
Security Controls Assessor/ Information System Security Officer

Location:
Capitol Heights, MD
Posted:
July 11, 2023

Resume:

Malabi Abwao-Konya

202-***-**** **********@*****.***

Professional Summary: Self-motivated certified Technology professional with over six years of solid experience providing IT support across multiple platforms. Strong technical skills and knowledge combined with the ability to clearly communicate security requirements. Six years' experience in Cyber Security environments supporting federal clients. Excellent knowledge of the NIST's Risk Management Framework (RMF) for assessing security controls, POA&M Management, and Continuous Monitoring. Strong interpersonal skills and adept at working independently or with a team to ensure the confidentiality, integrity, and availability of information systems.

Professional Experience:

DelTaahTech Consulting, October 2018 to July 2023: ISSO, US Department of Labor Federal Contract, Washington, DC

Provided guidance and continuous monitoring support for Legacy Systems or FedRAMP for Cloud Systems.

Conducted Certification and Accreditation (C&A) on major applications following the Risk Management Framework (RMF) from Categorization through Continuous Monitoring using the various NIST Special Publications to meet Federal Information Security Management Act (FISMA) requirements.

Developed SSPs, SARs, and POA&Ms presented to Designated Approving Authorities (DAAs) to obtain the Authority to Operate (ATO).

Conducted security assessments on major applications, updated POA&Ms with findings, and monitored for remediation deadlines.

Provided weekly status reports on ongoing tasks and deliverables.

Performed risk assessments to identify the risk level associated with findings.

Reviewed artifacts regarding POA&Ms created by ISSO before closing.

Ensured compliance with protection requirements, control procedures, incident management reporting, remote access requirements, and system management for all systems under scope.

Assisted in updates of IT security policies, procedures, standards, and guidelines according to department and federal requirements.

Supported cyber security analysis by conducting Vulnerability Management, Security Engineering, Certification and Accreditation, and Computer Network Defense.

Monitored controls post-authorization to ensure constant compliance with security requirements.

Conducted annual assessments based on NIST SP 800-53A.

Reviewed and analyzed Nessus Vulnerability and Compliance scan results for remediation.

Monitored security tools and correlated reporting and other appropriate information sources to identify incidents, issues, threats, and vulnerabilities.

Developed and maintained all security documentation for systems under purview, including Privacy Threshold Analysis (PTA), Privacy Impact Assessments (PIA), System of Record Notices (SORNs), Business Impact Assessments (BIA), Contingency Plan and Tests (CP and CPT), Security Authorization Briefing.

Notable Experience: During my tenure at DelTaahTech Consulting, I faced a significant challenge of conducting Certification and Accreditation (C&A) on major applications within a tight timeframe to meet Federal Information Security Management Act (FISMA) requirements. One such experience exemplifying my ability to handle this challenge was when I worked on a high-profile project for a federal client. The application required a comprehensive security assessment, including developing SSPs, SARs, and POA&Ms, which were critical for obtaining the Authority to Operate (ATO).

To ensure a successful outcome, I collaborated closely with stakeholders, including the Designated Approving Authorities (DAAs) and the project team, to gather necessary information and streamline the certification process. I conducted thorough security assessments, identified vulnerabilities, and updated the POA&Ms accordingly. Additionally, I monitored and tracked remediation deadlines, providing regular status reports to keep all parties informed.

My meticulous approach, attention to detail, and ability to navigate complex regulatory frameworks allowed me to successfully complete the C&A process within the stipulated timeframe. This experience highlights my proficiency in managing time-sensitive projects, working collaboratively with diverse teams, and ensuring compliance with stringent security requirements.

DelTaahTech Consulting, May 2016 to October 2018: Information System Security Assessor, Department of Health and Human Services, Washington, DC

Supported efforts related to security control assessments for information systems utilizing the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision (Rev.) 4 & 5 security controls.

Performed all aspects of the security controls assessment from kickoff to submission of all assessment deliverables.

Coordinated all aspects of security controls testing with relevant stakeholders and team lead.

Developed a security assessment plan with input from stakeholders.

Developed and tailored evidence request lists.

Conducted and led assessment interviews and tests and managed evidence.

Coordinated with team lead and client management to develop and maintain a project plan.

Ensured all required deliverables were completed on schedule and to a high standard, with the understanding that deliverables would undergo independent review by the client.

Provided insightful recommendations to the client to improve security posture.

Leveraged the existing organization's RMF process; reviewed system/application documentation and determined whether it was accurate, up to date, and sufficiently detailed to support the Security Control Assessment/Validation process.

Experienced with developing and implementing information security continuous monitoring (ISCM) or continuous diagnostics and mitigation (CDM) strategies, policies, and supporting technologies.

Worked with a team of Information System Owners, Developers, and System Engineers to select and implement tailored security controls in safeguarding system information.

Initiated meetings with various System Owners and Information System Security Officers (ISSO), providing guidance on evidence needed for security controls and documenting assessment findings.

Expertise in National Institute of Standards and Technology Special Publication (NIST SP) documentation: Performed assessments, POA&M Remediation, and document creation using NIST SP 800-53.

Reviewed security controls and provided implementation responses as to whether and how the systems currently met the requirements.

Developed NIST-compliant vulnerability assessment reports and Plans of Action and Milestones (POA&M) and provided recommendations to address system weaknesses.

Ensured customers followed security policies and procedures in accordance with NIST SP 800-53 and NIST SP 800-53A.

Performed specific quality control for package validation on the SP, RA, RTM, PIA, SORN, E-authentication assessment, and FIPS-199 categorization.

Planned, assigned, and performed security validation review for C&A documentation and supervised team members.

Provided POA&M Quality and Management (review, update, and validate on behalf of the CISO).

Reviewed and uploaded deliverables to the C&A repository (CSAM).

Maintained an inventory of all Information Security systems assigned.

Provided guidance and training to the system owner and ISSO on the validation process.

Developed and implemented FISMA ISSM Validation processes.

Demonstrated understanding and experience with the NIST Risk Management Framework (RMF) process.

Documented and reviewed System Security Plan (SSP), Security Assessment Report (SAR), Security Plan of Action and Milestones (POA&M), Authorization letter/memorandum (ATO).

Performed assessments and document creation using NIST SP 800-53 Rev.4.

Performed Information Systems Security Audits and Certification and Accreditation (C&A) tests in compliance with NIST standards.