a leadership brief to advise appropriate senior leadership or authorizing official of changes affecting the organization's information security posture.
Interpreted legislation and producing IT security policy at the level of risk management that requires and in concert with strategic and architecture plans. Provided support in assessment and authorization (A&A) activities such as provides Systems Owners with an independent review of the (A&A) efforts in compliance with applicable policies and reviewed security test plans and results to ensure evaluations of security controls for systems have been carried out according to accepted standards and practices.
Booz Allen Hamilton
Lead Technician
May 2009 – December 2014
Department of Defense (DoD)-Consequence Management Communication System (CMCS) 12/2013 - 12/2014
Worked as an Information Security Specialist conducting security reviews for various Civil Support Teams (CSTs) in order to ensure that requirements were appropriately met. This involves reviewing scan results and verifying hardware, software, IP and MAC addressing for assets assigned to each CST. Responsible for creating and maintaining compliance tracking documents as well as ensuring that compliance issues are solved. Worked with enterprise network engineers to implement network security practices and procedures.
Managed the tasks of developing and implementing the policies and procedures for mobile device management. In-depth knowledge of NIST Special Publication 800-124 and is familiar with industry best practices when it comes to the implementation of a mobile device solution.
Booz Allen Hamilton- Associate
Federal Bureau of Investigation (FBI) – Business Process Management Unit (BPMU)
08/2012 - 08/2013
Worked as a part of the Enterprise Process Automation System (EPAS) team at the FBI. Technical involvement includes creating and managing electronic forms with specific expertise in migrating forms from paper to electronic. Area of expertise spanned process form management, analysis and design with specific tools experience in Adobe LiveCycle tool, utilization of XML Schema and binding to pre-populate forms and letters, and applying changes to existing forms for design, functionality and validation.
Worked to gather user requirements and converting them into system specifications. Worked with client stakeholders to determine requirements for new agency systems moving from paper processes to a technical bases workflow and provides white-box testing in order to resolve issues/bugs from User Acceptance Testing. Additional core functions include interfacing with end users and providing insight and clarification on issues of a new system that was recently acquired by the EPAS team.
Provided rapid client focused technical support to over one hundred agency wide users. Worked within a Metastorm environment to disperse corrections to system crashes and provided data recovery assistance and corrected database element. Worked to generate diagnostics, resolved system issues, and documented help desk tickets/resolutions as an extension to troubleshooting task. Also engaged in appropriately identifying and tracking high priority issues, with responsibility for the timely documentation, escalation (if appropriate), resolution and closure of trouble tickets. The cross domain functionality required allowed the familiarization with the agency's mission, business processes, and user community. This supported the ability to understand application functionality; understand user roles, establish enhanced process capabilities and plan for new system releases.
Booz Allen Hamilton- Senior Consultant
Social Security Administration (SSA) - Office of Information Security; Standard Operating Procedures (SOP) 08/2011 - 08/2012
Served as the information security subject matter expert (SME) for the Office of Information Security (OIS) at the Social Security Administration (SSA) to update information security policies and procedures and develop a standard process for information security assessment. The document entitled “Risk Assessment Methodology” provides a Standard Operating Procedure (SOP) for planning and conducting security assessments across the agency and provides step by step guidance for each stakeholder.
Provided subject matter expertise to the OIS division and utilized exceptional knowledge and experience to improve processes and develop new methodologies in accordance with changing NIST requirements. In addition to creating the SOP for information security assessments, the task included creating and standardizing agency wide templates that could be used throughout the security assessment and risk assessment processes such as SSPs, a standard risk assessment template, a standard rules of engagement template, and a standard incident response template. Worked to author the “Security Assessment Reporting Procedures” and the “Security Assessment Tracking Procedures”. Processes to perform this task included utilizing existing agency practices and combining them with industry best practices and procedures, along with NIST guidance to produce a standard program.
Booz Allen Hamilton- Senior Consultant
Social Security Administration (SSA) - Office of Information Security; Certification and Accreditation (C&A) Support Services 08/2009 - 08/2012
Worked as a part of the C&A support team at the Social Security Administration. Designed test plans and performed risk assessments of information systems to identify risks and validate the extent to which security controls were properly implemented in reference to NIST SP 800-53, SP 800-53a and NIST SP 800-30. Was responsible for gathering and analyzing technical security findings provided in the Security Assessment Report (SAR) and updating the System Security Plans (SSP) for each SSA system. This role required the collection of information and development of technical overviews for the twenty-one (21) Information Systems of the SSA. The information collection process includes thoroughly reviewing system diagrams and environment documentation, updating the system technical information with system teams, and conducting interviews with system teams. Worked closely with the system owners and provide guidance on the Cyber Security Assessment and Management (CSAM) tool.
Worked as an information security assessor reviewing General Support Systems and Major and Minor applications in each of the High, Moderate, and Low security baselines and has written several SSPs and SARs to detail their security posture. Significant knowledge of NIST and OMB guidance and has supported the FISMA compliant SA&A process for 21+ system inventory. Was also tasked with drafting technical overviews and modification of test plans and was required on a daily basis to write, edit and utilize presentation skills.
Conducted weekly meetings including risk reviews and POA&M review meetings with SSA management to include: system owners, authorizing officials to present status dates, security deliverables and to resolve security concerns for their respective system. Has a significant understanding of NIST SPs 800-37, 800-53, and 800-53a; FISMA; and OMB requirements in order to ensure all NIST security control objectives, major requirements were addressed. Worked closely with agency officials to interpret and provide guidance on FISMA and NIST regulations in order to enhance the agency's Risk Management Framework. Worked closely with NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations and NIST 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems to address the security concerns of organizations related to their risk management framework. Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices. Conduct policy gap analysis, and work with SMEs to align policies with the National Institute for Standards and Technology (NIST) Special Publication 800-53, revision 4 guidance.
Assessment of NIST SP 800-53 security controls and conducted quality reviews of SA&A packages. Was responsible for ensuring security controls are documented as implemented, risk scores/ratings were appropriately categorized based on the vulnerability and any applicable compensating security controls, and the overall completeness and quality of SA&A packages presented as client deliveries.
Booz Allen Hamilton- Senior Consultant
Social Security Administration (SSA) - Office of Information Security; Certification and Accreditation Support Services: Data Loss Prevention 07/2012 - 08/2012
Assumed the lead of the Data Loss Prevention sub-task. Responsibilities for this task included collecting subsystem information from 21 information systems, identifying PII (Personal Identifiable Information) contained within the systems and building system data flow diagram to document the ingress and egress of secure information. Recommendations to leadership were provided for how to better secure agency information through risk management and information protection.
Booz Allen Hamilton- Senior Consultant
Social Security Administration (SSA) - Office of Information Security; External Business Partner Pre-Assessment Validation 09/2011 - 08/2012
Assumed a leadership role to draft the Pre-Assessment Questionnaire/Checklist for External Business Partners/Vendors sub-task. Worked closely with NIST guidance to identify NIST 800-53 controls that determine the security posture of external vendors/business partner and identify the security risk they would introduce to the agency. Responsibilities for this task included reviewing a sampling of vendor contracts, evaluating and auditing current FISMA compliance for vendors working with the SSA; identifying the minimum requirements needed for external vendors and business partners, and then developing an assessment framework to establish requirements for future vendors.
Booz Allen Hamilton- Consultant
Common Criteria Lab 05/2009 - 09/2009
Involved with common criteria testing lab from May 2009 to September 2009. During that time, involvement included review of Functional Specification documentation, which labeled the security relevant interfaces that are externally visible to users and components, which are outside the product’s target of evaluation. Also reviewed the TOE Design documentation, which describes the internal subsystems of the product and how they interact to meet the security functions of the product. The involvement with the lab includes successful completion of the Common Criteria boot camp.
Software and Technical Guidance
Compliance Frameworks
CMMC; FISMA; FedRAMP; ISO 27001:2013
Policies, Standards, & Guidance
NIST SPs (800-53, -53a, -37, -61, etc.), OMB, DISA STIGs, DoD SRG