Cybersecurity - Risk Management Framework (RMF) SMEs jobs in United States

Project Manager USA, Inc.(DBA PM America) · 4 hours ago

Cybersecurity - Risk Management Framework (RMF) SMEs

Project Manager USA, Inc. is seeking Cybersecurity - Risk Management Framework (RMF) Subject Matter Experts (SMEs) to provide support in various cybersecurity functions. The role involves assessing and authorizing cybersecurity packages, conducting risk assessments, and ensuring compliance with security standards.

Categories: Information Technology · Project Management · Training

Growth Opportunities
Conditions: No H1B · Security Clearance Required · U.S. Citizen Only

Responsibilities

Provide support for development and validation of A&A and AO packages and artifacts
Implement security postures regarding cybersecurity life cycle management
Collect and collate system and site information and use it to evaluate and document in Enterprise Mission Assurance Support Service (eMASS) the security posture of the system or site being Assessed, Authorized, and maintained
Develop, submit, and maintain the RMF package documentation, which includes:
    AO Determination Request Package and Checklist
    System Platform IT (PIT) Determination
    Categorization Form
    HW/SW lists
    Authorization Boundary Diagrams
    Defense in Depth Diagrams
    PPSM list
    Privacy Impact Assessment (PIA)
    E-Authentication Questionnaire
    System Level Continuous Monitoring Strategy (SLCM)
    Security Plan (SP)
    RMF Step SOP checklists
    Plan of Actions and Milestones (POA&M)
    Security Assessment Plan (SAP)
    Security Technical Implementation Guide (STIG)
    Alternate Forms of Compliance
    Security Assessment Report (SAR)
    Risk Assessment Report (RAR)
    Security Authorization Package
    Package Endorsement Letters
Create all documents in the appropriate software (e.g., Microsoft Visio, scanning software, eMASS, DISA STIG Viewer, eMASSTER, etc.)
Develop or revise existing policies, plans, and strategy documents to meet requirements for RMF Control Families and ensure all IA requirements, such as the following, are addressed:
    Incident Response plan
    Contingency plan
    Information Assurance Vulnerability Management plan
    Configuration Management plan
    System Development plan
    Physical Security plan
Conduct risk and vulnerability assessments of planned and installed systems to identify vulnerabilities, risks and protection needs
Conduct systems security evaluation, audits, and reviews; determine the residual risk of a package based on package content and assessment results
Execute SAPs by conducting on-site testing and remediation for the systems:
    Executing STIGs, SRGs, and ACAS scanning, and applying patches to assets to obtain cybersecurity compliance and remediate vulnerabilities
Develop and maintain in eMASS a POA&M for all IA-related tasks and deliverables. The POA&M should include findings from required STIGs, vulnerability test results, automated scan reviews, Assured Compliance Assessment Solution (ACAS) scans, Security Content Automation Protocol (SCAP), Evaluate-STIG, and other DoD-mandated assessment utilities
Perform analysis of logs, events, and reporting of data collection tools, including: vulnerability monitoring via ACAS and related tools, Host Based Security Systems (HBSS), web content filters, Security Information and Event Management (SIEM), firewall systems, network devices, server devices, workstations, and intrusion detection and prevention systems (IDS/IPS)
Obtain and maintain ATO or De-Authorization to Operate (DATO) through validated test results, security controls assessor review, and authorization official endorsement as part of the continuous monitoring process
Support the continuous monitoring activities:
    Perform risk management and security engineering for Research, Development, Testing, and Evaluation (RDT&E)
    Provide Information Assurance Vulnerability Management (IAVM) support, remediation, patching, scanning and associated boundary maintenance
    Develop and update, at the frequency specified in each package, all required eMASS documents, to include POA&Ms / RARs and STIGs
Determine a system’s compliance with all applicable Controls and Assessment Procedures (APs) for an assigned DoN system, including developing the appropriate test procedures; executing the test procedures; and accurately documenting the results of security testing
Maintain current vulnerability scan data and residual risk plan of actions and milestones in Vulnerability Remediation Asset Manager (VRAM)
Track deliverables and action items in accordance with A&A guidance
Ensure RMF artifacts are in compliance with published DoD / Navy Business Rules, NIST SP-800-37 and SP-800-53 Rev 4
Create and verify the accuracy of POA&Ms/RARs as identified by actual vulnerability test results
Conduct validation activities in accordance with the Navy SCA office
Register and be listed on the official list of Navy Qualified Validators; perform and support activities of Validators of Navy RMF packages
Ensure separation of duties between the System ISSM/ISSE and NQV
Prepare the SAP with input from the system’s ISSE and ISSM. The SAP is to be submitted and approved by the SCA
Perform as an independent third party who assesses and validates that the system has [or has not] implemented the approved security control baseline. On-site validation may be required for conducting required testing. The Validator acts as a trusted agent to the Security Control Assessor (SCA) and SCA Liaison
Utilize the SAR to document the residual risk of the non-compliant security controls remaining after the risk assessment work is complete
Document the residual risk in the RAR
Develop the SAR Executive Summary and Functional Security Controls Assessor (FSCA) Appendix and brief to the required PM/ISSM
Apply system configuration changes and software application updates (patches) as required by automated security assessment tools
Develop and execute plans and procedures to secure the system against cybersecurity threats to the greatest extent possible while providing continuous capability to conduct mission requirements
Develop and enhance Operating Procedures, Process Guides, User Agreements, and system-level RMF Control Family Plans and Procedures specific to operating system configuration settings and capabilities
Identify, present, and implement improvements to operating system configuration settings to maintain a secure operating system
Support the following operating systems: Windows 11, Windows 10, Windows 7, Windows XP, Windows 2000, Windows CE 6.0, and Red Hat Enterprise Linux
Write technical documents: user manuals, reports, documentation, policies, presentations, POA&Ms, risk assessments, proposals, outlines, and summaries in support of the systems across multiple platforms
Develop the technical documents across multiple platforms including configuration management, milestone, issue tracking, web site content management
Develop system architecture diagrams, software design requirements, network connection / authorization boundary diagrams, RMF plans/policies, integrity analysis of integrated products, life-cycle management analysis, and vulnerability assessment

Qualification

Risk Management Framework (RMF) · Information Assurance Compliance · Cybersecurity · eMASS · ACAS · Windows Operating System Administration · PowerShell · Incident Response · Technical Writing · Team Management · Communication Skills · Problem Solving · Attention to Detail · Collaboration

Required

Bachelor's Degree / Relevant Degree in Electrical, Electronic or Computer Engineering, Computer Science, or Information Systems; Information Systems Management
IAM 2 certifications; IAT 2 certifications; evidence of current Navy Qualified Validator (NQV) Level III certification
5 - 7 years of experience as an Information Assurance / RMF Specialist in a Cybersecurity, Engineering, Test and Evaluation (T&E), or Authorization and Assessment (A&A) (formerly C&A) related field
5 - 7 years of experience in Information Assurance Compliance and Information Assurance tools such as the Defense Information Systems Agency (DISA) Enterprise Mission Assurance Support Service (eMASS) and Assured Compliance Assessment Solution (ACAS)
5 - 7 years of experience in the management of Information Assurance Technical (IAT) staff, certification agents, and system engineers on the compliance requirements to achieve certification and accreditation IAW the DoD RMF program and the Department of the Navy (DON) Chief Information Officer (CIO) IA Policy for Platform Information Technology (PIT) Systems
For the System Administrator: Microsoft Windows Operating System Administration, including Windows 11, Windows 10, Windows 7, and Windows XP (at a minimum)
Command line interface and PowerShell, including performing automated tasking through the use of code
A United States Government issued “SECRET” security clearance

Preferred

Professional experience in support of the Department of Navy (DON) or Department of Defense (DoD)
Systems administration experience with help desk related support, for example troubleshooting stand-alone laptops
For the Project Manager: Seven (7) years of relevant experience in a supervisory/management capacity with responsibility for management of subordinates and personnel issues and direction, in addition to relevant experience with responsibility for financial management, tracking and fiscal oversight of program funding; five (5) years' concurrent experience in program management; US Navy program experience
Working knowledge of US Navy organizations, including their infrastructure, responsibilities, programs and initiatives

Company

Project Manager USA, Inc.(DBA PM America)

We (Project Manager USA, Inc DBA PM America) are a small, minority-owned, SBA 8(a) Certified (certification date: 08/23/2024 & exit date: 08/22/2033) & HUBZone Certified Business.

Funding

Current Stage: Early Stage (company data provided by Crunchbase)