Information Security Compliance Analyst IV
November 18, 2022
Job ID: req2742
Employee Type: exempt full-time
Division: Applied & Development Research Program
Facility: Frederick: Ft Detrick
Location: PO Box B, Frederick, MD 21702 USA
The Frederick National Laboratory is a Federally Funded Research and Development Center (FFRDC) sponsored by the National Cancer Institute (NCI) and operated by Leidos Biomedical Research, Inc. The lab addresses some of the most urgent and intractable problems in the biomedical sciences in cancer and AIDS, drug development and first-in-human clinical trials, applications of nanotechnology in medicine, and rapid response to emerging threats of infectious diseases.
Accountability, Compassion, Collaboration, Dedication, Integrity and Versatility; it's the FNL way.
PROGRAM DESCRIPTION
The Clinical Services Program's (CSP) primary mission is to perform sequential studies of immune function in patients with cancer, AIDS, chronic granulomatous disease, or other diseases associated with immunologic dysfunction. The CSP Information Technology Data Management Group (DMG) provides direct IT support services to the mission of the CSP.
KEY ROLES/RESPONSIBILITIES
Responsible for performing, coordinating, and tracking all Federal Information Security Management Act (FISMA) compliance-related tasks required to obtain and maintain a Federal information system's Authority to Operate (ATO) for all CSP custom production computer systems running on Federal networks.
- Maintain an inventory of CSP IT software and hardware for FISMA compliance
- Map NIST security controls (the NIST SP 800-53 series) to CSP IT systems under FISMA requirements.
- Support, implement, maintain, and monitor security and privacy controls in compliance with FISMA, HIPAA, FedRAMP, NIST Risk Management Framework (RMF), and NIH requirements and guidance.
- Interface with NIH, NIAID, and NCI security specialists and security auditors to gather additional security information as needed.
- Complete and maintain system security authorization documents for CSP IT systems, which include but are not limited to: FIPS 199 categorizations, system security plans, information security risk assessments, privacy impact assessments (PIA), business impact analyses (BIA), information system contingency plans, incident response plans, configuration management plans, and other security-related documents.
- Support continuous monitoring and perform annual assessments for all CSP IT production systems in accordance with defined security controls and modify documentation to reflect current activities.
- Validate that CSP information security policies, principles, standards, and guidelines are implemented appropriately and consistently.
- Manage resolution of plans of action & milestones (POA&M) for CSP IT System weaknesses identified in security tests and/or audits.
- Work with CSP software developers/analysts to support implementation of secure coding practices, explain application-related security findings and how to reproduce them, and make sure information security risks are managed throughout all the phases of the Software Development Life Cycle (SDLC).
- Coordinate with system administrators and application/database support to research and resolve security concerns and revise documentation.
- Provide non-technical information security support and guidance including policy compliance, documentation requirements compliance, planning and recommendations for system continuity of operations, system standard operating procedures.
- Provide technical solutions to automate processes or functions to improve systems security.
- Review and audit administrative documentation for new and existing CSP IT software applications.
- Work closely with the CSP IT manager and software developers to ensure documentation is accurate and effective.
- Assist in the development of Change Requests to be submitted to Change Advisory Board (CAB) and participate in CAB reviews.
- Perform or support penetration testing as required for new or updated CSP IT applications.
- Participate in all phases of the software development lifecycle creating security documentation for new applications.
- Provide technical information security support and guidance in the areas of system architecture, system configuration, system assessment testing & validation and/or certification, product evaluations and recommendations, and support other technical areas as needed including MS Windows, LINUX, and Network Architecture.
- Development and review of standard operating procedures to support information security processes within CSP.
- Perform other duties as assigned
BASIC QUALIFICATIONS
To be considered for this position, you must minimally meet the knowledge, skills, and abilities listed below:
- Possession of a Bachelor's degree from an accredited college or university (CHEA). (Additional qualifying experience may be substituted for the required education). Foreign degrees must be evaluated for U.S. equivalency.
- Bachelor's degree in computer science, information systems, cybersecurity or a related IT security technical discipline, or the equivalent combination of education, professional training, or work experience.
- Minimum of 8-10 years' experience in cybersecurity and experience providing FISMA compliance support that is directly related to duties of this position.
- Knowledge of NIST SP 800-53, 800-37, risk management framework, POA&Ms, waivers, and continuous monitoring activities.
- Knowledge of risk assessment, security authorization, security assessment, ongoing authorization, and all processes related to receipt of an ATO.
- Experience with using the NIH Security Authorization Tool (NSAT).
- Experience with going through the process of a Federal IT security audit.
- Hands-on experience with implementing, documenting, maintaining, and monitoring NIST, HIPAA, and FedRAMP control requirements.
- Demonstrated technical writing experience in delivery of system security plans, plan of action and milestones, contingency plans, and similar technical and security documents.
- Knowledge of networking protocols and architecture.
- Knowledge of risk management methodologies.
- Knowledge of the security lifecycle.
- Knowledge of the systems development lifecycle (SDLC).
- Excellent oral and communication skills, including the ability to interact with management, auditors, system owners, technical and scientific staff.
- Experience writing policies and procedures.
- Understanding of, and ability to communicate, security and risk implications to technical and non-technical audiences.
- Must be detail-oriented.
- Strong organizational, problem-solving, analytical, and technical troubleshooting skills are essential.
- Must be a proactive self-starter who demonstrates the willingness and ability to take ownership, be accountable, and deliver results.
- Ability to manage multiple projects in a fast-paced environment.
- Demonstrated ability to work on a team and to work independently without supervision.
- Ability to obtain and maintain a security clearance.
PREFERRED QUALIFICATIONS
Candidates with these desired skills will be given preferential consideration:
- Master's degree in computer science, information systems or related field
- Certification with the International Information System Security Certification Consortium (ISC)²
- Experience with Tenable Nessus and/or Security Center
- Working knowledge of SQL Server database administration a plus
- Working knowledge of .NET software development a plus
Equal Opportunity Employer (EOE) | Minority/Female/Disabled/Veteran (M/F/D/V) | Drug Free Workplace (DFW)
#readytowork