Cyber Security/Risk Management Support Analyst

Hampton Roads, VA


ARSIEM

Advanced IT Consulting Solutions


About ARSIEM Corporation
At ARSIEM Corporation we are committed to fostering a proven and trusted partnership with our government clients. We provide support to multiple agencies across the United States Government. ARSIEM has an experienced workforce of qualified professionals committed to providing the best possible support.
As demand increases, ARSIEM continues to provide reliable and cutting-edge technical solutions at the best value to our clients. That means a career packed with opportunities to grow and the ability to have an impact on every client you work with.
ARSIEM is looking for a Cyber Security/Risk Management Support Analyst. This position will support one of our Government clients in Hampton, VA.

Responsibilities

  • Develop and maintain the Security Plan.
  • Develop a Security Assessment Plan, including the AOS System Security Plan, Security Assessment Report, Risk Assessment Report (RAR), and an up-to-date POA&M.
  • Monitor and track execution of POA&M for AOS to identify and monitor corrective action for weaknesses and deficiencies found during a security assessment.
  • Perform required cybersecurity analyst (CSA) RMF process steps, including Categorize System, Select Security Controls, Implement Security Controls, and Assess Security Controls.
  • Review and adjudicate system security categorization decisions for the AOS as well as final security control sets.
  • Review the Security Plan and System Level Continuous Monitoring Strategy.
  • Guide AOS on RMF processes and procedures for the AOS domain enclave of the Air Force Enterprise.
  • Categorize and describe information systems in the following capacity: Categorize Information System – categorize the information system and document the results of the security categorization in the security plan. Deliverables: a written subsection of the Security Plan covering FIPS 199 Security Categorization and Threat Assessment, and a written System Definition Document as a subsection of the Security Plan.
  • Guide Stakeholders on the RMF assessment process.
  • Support in embedding cybersecurity and the Risk Management Framework actions and checkpoints into the appropriate point in the System Life Cycle (SLC) Management Policy, developing tools, procedures and templates to support CS and RMF execution under the SLC.
  • Submit status reports on open action items (to include projected completion dates), issues/concerns and lessons learned.
  • Provide technical analysis of RMF artifacts and authorization documentation.
  • Perform all required CSA RMF process steps, including Categorize System, Select Security Controls, Implement Security Controls, and Assess Security Controls.
  • Assess approved technical and non-technical security features to address known threats and vulnerabilities. The assessment must consider and identify impacts and consider existing risk mitigation strategies.
  • Risk Management Assessment will be accomplished IAW NIST SP 800-34 Contingency Planning Guide for Federal Information Technology Systems; NIST SP 800-47 Security Guide for Interconnecting Information Technology Systems; NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems; OMB A-130 Managing Information as a Strategic Resource; NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, current edition; NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems; NIST SP 800-30 Guide for Conducting Risk Assessments, current edition; NIST SP 800-39 Managing Information Security Risk; Committee on National Security Systems Instruction 1253, Security Categorization and Control Selection for National Security Systems; Subchapter III of chapter 35 of Title 44, United States Code (Federal Information Security Management Act (FISMA) of 2002); and NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.
  • Act as an independent and impartial assessor to determine and certify aggregate cybersecurity risk for recommendations.
  • Complete Checkpoints (as described in Appendix K of Risk Management Framework Process Guide, Version 2.0, 4 August 2017) for the CARP/ADIS and provide recommendations for the Security Assessment Plan, ensuring all appropriate security controls will be assessed for compliance.
  • Provide quality assurance of an RMF Security Assessment Plan related to cybersecurity risk.
  • Select, Implement, Assess, and Monitor Security Controls IAW RMF/NIST standards.
  • Assess software assurance program, identifying deficiencies and needs for processes, people and tools. Document results in an actionable whitepaper.
  • Review proposed mitigations, requests for risk acceptance, and the rationale for stated residual risk acceptance.
  • Provide evaluation results on an official form used to verify AOS leadership's awareness of or risk acceptance.
  • Integration of RMF and the Federal Information System Controls Audit Manual (FISCAM).
  • Develop control level mapping for FISCAM application controls to RMF controls; support documentation of superset controls; update assessment procedures to include FISCAM reviews.
  • Identify automated tools available to support control-level monitoring. Deliverables include superset controls, updated guidance and a tool gap assessment.
  • Assess current processes and templates, identifying deficiencies and needs. Guidance, processes and recommendations must facilitate robust implementation of applicable DoD, NIST and FISCAM standards. Support senior ISSM in developing a plan of action and milestones.
  • Develop eMASS administration, role-based instruction and procedures, and processes to facilitate uniformity, integrity and maintenance of eMASS instances. Deliverables include tools, templates, procedures and training.
  • Assess IT privacy program, identifying deficiencies and needs for processes, people and tools. Document results in an actionable whitepaper.
  • Provide focused, direct support and guidance to ISSM/SM staff analyzing control implementation and test statements, system artifacts, and overall assessment and authorization (A&A) authorization to operate (ATO) packages.
  • Ensure readiness for package submission; develop full A&A package examples for AOS system types, including mainframes and mid-tiers as appropriate, for re-use.
  • Develop methods to support the development and assessment of uniform A&A packages.
  • Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken.
  • The contractor shall perform the following System Approvals for Network Operations tasks:
  • Ensure IT software products receive and maintain Air Force enterprise authorization and comply with the higher-level policy as defined by DOD policy.
  • Ensure authorization and compliance with higher level policy as defined by DOD policy.
  • Develop the POA&M Report and Residual Risk Statement that will be included in the Risk Acceptance Recommendation Report / Briefing (slides and meeting support).
  • Risk Acceptance – Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.
  • Risk Determination – Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
  • Risk Acceptance Recommendation Report and Briefing (slides and meeting support).
  • Security Authorization Package – Assemble the security authorization package and submit the package to the authorizing official for adjudication.
  • Review and adjudicate system security categorization decisions for the AOS domain enclave of the Air Force Enterprise.
  • Coordinate recurring software certification of ADIS and CARP (including the addition of CARP software to the Joint Mission Planning System (JMPS) ATO), and of any further follow-on enterprise which may replace ADIS and CARP.

Minimum Experience

  • Minimum 3 years of experience in cybersecurity documentation and system authorization artifacts (System Security Plan, lifecycle documentation, continuous monitoring plan, Security Assessment Plan, Security Assessment Report, Risk Assessment, etc.).
  • Possess Information Assurance Management (IAM) Level III (DoD 8570.01). It is desired that the contractor possesses the Certified Information Systems Security Professional (CISSP) status. However, other DoD-approved IA management level III baseline certifications are suitable for this task.
  • Knowledgeable in the DoD Information Assurance Certification & Accreditation Process (DIACAP), RMF and NIST, with experience in security control and risk assessments.
  • Possess strong technical writing skills.
Clearance Requirement: This position requires an active Secret clearance. You must be a US Citizen for consideration.

Candidate Referral: Do you know someone who would be GREAT at this role? If you do, ARSIEM has a way for you to earn a bonus through our referral program for persons presenting NEW (not in our resume database) candidates who are successfully placed on one of our projects. The bonus for this position is $3,500, and the referrer is eligible to receive the sum for any applicant we place within 12 months of referral. The bonus is paid after the referred employee reaches 6 months of employment.
ARSIEM is proud to be an Equal Opportunity and Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status, age, or any other federally protected class.

Tags: CISSP, Clearance, Compliance, DIACAP, DoD, DoDD 8570, FISMA, IAM, Monitoring, NIST, Privacy, Risk assessment, Risk Assessment Report, Risk management, Security assessment, Security Assessment Report, Strategy, System Security Plan, Vulnerabilities

Perks/benefits: Career development, Salary bonus
