
Senior FISMA Control Assessment Analyst

Quadrant, Inc.
United States, D.C., Washington
Dec 20, 2025

Senior FISMA Control Assessment Analyst

Washington, DC

Pay From: $65.00 per hour

MUST:

Experienced FISMA Control Analyst

5+ years of experience performing the functions of a Sr. Control Assessment Analyst

Experience performing control assessments as part of a team in accordance with applicable NIST standards (NIST 800-53, Rev 5, or newer version, as applicable).

Experience preparing control assessment plans, executing technical and non-technical assessment actions, evaluating the risk associated with areas of deficiency, and documenting detailed findings and executive-level summaries of assessment results.

Experience briefing stakeholders on key findings, recommendations, risks, and impacts.

Experience providing direct support of information security compliance activities, including managing plans of actions and milestones (POA&Ms) and inventories of information systems.

Demonstrated knowledge and experience managing FISMA work with a cyber risk and compliance automation platform (e.g., Xacta360)

Experience supporting Authorizations to Operate (ATO) per FISMA guidelines

Familiarity with AWS, Azure, Terraform systems and control requirements

Certified Information Systems Security Professional (CISSP)

Certified Analytics Professional (CAP) Preferred

DUTIES:

Sr. Control Assessment Analyst to perform as the FISMA control analyst supporting Cloud Architecture and Administration.

Must be able to demonstrate working knowledge of M365 products, Xacta360, NIST 800-53, AWS, Azure, and Terraform.

The Board's Assessment and Authorization (A&A) program operates in alignment with the NIST Risk Management Framework (RMF) as outlined in the current release of NIST SP 800-37.

The objective of the Control Assessment task is to provide security subject matter expertise to develop A&A methodologies, maintain accurate assessment schedules, and conduct control assessment activities for newly developed or acquired information systems, as well as for systems and common controls in ongoing authorization.

Develop a methodology for conducting control assessments for software-as-a-service (SaaS) solutions operated by a vendor on behalf of the Board that have not received FedRAMP authorization, and for assessing external organizations and systems that process, store, or transmit Board information.

Align assessment methodologies with principles set forth in FISMA, OMB, and NIST standards and publications, and consider efficient and cost-effective means of assessment that allow Board senior leaders and stakeholders to make risk-based authorization decisions.

Develop and maintain a Master Assessment Schedule that tracks new information systems that require full control assessments and existing information systems and common controls under ongoing authorization that are in the continuous monitoring phase of the RMF.

Develop the Master Assessment Schedule such that it adjusts estimated completion dates in real time to account for unplanned assessments, changes in prioritization, delays, or changes in resource availability. Enable Board security staff to provide stakeholders with estimated completion dates for all scheduled A&As at any given time.

Review and update Control Overlays that define and justify the applicable security and privacy controls for information systems with common characteristics, such as internally developed web applications, FedRAMP-authorized SaaS solutions, etc.

Based on the receipt and review of artifacts provided by system owners or support staff, which may include, but are not limited to, FIPS-199 Categorization Memos, System Security and Privacy Plans (SSPP), Contingency Plans, etc., develop control assessment plans (CAPs) for each system, service, or common control provider to be assessed.

Ensure that control assessors maintain independence and avoid potential or perceived conflicts of interest with respect to the control assessments.

Work with system owners, support teams, developers, vendors, and other stakeholders as necessary to conduct control assessments for all security and privacy controls described in the CAP. Control assessments shall be conducted in accordance with NIST SP 800-53A (current version) or NIST SP 800-171A (current version) guidance, and will include assessments of technical, operational, and management controls.

Document the results of each control assessed, to include the outcome of the assessment and the artifacts or evidence evaluated to support the assessment result.

Include in each control assessment a review of control selections for each system or common control provider, validating control inheritance decisions, and control overlays. Ensure that applicable controls are not omitted from SSPPs or Customer Controls.

Support the finalization of the A&A package by providing a summary of the control assessment findings in a Control Assessment Report (CAR).

The CAR shall describe the risk associated with all findings resulting from the control assessment and recommendations for correcting any deficiencies.

The CAR shall include a statement from the control assessor summarizing the overall risk to the Board of operating the system or service as it relates to the authorization to operate decision.

Participate in issue resolution discussions and authorization briefings to describe control deficiencies and necessary remedial actions to stakeholders and authorization officials.

Develop a post-authorization assessment process for internally developed systems intended to validate the carryover of specific controls from development or test environments into production. Carry out the post-authorization review and include the results as an addendum to the CAR.

Complete Security Impact Analyses (SIAs) to determine the security impact associated with changes to Board information systems. Each SIA shall identify the risk associated with the change, identify any impacted security controls, and define applicable control assessment procedures to verify that impacted controls are still in place and operating as intended.

Assess a selected subset of the technical, management, and operational controls employed by the Board information systems and common control providers in accordance with the Board's continuous monitoring strategy.

Annually, develop a report to summarize the results of the control assessments of systems in ongoing authorization conducted throughout the fiscal year.

This annual report shall identify any systemic risks, lessons learned, or recommendations based on the results of control assessments and A&A activities.

Quadrant is an affirmative action/equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, status as a protected veteran, or status as an individual with a disability. Healthcare benefits are offered to all eligible employees according to compliance mandated by the Affordable Care Act.