
Risk Management Cyber Security

Location:
Waldorf, MD
Posted:
February 01, 2025


Resume:

Alonni J. Sullivan

***** ********* ****

Brandywine, Maryland 20613

Mobile: 301-***-****

Email: *********@*****.***

General Information

Experience

Summary

Results-driven Cybersecurity/IT Subject Matter Expert (SME) with over sixteen (16) years of experience leading tasks in Assessment & Authorization (A&A), Customer Relationship Management (CRM), Policy Management and Risk Management.

Education

Georgia Institute of Technology Professional Education; GTPE Cyber Security Certificate

University of Maryland University College

- Master of Science, Cybersecurity

- Master's Certificate in Cybersecurity Technology

- Master's Certificate in Information Assurance

- Master's Certificate in Foundations of Cybersecurity

Bowie State University; Bachelor of Science. Concentration: Computer Technology: Network Security

Work Experience

Department of Defense - Defense Human Resources Activity

IT Specialist, Full Time, 40 hours/week, GS-13

October 2023 – Present

Provides SME Risk Management Framework (RMF) support to the DMDC technology portfolio of over 100 systems. Helps ensure that Product Owners (PO) maintain an active Authorization to Operate (ATO) within the agency Enterprise Mission Assurance Support Service (eMASS) tool. Leads operations for a team of 3 responsible for triaging over 100 ATOs, thus ensuring all systems operate within an acceptable level of risk and maintain a valid ATO.

Pivotal in creating the intake mechanism, developing the standard operating procedure, and drafting the PowerBI reporting dashboard for the Boundary Working Group (BWG), thus allowing for early integration of cybersecurity into the system development process and providing leadership insight into new ATO boundaries and changes to existing ATO boundaries. By formalizing this process and facilitating at least 5 sessions within the first quarter of operation, DMDC was able to solidify activity for key initiatives involving the innovation and implementation of AI, Address Sync Service, and cloud boundary development.

Influential in the development, implementation, maintenance and enhancement of a portfolio of cybersecurity policies directing product teams on how to request an IATT, assign AALs and IALs to their system, and decommission their systems. This effort allowed the integration of process improvement with functional policies.

Involved in coordinating ATO efforts for the Defense Support Services Center (DSSC) modernization efforts to ensure critical support services are provided to the Department's military and civilian personnel. This involves tracking the implementation of a secure low-code/no-code environment to ensure adherence to cybersecurity requirements.

Federal Deposit Insurance Corporation; IT Specialist - A&A Specialist for External Systems

Full Time, 40 hours/week, CG-14

November 2021 – October 2023

Led a team of 6 responsible for the development and execution of risk management assessments for all agency contractor-owned and -operated systems. The assessments were completed using the agency Cyber Security Assessment and Management Application (CSAM) tool. Planned and recommended modifications or adjustments to the security postures of FDIC's Cloud and Contractor system Assessment and Authorization (A&A) portfolio, made up of over 70 systems. This required extensive knowledge of the organization's information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition life cycle.

Orchestrated collaboration with the agency's legal division and key stakeholder teams through weekly meetings, resulting in the development of data protection strategies that reduced the risk of non-compliance by 70% for contractor systems.

Independently generated quantitative risk scoring mechanisms to evaluate risk for contractor systems that did not align with NIST requirements. The scoring incorporated independent audit reports (i.e. SOC, ISO, etc.) to provide the authorizing official with a qualitative level of assurance on the residual risk the system presented to the FDIC. The assessment standard was adopted as a formalized process for all contractor systems at FDIC. Further responsibilities included successfully overseeing a team of 6 Independent Validators to manage division and office engagement.

Implemented the emergency ATO process and developed templates to support bank closure activities. This process considered contract execution timelines and product team constraints, reducing the standard ATO cycle of 120 days and allowing the issuance of an ATO within 7 days. The E-ATO process was used to support the unexpected bank closures of 2023, allowing the FDIC to conduct closures and acquisitions in a short amount of time.

Managed the review of all FDIC IT procurements, averaging 10 weekly submissions, and provided recommendations on FAR clauses based upon the level of service provided by the vendor. This required the analysis of business requirements, understanding of security requirements, and understanding the impact of FAR clauses. Served as a non-voting SME in TEP reviews, providing written technical feedback advising division leadership whether a vendor's security approach aligned with the organizational risk posture.

Acted as a liaison between FDIC OCIO and the FedRAMP program office to keep abreast of new cloud system requirements. Provided input into the assessment and compliance guidelines for security and privacy controls allowing the organization to maintain and lead forward when implementing cloud system requirements.

Coalfire Federal Inc.; Senior Practice Manager: Cybersecurity Maturity Model Certification (CMMC) Federal Practice Lead, and Coalfire Systems Inc.; Security Control Assessor

Full Time, 40 hours/week

September 2019 – November 2021

Influential in the direction, development, and implementation of internal CMMC assessment methodologies, lessons learned, procedures, and templates. Successfully led the development of the CMMC practice at Coalfire Federal.

Directed a group of 2 assessors in a gap analysis of 3 major Amazon Web Services (AWS) enclaves against the NIST SP 800-171A Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements. Leveraged industry-established assessment criteria to appropriately identify security gaps in relation to CUI protection. Provided project management guidance to client stakeholders when establishing submission dates for CMMC certification.

Significantly contributed intellectual capital when conducting a gap analysis of 3 major Google products against the and Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements. Responsible for the identification of risks, evaluation of practice deficiencies, and recommendations on remediation efforts consistent with organizational policy and regulatory requirements. Developed testing approaches and recommendations for test plan modifications that improve validation of control objectives. Test procedure development covered a wide range of diverse topics, from managerial to technical and operational.

Further, this business development required close interaction with the marketing and sales department to tailor invoicing to specific clients based upon the assessment scope and client need.

Advised senior leadership on any assessment and authorization issues, assessment methodologies and process deviations. At the conclusion of each security assessment activity, prepared the final Security Assessment Report (SAR) containing the results and findings from the assessment. Initiated POA&Ms with identified weaknesses and suspense dates for each IS, based on findings and recommendations from the SAR. Led the development of Test Plans and Standard Operating Procedures (SOPs) in order to conduct security reviews and technical research.

In the span of 4 months, led and supported the review, detection, and documentation of gaps and conflicting information within the Body of Evidence (BoE) (i.e. SAR, SSP, Automated Scan Tool Report, POA&M) presented during 5 agency system validation assessments. This spurred the agency under test to reduce cyber risks by 5% in addition to highlighting critical vulnerabilities in security controls. As a critical asset to the assessment team, by client request, provided SME input into actionable recommendations for remediation, ensuring compliance with industry standards, ultimately strengthening the overall security posture and protecting sensitive data. Made technical recommendations to the system owner or designee for improving TTPs for better cyber threat protection.

Led, presented, and successfully won the Request for Proposal (RFP) for a federal cyber security support services contract worth over $500,000. This involved developing cyber security language to be included in the technical proposal, working with the sales department to derive cost, and presenting the technical proposal on executing cybersecurity services specific to the agency.

National Credit Union Administration

Information System Security Officer, Full Time, 40 hours/week, CU-14

September 2018 – September 2019

Served as the principal advisor and liaison between the Business and the Office of the Chief Information Officer on the security status of 10 information systems, 2 being systems heavily integrated with the agency field activity. Ensured the rigorous application of information security, information assurance policies, principles, and practices in the successful delivery of 4 new ATO packages.

Coordinated with the privacy office, business representatives, and security representatives across NCUA to update and redefine implementation statements within the system Authorization Package, thus ensuring the appropriate security controls are applied during the appropriate SDLC phase and ensuring integrity, confidentiality, and availability. This included preparing and reviewing System Development Life Cycle (SDLC) and Assessment and Authorization documentation for newly developed systems. Received an on-the-spot award for providing a direct engineering solution to a long-standing problem in a login page for a system under development.

Developed the Authority to Use (ATU) process for FedRAMP and IT Services. Performed independent risk and vulnerability assessments in addition to providing recommendations on system network boundaries, applications, and/or network implementation to ensure that appropriate security measures are in place and are being enforced. Reported on the Plan of Action and Milestones (POA&M) status monthly or quarterly to system owners, office officials, and key stakeholders.

Department of Agriculture - Office of the Chief Information Officer - Office of Information Security

Cybersecurity Policy Program Manager, Full Time, 40 hours/week, GS-14

July 2017 – September 2018

Served as the subject matter expert to the Chief Information Security Officer, Chief Information Officer and Senior Agency Officials for Cybersecurity on cybersecurity policies and procedures and IT Security Audit. Responsible for leading a team of 2 in the maturation and review of the departmental-level "USDA 3500 - 3599 Cyber Security" Series. This consisted of 18 Departmental Regulations and 7 Departmental Manuals utilized by the USDA's 29 agencies and offices.

Spearheaded the policy development and approval process improvement initiatives with two primary goals: 1) to streamline and reduce the time needed to develop and approve policy to no greater than 120 days and 2) to help OIS enhance its overall customer experience. This successfully led to the reduction of the policy approval process by 5 steps in the 12-step process.

Participated in OIG audit reviews in support of addressing corrective action plan close-out and providing audit feedback. Led the successful closure of 3 long-standing agency audit findings and submitted 2 others for review.

Led USDA collaboration with DHS to develop the USDA Cybersecurity Policy Operations Guide (CPOG). The CPOG is a quick reference guide to USDA and Federal cybersecurity. The first of its kind, the USDA CPOG provides those working in various cybersecurity roles at USDA with an overview of key documents and programs that are shaping and influencing not only the USDA, but also the entire Federal cybersecurity landscape.

Obtained FAC-COR 1 to act as Branch COR, reviewing and informing the CPO and/or Procurement Office of work that is accepted or rejected. Worked closely with Contract Managers to resolve irregularities or other problems in the procurement process and protests. Collaborated with Contract Managers to monitor suppliers' compliance with deliverables as well as monitoring progress reports and work plans; identified opportunities to standardize business processes.

Department of Defense - Department of the Navy

IT Specialist - Information System Security Officer/Information System Security Manager

Full Time, 40 hours/week, NT-4

December 2014 – July 2017

Served as an embedded Information System Security Officer under the Cyber Security Support Branch for the Cyber Security (CS) Division. Worked to integrate Cybersecurity methods/techniques into all aspects of aviation system development. Ensured the Confidentiality, Integrity, and Availability (CIA) of systems, networks, and data IAW DoDI 8510.1, 8500.2, and agency policy and procedures.

Performed continuing analysis of in-place Cybersecurity plans/programs/processes to ensure they provide an optimized level of security for the customer's IT assets/operations and are responsive to the customer's rapidly changing operational requirements for system security.

Conducted systems security evaluations, audits and reviews, and conducted risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities, risks, and protection needs. This led to the reduction of identified vulnerabilities by 20%.

Constructed, updated, and maintained DIACAP and Risk Management Framework (RMF) documents for Information Technology (IT) Systems, PIT Systems, PIT, IT Products, and IT Services within NAVAIR Systems.

Acted as a Cybersecurity SME to relay and recommend new policy requirements and communicated the Program's needs to competency management and peers. Assisted in the development of short- and long-term strategies across the PMA Cybersecurity Program that took a broad view to achieve significant results in support of the organization's goals and strategic plan.

Applied metrics to improve the quality of products and services to render them effective and efficient; implemented solutions for standardization through quality Standard Work Packages (SWPs), Standard Operating Procedures (SOPs), embedded ISSM guidance and automation within the Program; and participated in Program Management Reviews with AIR 7.2.6 and Program Office leadership to measure customer satisfaction and quality of products and services, serving as an ongoing liaison with customers/leadership/management.

Supported the Cybersecurity Program Management efforts to meet PMA-268 cost, schedule, and performance thresholds based on the needs of the Program, and led the development of the Integrated Master Schedule (IMS) for Cybersecurity efforts in support of PMA-268 based on Program direction and schedule.

Led a unit of intern IT Specialists tasked with researching and developing a technical white paper on security requirements and ensured that the new security requirements were "designed into" the new PIT systems. Cybersecurity requirements from this effort were accepted into the design specification. Ensured Cybersecurity requirements were incorporated in all Requests for Proposals and Statements of Work, and reviewed Work Breakdown Structures and Bases of Estimates.

Provided recommendations on system network boundaries, applications, and/or network implementation to ensure that appropriate security measures are in place and are being enforced.

Chosen by the branch head to serve a short term as acting ISSM for PMA-290. Day-to-day activities involved setting team tasks and priorities across diverse technical specialties and a diverse customer base, project management, identifying and integrating optimal cyber security techniques and processes into program operations, and ensuring consideration of cyber security issues in staff meetings, program reviews and other discussions of work status and progress.

Worked daily to oversee, evaluate, and/or support the documentation, validation, and accreditation processes necessary to assure that systems met the organization's information security requirements. Provided leadership briefs to advise appropriate senior leadership or the authorizing official of changes affecting the organization's information security posture. Reported on the Plan of Action and Milestones (POA&M) status monthly or quarterly to various officials.

Interpreted legislation and produced IT security policy at the level of risk management required, in concert with strategic and architecture plans. Provided support in assessment and authorization (A&A) activities, such as providing System Owners with an independent review of A&A efforts in compliance with applicable policies, and reviewed security test plans and results to ensure evaluations of security controls for systems had been carried out according to accepted standards and practices.

Booz Allen Hamilton

Lead Technician

Full Time, 40 hours/week

May 2009 – December 2014

Worked as an Information Security Specialist conducting security reviews for Civil Support Teams (CSTs) in order to ensure network security requirements were appropriately met.

Worked as a part of the Enterprise Process Automation System (EPAS) team, creating and managing electronic forms with the Adobe LiveCycle tool, utilizing XML Schema. Further, worked with key stakeholders to develop requirements for new agency systems. This allowed the newly developed system to move into production and achieve a high user acceptance rate.

Provided rapid, client-focused technical support to over one hundred agency-wide users. Worked within a Metastorm environment correcting system crashes and providing data recovery assistance. Worked to generate diagnostics, resolved system issues, and documented help desk tickets/resolutions as an extension of troubleshooting tasks. Also engaged in appropriately identifying and tracking high-priority issues, with responsibility for the timely documentation, escalation (if appropriate), resolution and closure of trouble tickets.

Led the update to information security policies and procedures and the development of a standard process for information security assessment. Worked to author the "Security Assessment Reporting Procedures" and the "Security Assessment Tracking Procedures". This guidance successfully assisted system owners through the assessment process.

Designed test plans and performed risk assessments of information systems to identify risks and validate the extent to which security controls were properly implemented in reference to NIST SP 800-53, SP 800-53A and NIST SP 800-30.

Was responsible for gathering and analyzing technical security findings provided in the Security Assessment Report (SAR) and updating the System Security Plans (SSPs) for each of the twenty-one (21) Information Systems of the SSA.

Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices. Conducted policy gap analysis and worked with SMEs to align policies with the National Institute of Standards and Technology (NIST) Special Publication 800-53, revision 4 guidance.

Assumed the lead of the Data Loss Prevention sub-task. Responsibilities for this task included collecting subsystem information from 21 information systems, identifying PII (Personally Identifiable Information) contained within the systems, and building system data flow diagrams to document the ingress and egress of secure information.

Assumed a leadership role to draft the Pre-Assessment Questionnaire/Checklist for the External Business Partners/Vendors sub-task. Worked closely with NIST guidance to identify NIST 800-53 controls that determine the security posture of external vendors/business partners and identify the security risks they would introduce to the agency. Responsibilities for this task included reviewing a sampling of vendor contracts, evaluating and auditing current FISMA compliance for vendors working with the SSA, identifying the minimum requirements needed for external vendors and business partners, and then developing an assessment framework to establish requirements for future vendors.

Certifications

Microsoft Certified: Power Platform Fundamentals

Certified Cloud Security Professional (CCSP)

Cybersecurity Maturity Model Certification (CMMC)-AB Provisional Assessor

CompTIA Secure Cloud Professional (CSCP)

Certificate of Cloud Security Knowledge (CCSK)

CompTIA Cloud+

Certified Expert Independent Assessor (CEIA)

Certified Information System Security Professional (CISSP)

Navy Qualified Validator (Level 2)

Intermediate Navy Validator

Certified Authorization Professional (CAP)

Certified Network Defense Architect (CNDA)

Certified Ethical Hacker (CEH)

EC-Council Certified Security Analyst (ECSA)

CompTIA Security+ CE
