Information Security Engineer Resume
Rockville, MD
PROFESSIONAL SUMMARY:
- In-depth experience conducting vulnerability and risk assessments in support of System Assessment and Authorization (SA&A) efforts in accordance with FISMA, FIPS, NIST, COBIT, ISO, SOX, FedRAMP and OMB standards/guidelines.
- Expert knowledge of utilizing a wide array of vulnerability assessment tools to ensure that the appropriate host and network security measures are in position and meet current intelligence community and private industry standards.
- Demonstrated skill identifying vulnerabilities and providing technical advice to senior government officials and IT stakeholders regarding various aspects of complex IT issues, network exploitation, cyber intelligence, and recommended countermeasures.
TECHNICAL SKILLS:
- CSAM
- Symantec
- Splunk
- Nmap
- Retina
- SolarWinds
- Trusted Agent FISMA (TAF)
- Tenable Security Center
- Fortify
- Ivanti
- McAfee tools (ESM, AntiVirus, ePO, etc.)
- RSA Archer
- WebInspect
- AppScan
- BurpSuite
PROFESSIONAL EXPERIENCE:
Confidential, Rockville, MD
Information Security Engineer
- Conduct Information Security Risk Assessment
- Assist in completing System Security Plan (SSP) for Confidential FedRAMP application
- Work in conjunction with Amazon Web Services (AWS) to complete FedRAMP security control requirements
Confidential, Washington DC
IT Security Analyst
- Initiate three (3) applications for Security Assessment and Authorization (SA&A) in RSA Archer
- Assist Federal Information Systems Security Officer (ISSO) in producing core security documents (i.e. FIPS 199 Security Categorization, PTA, PIA)
- Work with Federal ISSO to establish baseline controls under NIST and FedRAMP standards
Confidential, Greenbelt, MD
IT Security Analyst
- Conduct Security Control Assessments (SCAs) under NIST 800-53 Revision 4
- Produce SOPs for Account Management, Contingency Plans, etc.
- Track Security Training (Role Based)
- Conduct Continuous Diagnostics and Mitigation (CDM) activities as required
- Managed and facilitated the daily User Acceptance Testing (UAT) meetings, including maintaining and distributing agendas, documenting project status and resolving outstanding issues.
- Executed test case scenarios, including functional and regression testing, documentation of test case results, resolution of outstanding software defects and completion of project status reports and related project tracking tasks.
- Note: Contract/Management Turnover
Confidential, Suitland, MD
Information Security Analyst
- Conducted Security Impact Assessments (SIAs) in support of the approval of Change Control Requests (CCRs)
- Conducted and authored transition of the System Security Plan (SSP) from NIST 800 Revision 3 to Revision 4
- Reviewed and updated SSP supporting documents as necessary (i.e., Configuration Management Plan, Incident Response, Account Management Plan, FIPS 200)
- Collaborated with software engineering staff and developers to define, schedule and track implementation of security requirements.
- Supported clients and responded to processing, maintenance and enhancement questions and issues.
- Note: Contract uncertainty
Confidential, Washington, D.C.
Information Security Analyst
- Conduct Self Security Assessments (SSAs) under NIST 800 Rev. 3 standards
- Conduct Security Assessments for numerous Minor Applications under NIST 800 Rev. 3 standards in CSAM (Fed Gov’t Tool)
- Conduct multiple risk assessments for applications with outstanding POA&Ms
- Produce Risk Acceptance/Exemption Forms as needed
- Contribute to an IT Governance/Compliance Team through assessments, presentations, and other collaborative efforts
- Collaborate with Security Information and Event Management (SIEM) Team personnel to improve the overall security posture of the Business Unit (BU)
- Note: 3 month contract
Confidential, Washington, D.C.
Information Security Support
- Contributed to the initial Systems Assessment and Authorization (SA&A) of a new operational unit within the Department of Treasury
- Authored documents to include the System Security Plan (SSP), Continuous Monitoring Plan, and Contingency Plan
- Contributed to the OU's Plan of Action & Milestones (POA&M) Standard Operating Procedure (this effort included the development of logs, dashboards, and SharePoint sites)
- Documented functional, technical and process requirements, working with internal staff and/or clients as required.
- Initiated Cloud Computing and Baseline configuration efforts
- Led 508 compliance and remediation efforts for the operational unit's web application, websites, documents, and various other files to meet federal standards
- Note: 6 month Contract
Confidential, Tysons Corner, VA
Security Support Specialist
- Provide insight and guidance to client regarding threat levels, risk acceptance, and recommended mitigation strategies
- Produced Standard Operating Procedures (SOPs) for Weekly POAM Reports, Executive Reports, and in-house applications as required
- Produced Incident Response notices and Security Incident Reports for the Federal Student Aid program as required
- Note: Stop Work Order (SWO) Issued
Confidential, Silver Spring, MD
C&A Support Specialist
- Support POA&M processes and procedures in accordance with National Weather Service (NWS) standards and produce weekly POA&M reports
- Conduct annual assessments in accordance with NIST 800-53A guidance for NWS systems as assigned in support of the Security Assessment and Authorization (SA&A) process
- Prepared project plans for the completion of Information Technology projects from analysis through implementation of security controls throughout the SDLC
- Created test plans and performed systems testing (i.e. Security Control Assessment Plans)
- Review system accreditation packages for vital documentation (i.e. System Security Plan, Contingency Plan, Security Control Assessment, etc.)
- Serve as productive and proficient member of NWS OCIO FISMA Compliance Team
- Note: No Contract Renewal
Confidential, Rockville, MD
Security Support Specialist
- Support 3 FDA centers for production of security documentation to include SSPs, Contingency Plans, Risk Assessments, etc.
- Performing analytics on relational datasets to identify root causes, patterns, trends and recommend solutions.
- Conduct annual assessments and POAM reviews
- Provide customer service support to users as well as the Government appointed Information System Security Officers (ISSOs)
- Produced all documentation under NIST 800 series standards with FedRAMP consideration for future operations
- Used Nessus Tenable Security Center to manage remediation of POAMs
- Facilitated regular training sessions to ISSOs, Project Managers, System Owners, etc. regarding the NIST Risk Management Framework (RMF) and its relevance within the Systems Development Lifecycle (SDLC)
- Note: Resigned due to medical reasons
Confidential, Washington D.C.
Security Analyst
- Served as Information System Security Officer (ISSO) Representative for three (3) software applications
- Conducted Annual Assessments for three (3) applications. This effort included tasks such as:
  - Updated and reviewed System Security Plans (SSPs)
  - Conducted Risk Assessments
  - Updated Contingency Plans or Disaster Recovery Plans
  - Conducted Privacy Threshold Analyses (PTAs) and corresponding Privacy Impact Assessments (PIAs) as required to ensure that all web-facing components of the agency met all security requirements and included all required security safeguards for Personally Identifiable Information
- Assembling data analytical input, including charts, tables, graphs and other analysis for executive level presentations and client reporting.
- Collaborating with other service support units to determine solutions and implement appropriate corrective actions to execute quality control strategies.
- Worked with System Owners, User Representatives, Software developers, Database Administrators, etc. to collect necessary artifacts for compliance with NIST 800-53 Revision 3
- All documentation posted to Cyber Security Assessment Management (CSAM) database
Confidential, Washington D.C.
Information Security Analyst
- Interacted with customers on daily basis to ensure that POAMs were managed efficiently from initiation through closure
- Member of team managing POAMs for over 160 applications
- Handled a rigorous timeline and schedule in most cases
- COBIT Case Study for Dept. of Transportation
- Conducted Authorization and Annual Reviews in support of the C&A process. This included the review of security documentation, including:
  - System Security Plans (SSPs)
  - Contingency Plans (CPs)
  - System Characterization Documents (SCDs)
  - Privacy Impact Assessments (PIAs)
  - Risk Assessment Reports (RARs)
  - Security Assessment Reports (SARs)
Confidential, Washington D.C.
Info Security Specialist
- Provide oversight for Continuous Monitoring Program within the Risk Management Framework (RMF) in accordance with NIST 800-37
- Conduct Quality Assurance on POAM closures to verify that all Weakness Completion Plan (WCP) forms are complete and satisfy the requirement
  - This includes validating all required artifacts to ensure that documentation has been provided to meet the necessary security controls
- Produce various reports to meet client requirements
  - Quarterly Security Reports (QSR)
  - Weekly Activity Reports (WAR)
Confidential, Bethesda, MD
Info Security Specialist
- Review of standard business security documents such as System Security Plans (SSPs), Security Test and Evaluation (ST&E), Privacy Impact Assessments (PIAs), etc.
- Worked in conjunction with the CIT ISSO Team to provide C&A support for the various Research Center General Support Systems (GSS) within NIH
- Produced and reviewed documentation for C&A packages as required through the use of the NIH Certification & Accreditation Tool (NCAT)
- Validation of in-compliance vulnerability assessment scans and results
- Worked with Research Centers to remediate and map out mitigation activities as necessary to closeout POA&Ms
- Production of various Accreditation packages for enterprise wide systems
- Established system baselines for multiple research applications within NIH (hardware, software, firmware, etc.)
- Note: 3 month contract
Confidential, Silver Spring, MD
Info Security Specialist
- Updated the Business Impact Analysis (BIA) for National Weather Service (NWS) systems to reflect enhanced information security business practices
- Reviewed System Security Plans (SSPs) and numerous other security-related documents in support of NWS systems (in accordance with NIST 800-18, Developing Systems Security Plans for Federal Information Systems)
- Collaborated with multiple levels of staff to revise many security artifacts to include Configuration Management Plans, Disaster Recovery Plans, Interconnection Service Agreements (ISAs), etc.
- Led security operations to obtain an Interim Authority to Operate (IATO) extension, so that all remaining Plans of Action and Milestones (POAMs) could be appropriately addressed
- Leveraged the accountability principles of the Cyber Security and Assessment Management (CSAM) tool to track and manage high visibility POAMs
- Provided oversight for the mitigation of these items in accordance with Continuous Monitoring requirements within the Risk Management Framework (RMF) - NIST 800-37
- Participated in Configuration Management Board (CMB) meeting in support of security related change requests
- Approved changes to the NWS infrastructure (i.e. software, hardware, inter-connections, file shares, etc.)
- Served as the Information System Security Officer (ISSO) for NWS
  - Tasks included validation of compliance with NIST 800 standards/guidelines
  - Conducted bi-weekly audit log reviews
- Collaborated with the NWS Project Management Team to introduce new security policy and guidance for the NWS Engineering/Technical Staff
Confidential, Washington D.C.
Independent Security Consultant
- Evaluated numerous COTS vulnerability and risk assessment products to meet business requirements for customers seeking to enhance network security
- Reviewed information security documents for small business owner to conform to industry best practices (NIST 800 Compliance)
- Conducted security assessments for commercial customers at a host-based level on Microsoft platforms
Confidential, Washington, D.C.
Operations & Maintenance Team Manager
- Managed 8 highly skilled IT professionals (Northrop Grumman Contractors) who served as System Administrators, Quality Assurance Team members, programmers, Testers, Configuration Management Team, etc.
- Ensured that information security requirements were addressed in the planning phase of the Software Development Life Cycle (SDLC).
  - Following guidelines of NIST 800-64, Security Considerations for the SDLC
- Led all information security efforts contributing to the Certification of numerous applications within the Trusted Wisdom PMO.
IT Specialist/Security Engineer
- Served as the Subject Matter Expert (SME) for Information Security for my office; providing on-the-job (OJT) information security training to new employees.
- Worked in conjunction with multiple project managers for both Business applications and Intelligence Mission applications (IMAs) to ensure that all new applications were developed in accordance with the Director of Central Intelligence Directive 6/3 (DCID 6/3) and DoDIIS standards.
- Provided Information Systems Security Officer (ISSO) support for numerous mission critical applications that are used worldwide.
- Served as an Information Security Liaison for the office to the Confidential Information Systems Security Manager (ISSM) to guarantee that all applications receive accreditation in a timely manner.
- Utilized Nessus, eRetina, and various other tools to conduct vulnerability assessments of COTS products