Annick Murdock
(Present Location: Saint Charles, MD 20603 | Security Clearance: Top Secret & Level 6C Public Trust)
Professional Summary:
Seasoned Senior Cybersecurity Professional with 15+ years delivering secure, efficient, and compliant solutions across federal and DoD environments. Possess a strong working knowledge of the NIST Risk Management Framework (RMF) and its application in assessing and managing cybersecurity risks within organizations, including familiarity with the NIST SP 800-53 control families and assessment approaches. Proven ability in conducting comprehensive risk assessments, including identifying potential vulnerabilities, assessing risks, and recommending appropriate mitigation strategies for cloud service providers. Initiate, plan, and direct the ISSO's work activities to ensure successful audits and assessments directed by Federal customers. Coordinate the data calls and information-gathering requests directed by external auditors and Federal oversight to ensure timely and complete responses.
Education:
Master of Science, Cybersecurity and Information Security - Capitol Technology University (2016)
Bachelor of Science, Internetworking Technology – Strayer (2006)
Agencies Supported:
Department of Education, United States Secret Service, Department of Energy, United States Marshals Service, Department of Health Care Services, Drug Enforcement Administration, Transportation Security Administration, United States Mint, Federal Communications Commission (FCC), and a few other agencies.
Professional Training and Certifications:
Microsoft Certified Professional (MCP)
Certified in Governance, Risk and Compliance (CGRC)/CAP
AccessData Certified Examiner (ACE)
Security+ (CompTIA)
Project Management Professional (PMP) – In Progress
CCSK (Certificate of Cloud Security Knowledge) – In Progress
Core Competencies:
Risk Management Framework (RMF)
Governance, Risk & Compliance (GRC) Leadership
Enterprise Risk Management (ERM)
Risk Mitigation & Executive Reporting
National Institute of Standards and Technology (NIST) Special Publication 800-37 and related series
NIST SP 800-171 Controlled Unclassified Information (CUI) and NIST RMF compliance for DoD
Federal Information System Controls Audit Manual (FISCAM) compliance
OMB A-123 Financial Assessments
FedRAMP 3PAO Accreditations
Cyber Security Assessment and Management (CSAM)
Archer
Professional Experience:
Department of Education, Washington, DC
August 2020 – July 2025
ED - Office of the Chief Information Officer (OCIO) - Sr. Security Assessment Specialist
Served as Sr. Assessor for the Department of Education (ED) Risk Assessment Services, providing critical security assessment and authorization support to the Office of the Chief Information Security Officer (CISO) and ensuring compliance with the NIST RMF, FedRAMP mandates, and ED policies.
Conduct security control assessments for ED systems (review, document, evaluate and test security controls)
Maintain assessments and assessment results in identified repositories, including the Cyber Security Assessment and Management (CSAM) GRC tool
Led IV&V of Cloud Service Providers to validate technical, operational, and management controls prior to ATO issuance.
Provide support and guidance to the Information System Security Officer/System Owner (ISSO/SO) through the POA&M remediation process and C&A progress, including compliance monitoring of C&A artifacts and annual self-assessments (NIST SP 800-53 Rev. 5)
Schedule and spearhead Audit/Assessment preparation and remediation meetings
Work with IT Operations and Cyber Security team to review and complete audit/assessment checklist
Maintain POA&Ms inputs in CSAM GRC tool
Ensure security control assessments are tracked and update the ISSM
Schedule and perform internal self-assessments and spot checks to ensure the teams are meeting established benchmarks
Coordinate audit activities (interviews, documentation and artifact requests, vulnerability scan analysis and remediation)
Coordinate and track remediation of internal assessment findings to ensure mitigation
Provide monthly/quarterly POA&M metrics for internal assessments
ED - National Assessment Governing Board (NAGB) - Sr. Subject Matter Expert/Consultant
Served as Subject Matter Expert for the Department of Education (ED), National Assessment Governing Board (NAGB) Program Office, providing critical security assessment and authorization support for NAGB systems. Tasks included, but were not limited to:
Phase I: Boundary Confirmation, Controls Tailoring, Baseline & Implementation Statement Development
Perform a deep-dive review of the NAGB website's architecture and design to obtain an in-depth understanding of the system's boundary along with its associated platforms, operating systems, applications, data, the security capabilities of each of these components, their locations (e.g., on-premises, cloud-based, or hybrid), and how users access the system.
Conduct control tailoring to align the system's 'Moderate' baseline of security controls with the NIST SP 800-53 Rev. 4 catalog of controls within CSAM.
Document security and privacy controls as implemented by the system within CSAM, along with each control's current implementation status, its inheritance status (e.g., fully inherited or hybrid/partially inherited), and identification of the control's owner(s).
Phase II: Self-Assessment
Conduct a self-assessment of each security and privacy control along with their associated control enhancements to ensure that they have been implemented, are operating as intended, and are producing their desired outcomes.
Develop a POA&M within CSAM for each non-compliant control that identifies the plan's owner, detailed remediation or mitigation procedures, and a suspense date for completion.
Work with the website's vendor on the implementation of technical corrective actions to remediate findings identified in the POA&M.
Phase III: ATO & OSA Enrollment
Obtain a successful baseline assessment from the NAGB Security Controls Assessor (SCA) that results in the issuance of an ATO for the website.
Complete OSA enrollment for NAGB.
Department of Education - Office of the Chief Information Officer (OCIO), Washington, DC
August 2017 – August 2020
Cybersecurity Engineer
Served as cybersecurity engineer supporting OCIO Shared Infrastructures & Services; led security architecture for cloud and on-prem environments.
Architected and implemented secure enterprise cloud solutions in alignment with NIST SP 800-53 Rev 5, FedRAMP, FISMA, and the DoD Cloud Computing SRG.
Led enterprise cloud service evaluations, including deep reviews of FedRAMP packages, vulnerability assessments, and compliance documentation.
Consolidated legacy and redundant platforms into a best-of-breed shared services architecture, yielding significant annual cost savings and risk reduction.
Developed and maintained security architecture documentation, diagrams, and configuration baselines guiding secure implementation and sustainment.
Coordinated with the Agency FedRAMP PMO on continuous monitoring deliverables, POA&M analysis, and control remediation verification.
Delivered executive-level briefings translating complex technical risk into actionable decisions aligned with mission priorities.
Embedded security throughout SDLC, including Agile and DevSecOps practices, via close partnership with ISSOs, owners, and engineers.
Evaluated cloud solutions, security implementations, and managed service providers.
United States Secret Service, Washington, DC
March 2016 - September 2017
Information System Security Officer (ISSO)
Applied RMF to national security systems across classified and unclassified environments in compliance with NIST SP 800-53 and DHS directives.
Directed assessment, authorization, and continuous monitoring; coordinated with AOs and ISSMs to sustain operational readiness.
Led enterprise risk and vulnerability assessments; implemented mitigations that materially reduced high-risk findings.
Authored and maintained SSPs, SARs, and Continuous Monitoring Plans in accordance with DHS and NIST guidance.
Enforced AIS security policies and insider-threat safeguards for privileged and general users.
Provided security architecture and engineering input to integrate protections into system and network designs through CCB.
Coordinated incident response with SOC and forensics teams; preserved evidence for potential law-enforcement actions.
Delivered executive briefings on posture, RMF progress, and emerging threats; advised leadership on risk trade-offs.
Embedded security across SDLC (Agile/DevSecOps) by partnering with developers, network engineers, and operations.
Conducted vulnerability and configuration management for Windows and Linux systems supporting secure cloud-hosted applications.
Department of Energy, Washington, DC
September 2014 – February 2016
Information Systems Security Officer (ISSO)
Led A&A for high-impact systems per NIST SP 800-53 Rev 4, DOE directives, and FISMA requirements across the full lifecycle.
Formal liaison to ISSM/AO for accreditation-impacting changes; enabled timely, risk-based decisions.
Performed continuous monitoring and network security audits using approved tools to identify vulnerabilities and track remediation.
Authored SSPs, SARs, and Contingency Plans; maintained audit-ready documentation and evidence repositories.
Validated configuration management and change control for security-relevant updates prior to implementation.
Advised system owners on POA&Ms, incident reports, and technical vulnerability assessments to sustain authorization.
Coordinated compliance with DOE encryption, access control, and incident response policies; led incident investigations and RCAs.
Accelerated closure of audit findings via prioritized remediation and governance improvements.
Managed security for cloud-integrated systems, coordinating with system administrators on patching, baseline enforcement, and continuous monitoring.
United States Marshals Service (USMS), Arlington, VA
June 2011 – November 2014
Information System Security Officer (ISSO)
Primary liaison with system owners, AOs, ISSM and SOs to obtain and maintain system authorization.
Prepared and maintained SSPs, SARs, and continuous monitoring strategies; ensured audit readiness.
Managed POA&M remediation and ongoing authorization requirements.
Drove process improvements that streamlined vulnerability management and reduced risk.
Oversaw security architecture/engineering to integrate safeguards into designs and infrastructures.
Embedded security requirements across SDLC (Agile and waterfall); governed documentation repositories for consistency.
Reviewed change requests for configuration/security impacts; ensured proper testing and approvals.
Delivered executive briefings on security status, vulnerabilities, and remediation progress.
Coordinated with operations, engineering, and application teams to maintain compliance with federal standards.
Department of Health Care Services (DHCS), Washington, DC
February 2011 – October 2011
Sr. Security Analyst
Directed the IT Security Program in compliance with FISMA, HIPAA, OMB A-130, and FIPS requirements for sensitive health/financial data.
Developed enterprise IT security policies and procedures aligned to mission and regulatory mandates.
Authored the IT Security Handbook based on NIST SP 800-53 Rev 3 minimum controls for enterprise adoption.
Led Certification & Accreditation (C&A), produced documentation, gap analyses, and tracked remediation to meet SLAs.
Established and managed Internal Audit; scheduled assessments and drove timely closure of findings.
Performed risk/readiness assessments; recommended mitigations to achieve HIPAA and NIST compliance.
Delivered security awareness training; mentored junior analysts to elevate team performance.
Streamlined remediation processes and enhanced monitoring to reduce open audit findings.
United States Marshals Service (USMS), Arlington, VA
June 2010 – November 2010
Subject Matter Expert (SME)
Advised on DOJ-compliant C&A for GSS and MAs per NIST SP 800-37/800-53 and DOJ security policy.
Executed technical/programmatic security control assessments; evaluated architectures, integration plans, and risk strategies.
Reviewed and documented SSPs, SARs, and artifacts in accordance with NIST SP 800-18 and agency requirements.
Guided ISSOs/System Owners through POA&M remediation and ongoing authorization requirements.
Tracked compliance with annual assessments, vulnerability scans, and continuous authorization milestones.
Provided support and guidance to the Information System Security Officer/System Owner (ISSO/SO) through the POA&M remediation process and C&A progress, including compliance monitoring of C&A artifacts, annual self-assessments (NIST SP 800-53), and vulnerability scans.
Drug Enforcement Administration (DEA), Washington, DC
October 2008 – June 2010
Sr. Security Engineer
Supported Office of Security Programs, Information Security Section, and IA Unit on C&A for classified and SBU systems.
Used CSAM to document/manage/report security risk assessments in alignment with DOJ, NIST, and DISA STIG standards.
Implemented and validated security baselines for Windows, Linux, and network devices per DISA STIGs.
Coordinated continuous monitoring within SDLC; tracked remediation for vulnerabilities and configuration deviations.
Served as liaison to the DEA Classified Configuration Control Board for changes to HW/SW, infrastructure, and patches.
Provided security architecture guidance during design reviews to meet DOJ/NIST requirements.
Performed risk assessments and gap analyses; recommended technical/procedural controls to mitigate risks.
Reviewed vulnerability scan results and coordinated timely remediation with owners /admins.
Authored/updated SSPs, SARs, and POA&Ms to maintain audit readiness and reauthorization.
Streamlined interdepartmental coordination to shorten accreditation timelines.
Transportation Security Administration (TSA), Arlington, VA
Jan 2008 – Jun 2008
Sr. Security Analyst
Developed and maintained C&A packages for GSS and MAs per NIST SP 800-37/800-53 and federal standards.
Recommended FIPS 199 impact levels and mapped appropriate security controls by system criticality.
Managed POA&Ms in the Trusted Agent FISMA Tool (TAFT), ensuring timely mitigation and closure.
Guided ISSOs and System Owners through remediation, annual self-assessments, and vulnerability reviews.
Executed control assessments to validate safeguard effectiveness and identify residual risk.
Reviewed configuration management to ensure security-relevant changes were tested, documented, and approved.
Aligned security activities with mission objectives through liaison with project/security leadership.
United States Mint, Philadelphia, PA
August 2006 – December 2007
IT Security Auditor III
Led security audits and compliance reviews for GSS and MAs per NIST SP 800-37/800-53, FISMA, and Treasury mandates.
Maintained C&A documentation (SSPs, SARs, Continuous Monitoring Plans) and evidence repositories.
Recommended FIPS 199 impact levels; validated control selection and effectiveness by mission need.
Managed POA&M development/tracking for accepted risks; ensured timely remediation and continuous authorization.
Conducted vulnerability assessments and coordinated penetration test activities; documented mitigations.
Collaborated with owners/admins to implement safeguards in line with DISA STIGs and federal encryption policies.
Resolved audit findings within mandated timelines and reduced repeat findings through root-cause fixes.
Presented audit/compliance summaries to leadership to inform risk prioritization and resourcing.
Standardized documentation templates/workflows to reduce package completion time.
Counterpane Internet Security, Mountain View, CA
December 2005 - August 2006
SOC Analyst
Operated in a 24x7 SOC, monitoring, detecting, and escalating security events across diverse client environments.
Analyzed IDS/IPS, SIEM, and firewall logs to identify threats and determine response actions.
Managed incident response/escalation; coordinated with engineering teams for rapid resolution.
Maintained security devices (IDS signatures, firewall rules, patches) to counter emerging threats.
Served as Engineer on Duty for high-priority incidents, change requests, and emergency escalations.
Onboarded new clients and configured security devices to meet security requirements.
Developed correlation rules to improve detection and reduce false positives; documented SOC procedures.
Delivered client briefings summarizing incident trends, vulnerabilities, and remediation guidance.
US Courts, Thurgood Marshall Courthouse, New York City, NY
January 2005 – December 2005
Network Security Analyst
Monitored IDS, host-based tools, and service health checks to ensure availability and security of critical infrastructure.
Investigated alerts from Nagios and ISS consoles; performed root-cause analysis and escalated critical events.
Executed penetration testing and vulnerability scanning; recommended remediation to administrators.
Tuned IDS signatures, firewall rules, and ACLs to enhance detection accuracy and reduce false positives.
Collaborated across teams to resolve network/system security incidents; authored incident/SOP documentation.
Reviewed configurations for compliance with judiciary IT security policies; planned security upgrades.
Federal Communications Commission (FCC), Washington, DC
Mar 1998 – Dec 2005
Tech Support Specialist
Delivered Tier 1–3 support for 2,500+ users; resolved hardware, software, and connectivity issues in a high-demand environment.
Helpdesk Team Lead overseeing daily operations and SLAs; recognized for 95%+ customer satisfaction.
Led new PC rollout: hardware installation, software config, data migration, and application setup to reduce deployment time.
Managed Microsoft Exchange 5.5 accounts and mailboxes; executed system builds and patches per SMIS SMP standards.
Provided remote/in-person assistance to field offices; developed knowledge base and training materials.
Partnered with network/systems teams to resolve escalations, outages, and security incidents while maintaining compliance.