Security RMF Pen Tester & Technical Controls Assessor (0011)

Silver Spring, Maryland, United States

Applications have closed

OCT Consulting, LLC



Security RMF Pen Tester & Technical Controls Assessor

OCT Consulting, LLC is an SBA-certified, 8(a) small business management and technology consulting firm that provides support to Federal Government clients. We provide consulting services in the areas of Strategy, Process Improvement, Change Management, Program and Project Management, Acquisition/Procurement, and Information Technology.

Responsibilities and Duties

The ideal candidate has experience performing internal penetration testing, vulnerability assessments, and manual exploitation of servers, web applications/services, and databases to identify vulnerabilities, misconfigurations, and compliance issues. In addition, the candidate will have extensive experience performing FISMA technical controls assessments and writing final reports, penetration testing Rules of Engagement (RoE), test plans, and Standard Operating Procedures (SOPs).

OCT Consulting currently has an opening for an experienced Security Risk Management Framework (RMF) Technical Controls Assessor and penetration tester to support a Federal government client. The responsibilities of the Security RMF Technical Controls Assessor include:

  • Conduct custom penetration testing scoped to each Federal Information Security Modernization Act (FISMA) system's unique environment and role, based on the system's controls, schedule, and resources, and run concurrently with the information system assessment
  • Write final reports and defend all findings, including the risk or vulnerability, mitigation strategies, and references
  • Conduct internal penetration testing and vulnerability assessment of servers, web applications, web services, and databases
  • Manually exploit and compromise operating systems, web applications, and databases
  • Examine results of web/OS scanners, vulnerability scans, and static source code analysis
  • As needed, provide Penetration Testing, Vulnerability Scanning, and App Scanning using tools such as: Burp, Splunk, Nessus, SIH (Tripwire), AppDetective, WebInspect, Metasploit
  • Develop penetration testing Rules of Engagement (RoE) and deliver them to the team and clients
  • Understand how to create unique exploit code, bypass AV, and mimic adversarial threats
  • Help customer perform analysis and mitigation of security vulnerabilities
  • Research and maintain proficiency in tools, techniques, countermeasures, and trends in computer network vulnerabilities, data hiding, network security, and encryption
  • Work with the Assessor Lead to conduct the Assessment and Authorization (A&A) for the annual FISMA systems assessment
  • Establish the schedule and resources for the A&A of the annual FISMA systems assessments
  • Conduct verbal discussions/meetings to address progress of the A&A effort

  • Prepare and update security documentation such as System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), Risk Assessments, Privacy Impact Assessments (PIAs), and more

  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
  • Assist in preparing Security Assessment Plans (SAP) to document test and assessment procedures
  • Collect artifacts as proof that security controls are performing effectively
  • Conduct custom interviews based on initial analysis of the system’s security plan to assess compliance with security controls
  • Conduct system-specific review and assessment of applicable controls at each site to be assessed, including remote assessments (if applicable)
  • Implement and assess continuous monitoring for FISMA systems
  • Validate system inventories for the annual FISMA assessments

  • Gather and analyze sufficient artifacts to verify technical control implementation against agency security policies

  • Review relevant policies, schedule activities, and provide recommendations for courses of action

  • Complete comprehensive test plans for identified security controls following National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53), Federal Risk and Authorization Management Program (FedRAMP) guidance, and/or agency-specific guidance

  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence)
  • Produce complete, accurate, and timely findings reports
  • Develop documents and document templates
  • Promote an environment of continuous process improvement, learning and team collaboration

Qualifications and Skills

  • Must be a United States citizen

  • Two (2) or more years of experience with penetration testing preferred

  • Two (2) or more years of experience in technical controls assessments preferred
  • Two (2) or more years of experience with RMF preferred
  • Two (2) or more years of experience with A&A preferred
  • Must have hands-on technology experience (Engineering, Development, or Operations)

  • Strong familiarity with at least one of the following: Burp Suite, the Open Web Application Security Project (OWASP) Top 10, the Penetration Testing Execution Standard (PTES), and National Security Agency (NSA) Vulnerability and Penetration Testing Standards

  • Familiarity with the Cyber Security Assessment and Management (CSAM) System for system assessments, or other equivalent tools
  • Previous experience with security and scanning tools such as Burp Suite, Nmap, Splunk, Nessus, SIH (Tripwire), AppDetective, and WebInspect
  • Knowledgeable with information security and assurance principles and associated supporting technologies
  • Flexibility to adapt to contingencies resulting from changes to the schedule or assessment requirements
  • Excellent customer service and organization skills
  • Excellent oral and written communication skills
  • Experience in presenting control requirements and deficiencies to both technical and non-technical audiences

Education and Certifications

  • One or more of the following certifications preferred:
      o Offensive Security Certified Professional (OSCP)
      o GIAC Security Leadership (GSLC)
      o GIAC Penetration Tester (GPEN)
      o GIAC Web Application Penetration Tester (GWAPT)
      o Certified Information Systems Security Professional (CISSP)
      o Certified Ethical Hacker (CEH)
      o Other penetration testing certifications

Schedule

  • Monday to Friday


Salary Range

$115,000 - $140,000


The position includes competitive compensation and a full suite of benefits:

  • Medical, Dental, and Vision insurance
  • Retirement savings 401(k) plan provided by an industry-leading provider, with 3% employer matching contributions
  • Paid Time Off
  • Life Insurance, Short- and Long-Term Disability benefits
  • Training Benefits

About Us

OCT Consulting is a certified SBA 8(a), minority owned, small, disadvantaged business providing professional services and information technology solutions to the federal government and commercial clients. Founded in 2013, we bring the advantage of agility in operations along with a management team with a track record of leading successful engagements at major federal government agencies.

OCT is committed to a diverse and inclusive workplace. OCT is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status.

Job Types: Full-time, Contract

Tags: Application security Burp Suite CEH CISSP Code analysis Compliance Encryption Exploit FedRAMP FISMA GIAC GPEN GSLC GWAPT Metasploit Monitoring Nessus Network security NIST Nmap Offensive security OSCP OWASP Pentesting Risk analysis Risk assessment Risk management SAP Security assessment Splunk Strategy System Security Plan Tripwire Vulnerabilities

Perks/benefits: 401(k) matching Career development Competitive pay Health care Insurance

Region: North America
Country: United States
Category: PenTesting Jobs
