Ultra-Technologies is seeking an experienced Senior Information Assurance Policy Engineer to work on a small cyber security team for a current active Defense Health Agency (DHA) project supporting the Defense Healthcare Management System (DHMS) and its program offices in Arlington, VA to provide:
- Engineering, Cyber Security, and Configuration Management (ECCM) activities using the Risk Management Framework (RMF) to categorize systems in accordance with CNSSI 1253, including the selection, implementation, assessment, and authorization of system and application security controls.
- Use of the Enterprise Mission Assurance Support Service (eMASS) toolset to perform all RMF subtasks.
- Development of risk mitigation strategies that ensure performance accountability and cost effectiveness, including assisting with policy interpretation, devising and/or assessing implementation methods, assessment procedures, cyber engineering solutions, and cyber architectural strategies.
The candidate should have a bachelor's degree in a computer or cyber security related field. A mathematics-based technical degree such as Computer Science or Computer Engineering is desirable.
In addition to a degree, the candidate MUST have an active DoD Secret clearance and the following:
- 5+ years of specialized Information Assurance experience on Department of Defense IT systems.
- Should currently hold DoD 8570 certifications and qualify as an IAT II or IAM II.
- Must have extensive working knowledge and experience with NIST, DISA, and DoD Security Standards and Risk Management Framework (RMF) processes.
- Must have experience working on and documenting the Risk Management Framework process through to an Authority to Operate (ATO).
- Experienced in cyber security management using the Enterprise Mission Assurance Support Service (eMASS).
- Experienced in reporting and managing POAMs using JAZZ LMT and eMASS.
- Experienced in writing cyber security policies and procedures.
- Must have a working knowledge of the Assured Compliance Assessment Solution (ACAS) assessment tool.
- Experience with vulnerability and code-scanning tools (ACAS, Fortify): running scans, evaluating results, and determining remediation steps.
- Experienced in network security, continuous monitoring, system auditing, and security policy development.
- Experience writing POAMs, including detailed justifications for program-required non-compliant items, and a thorough understanding of and experience with the Federal Information Security Management Act (FISMA).
- Experienced in vulnerability remediation activities, scanning and analysis, and STIG/manual checklist auditing.
- Experience in completing the DoD CIO Scorecard.
- Ability to work on multiple projects concurrently within deadlines while conveying complex information clearly, accurately, and concisely, both under normal conditions and in crisis situations.
- Should have working knowledge of database security principles and practices. Qualification and/or experience as a database administrator is a plus.
- Experience with penetration testing and software code-checking techniques used in the SCQC function is a plus.
Ultimately the chosen candidate should:
- Possess additional certifications such as CISSP, CISM, or CAP, working towards becoming IAT III or IAM III qualified.
- Must have the ability to think inductively to assess the suitability of procedural or environmental security mitigations where technical solutions are not possible or would require unacceptable levels of resources to implement.
- Superior verbal and written communication and customer-service skills, including presenting to senior government officials.
- Must have the ability to clearly express thoughts in written documentation that follows all norms of grammar, punctuation, and spelling, as well as technical documentation preparation standards and expectations.
- Should also be able to express complex security issues in a manner that can be understood by non-technical and/or non-security personnel.
- Must be able to think strategically and avoid getting wrapped up in minor details.
- Must have expert knowledge and extensive experience with the DoD RMF Assessment and Authorization process, to include documenting that process using eMASS or another similar automated system such as Xacta. Experience with the DIACAP and DITSCAP processes is desirable.
- Should have thorough understanding of and experience with the Federal Information Security Management Act (FISMA) and its reporting requirements.
- Must be able to assess the acceptability of Configuration Management, Incident Response, and Contingency Response programs.
If you have the following desired skills, you will also be considered:
- Additional 8570 certifications such as CISM, CAP, Security+, CISSP, CCSP, HCISPP, CEH.
- CompTIA CySA+, CASP, PenTest+.
- Experience in DoD Healthcare IT and/or electronic health record (EHR) systems.
- Experience with the IBM Jazz tool suite.
- Cerner Millennium EHR.
- Interoperability with other defense agencies, including the VA (VistA) and the Defense Information Systems Agency (DISA).
- Industry best practices such as ISO, CMMI, Lean Six Sigma, and Agile Scrum.
Knowledge of the following is a plus:
- System Development Lifecycle (SDLC) experience: requirements, use cases, release management, testing, risk management, change management, and configuration management.
- Service Oriented Architecture (SOA), Web Applications, Security Architecture, Relational databases.
- Installing, managing, maintaining, administering, and troubleshooting applications, and documenting technical guides.
- Software Development and Documentation Standards (SDDS).
- Department of Defense (DoD) acquisition lifecycle, working on a major acquisition program.
- Program/system(s) adherence with DoDI and DoDD.
- Should be able to qualify as an IAT III or IAM III in accordance with DoD 8570 requirements.
If you have the above qualifications, we want to hear from YOU!
Ultra Tech has a great benefits program (medical, dental, vision):
- 80 hours of vacation each year
- 40 hours of paid sick leave
- 10 paid holidays (New Year's, Thanksgiving, Christmas, etc.)