SkyePoint Decisions, Inc. · 2 months ago
Lead Security Control Assessor
SkyePoint Decisions, Inc. is a leading IT service provider specializing in Cybersecurity Architecture and Engineering. They are seeking a highly motivated Lead Security Control Assessor to support the Department of Education’s Cybersecurity and Privacy Support Services, focusing on establishing security requirements, conducting assessments, and providing recommendations to enhance security measures.
Tags: Analytics, Apps, Artificial Intelligence (AI), Cyber Security, Information Technology, IT Infrastructure, Machine Learning, Security
Responsibilities
Establish and satisfy information assurance and security requirements based upon the analysis of user, policy, regulatory, and resource demands
Conduct a comprehensive assessment of implemented controls and control enhancements to determine the effectiveness of the controls, i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization
Schedule and lead System Assessments out-briefs with different stakeholders and provide SAP, SAR, security recommendations and system certifications
Prepare security, privacy, and supply chain assessment reports containing the results and findings from the assessment
Provide an assessment of the severity of the deficiencies discovered in the system, environment of operation, and common controls and recommend corrective actions to address the identified vulnerabilities
Complete and execute a Security Controls Test (SCT) plan that outlines all assessment activities, including but not limited to: the required vulnerability scanning activities; penetration testing consistent with DHS RVA standards, guidelines, and templates; coordination of requirements; the scope of the controls and special interest items to be assessed; the final analysis report and briefing to the CISO; support for the Authorizing Official (AO) briefing; a summary of the findings; the detailed findings; and the POA&M injection template
Create or update a 3-year OSA test plan for each system that includes the most recent versions of the NIST SP 800-53 control tests and any additional tests the Department requires to be included for OSA. A subset of the controls will be tested or assessed each quarter so that all controls are tested or assessed at least once during a three-year period
Complete and maintain an OSA master project schedule by using NIST assessment methods and approved OSA procedures
Create or update program management documentation that includes rules of engagement, schedules, annual document reviews, and the process for POA&M and accepted risk reviews
Ensure that appropriate vulnerability and penetration tests are scheduled, conducted, analyzed, and presented to the system owner and information systems security officer (ISSO)
Meet with the system ISSO(s) [as needed], systems contractors, and the POA&M Team to develop mitigation strategies and identify acceptable evidence criteria to close deficiencies. For all security deficiencies found during a test cycle, populate an FSA vulnerability tracking tool injection template per system, ensuring appropriate content is included in all required fields
Review and provide advice based on analysis for Third Party Website and Applications (TPWA)
Review and analyze all system artifacts for accuracy and completeness in support of authorization to operate (ATO) requests
Create and submit to the CISO a monthly OSA report that itemizes and describes the OSA scheduled assessment activities (controls, scans, etc.); Production Readiness Reviews (PRRs), scorecards, audits, CM, and other tests completed during the past month; and any residual risks added
Provide a risk rating based on the risk profiles of all systems in the OSA program, identify trends, and provide recommendations for improving security across the enterprise. This report shall provide sufficient granularity
Qualifications
Required
Must be able to obtain a DoED Level 6 High Risk/Public Trust Security Clearance
Bachelor's degree or equivalent and at least ten (10) years related experience
At least five (5) years of experience as a Security Controls Assessor or similar audit findings response role
Excellent communications and interpersonal skills
Solid understanding of DoED Information Assurance policy
Experience with security audits and compliance
Experience with IT Review Board change requests
Ensure compliance with DoED Standards and procedures
Good familiarity with and understanding of all relevant government and agency policies and procedures to ensure system documentation is in compliance with relevant guidelines, e.g., FedRAMP, RMF, FISMA, FIPS-II, NIST, etc.
Certified in Risk and Information Systems Control (CRISC), Certified Authorization Professional (CAP), or equivalent certification required
Preferred
Active Top Secret security clearance
10+ years' experience
Benefits
Several insurance options including HMO and High Deductible plans with Health Savings Accounts [HSAs]
Flex Spending Accounts [FSAs]
Full Dental Plans
ST/LT Disability
Life Insurance
Floating federal holiday options
401k matched
Certificate Incentive Program
PTO
Vision
Company
SkyePoint Decisions, Inc.
SkyePoint Decisions is a leading Cybersecurity Architecture and Engineering, Critical Infrastructure and Operations, and Applications Development and Maintenance IT service provider headquartered in Dulles, Virginia.
Funding
Current Stage: Growth Stage