
Security Control Assessor Cyber IT Mostly Remote
Location:
US-TN-Oak Ridge

Global Engineering and Technology (GET) is seeking qualified applicants for the position of Security Control Assessor (SCA) in support of the United States Department of Energy's cybersecurity program. This is a highly compensated, high-responsibility technical guidance position that is central to our mission's success.

Most work will be performed remotely, from the employee's place of residence. Pre-planned travel to Oak Ridge, Tennessee, for on-site interaction, support, and inspections will be required as needed.


The SCA conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).


THE SCA SHALL:

  • Manage and approve Accreditation Packages
  • Perform security reviews, identify gaps in security architecture, and develop a security risk management plan
  • Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change
  • Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks
  • Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials)
  • Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network
  • Verify and update security documentation reflecting the application/system security design features
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations
  • Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers)
  • Participate in the Risk Governance process to provide security risks, mitigations, and input on other technical risks
  • Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
  • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals
  • Assess the effectiveness of security controls

Requirements

Security Clearance:

This position requires a current DOE Q or DoD Top Secret security clearance.


Required knowledge (as demonstrated by technical expertise and certification):

  • Computer networking concepts and protocols, and network security methodologies
  • Risk management processes (e.g., methods for assessing and mitigating risk)
  • Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
  • Cybersecurity and privacy principles
  • Cyber threats and vulnerabilities
  • Authentication, authorization, and access control methods
  • Database systems
  • Security Assessment and Authorization process
  • Risk Management Framework (RMF) requirements
  • Information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption)
  • Supply Chain Risk Management Practices (NIST SP 800-161)
  • Personally Identifiable Information (PII) data security standards
  • Application Security Risks

Required skills (as demonstrated by technical expertise and certification):

  • Determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
  • Discerning the protection needs (i.e., security controls) of information systems and networks
  • Using virtual machines
  • Recognizing and categorizing types of vulnerabilities and associated attacks
  • Applying security controls
  • Managing test assets, test resources, and test personnel to ensure effective completion of test events
  • Preparing Test & Evaluation reports
  • Conducting reviews of systems
  • Assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework)
  • Identifying systemic security issues based on the analysis of vulnerability and configuration data
  • Conducting vulnerability scans and recognizing vulnerabilities in security systems
  • Analyzing test data
  • Collecting, verifying, and validating test data
  • Translating data and test results into evaluative conclusions
  • Ensuring security practices are followed throughout the acquisition process
  • Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts, both internal and external to the organization, to leverage analytical and technical expertise
  • Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives

Benefits

We provide exceptional benefits to our full-time employees (spouse/family coverage option also available at a company-subsidized rate).

Benefits include:

  • Medical plan options with United Health Care
  • Dental
  • AD&D
  • Life
  • Long-/Short-term Disability with MetLife
  • 401(k) match with Principal Financial

All benefits are effective on day one of employment.

Global Engineering & Technology, Inc. (GET)
