OCIO Cyber Security Program Manager Resume
Silver Spring, MD
SUMMARY:
Over 21 years of experience, including more than 12 years in information security.
PROFESSIONAL EXPERIENCE:
Confidential, Silver Spring, MD
OCIO Cyber Security Program Manager
From January 2016 to Present: GS-2210-14, NOAA OCIO CSPM or ITSO (Information Technology Security Officer)
From May 2016 to December 2016 (temporary promotion to GS-15): NOAA Acting Director for Compliance and Oversight
From May 2016 to Present: Acting NOAA Compliance Manager
I am required to maintain security professional certifications and a security clearance at the Top Secret/SCI level in accordance with the Department of Commerce policy.
I was asked by senior management to assume the positions of NOAA Deputy Director for Oversight & Compliance and Compliance Manager, in addition to my primary role as NOAA OCIO Cyber Security Program Manager. In those capacities, I served as backup to the NOAA Cyber Security Director (CSD). I was the IT security liaison/focal point for the CSD staff and the six other Line Office ITSOs in support of the IT Security Program.
My primary responsibilities consist of directing and coordinating the security activities of eleven (11) Information System Security Officers as well as a team of over 12 contractors. I certify compliance with the Federal Information Security Modernization Act (FISMA) of 2014 for the FISMA systems within OCIO (Office of the Chief Information Officer) by providing leadership on remediation activities for the associated Plans of Action and Milestones (POA&Ms), analyzing audit findings and recommendations, and certifying that all Assessment and Authorization (A&A) milestones and actions are completed as required. I oversee the review and update of all security documentation, such as Information System Contingency Plans (ISCP), Disaster Recovery Plans (DRP), Incident Response Plans (IRP), System Security Plans (SSP), Risk Assessments (RA), and FIPS 199 and 200 categorizations, and make recommendations to the Authorizing Officials and/or CISO.
Within the first six (7) months in my position, I ensured all OCIO systems had effective and updated security documentation in place.
I contribute to the implementation of the NOAA-wide IT security policies, standards, best practices, and guidance that establish a framework for the IT Security program and assure compliance with applicable federal statutes, regulations, policies and guidance.
As the Task Manager for the NOAA-wide IT Security Awareness Training, I ensure NOAA has an active contract in place that allows all 22,000 IT resource users to be trained at 100% annually. Likewise, I coordinate with Staff and Line Offices to certify that NIST control AT-3 (Role-Based Security Training) is met annually.
Utilizing our FISMA tool, CSAM, I track compliance with the Department/NOAA IT Security Program requirements and provide updated inventories to the CIO, CSD Director, Authorizing Officials and System Owners.
I review the Tenable Security Center (Nessus) dashboard and arrange with my stakeholders to mitigate risks in accordance with Department policies and procedures. By actively following up with my customers, we have reduced the number of outstanding vulnerabilities, and progress continues toward resolving Critical and High vulnerabilities immediately upon discovery.
I review and monitor auditors' activities to make sure NOAA meets all requirements stipulated in our policies, standards and procedures. Similarly, I ensure NOAA provides the auditors all artifacts in a timely fashion.
I track and report POA&M progress using CSAM. I collaborate with my customers to patch all systems using the BigFix tool in accordance with policy to meet NIST control SI-2. Similarly, I review the Tenable Security Center (Nessus) dashboard to verify systems are being scanned per NIST control RA-5 and NOAA policy. My contribution has allowed NOAA OCIO systems to resolve all outstanding late POA&Ms and has given my stakeholders the opportunity to be more proactive by patching and scanning their systems per requirements.
As the Task Manager for the NOAA-wide anti-phishing initiative, I utilize the approved phishing tool (PhishMe) to schedule quarterly phishing exercises for the entire NOAA community. Since I started the program, the results have gone from a 58% pass rate at inception in FY16 Q3 to a 96% pass rate in FY17 Q3. This is a clear indication that the NOAA community is learning how to handle phishing emails.
I work in conjunction with our local CIRT (Computer Incident Response Team) and ensure all incidents are resolved appropriately.
I developed Performance Work Statements (PWS) for the Cyber Security Services contracts and FedRAMP service acquisitions. Similarly, I performed evaluations of proposals for Cyber Security Services contracts and have been the chairperson for some of these evaluations.
Confidential
Senior IT Security Specialist (Top Secret)
As a Senior IT Security Specialist and Compliance Team Lead, I managed the enterprise-wide Security Authorization & Accreditation (SA&A) program, POA&Ms program, the Risk Management program, the Information Security Continuous Monitoring (ISCM) program, and other FISMA related activities for enhanced organizational risk management decision-making capabilities.
I provided advice to the CISO on all cyber security-related matters and on implementation of the information security program. I participated in the development and implementation of the agency risk management framework, the A&A security assessment and authorization efforts, and continuous monitoring (ISCM), and submitted input to the Chief Information Officer's dashboards on a weekly basis.
I tracked the re-certification progress, identifying risks to resources, schedule, or budget, and provided periodic updates to the Chief Information Security Officer.
Having led a team of fourteen (14) contractors in the compliance office, I coordinated not only with the team but also with the Authorizing Officials, System Owners and ISSOs to ensure all systems were in compliance with FISMA using, for instance, NIST SP 800-37, NIST SP 800-53 and local policies, and that all security artifacts were updated and properly documented in CSAM.
I had extensive enterprise-level knowledge and subject matter expertise managing the creation, implementation, assessment, gap analysis and benchmarking of information security strategies, roadmaps, remediation plans, policies, standards, processes, procedures and best practices. I ensured all system representatives maintained an excellent risk management approach and compliance program as well as patch management.
I was the designated administrator for the agency security management tool - CSAM (Cyber Security Assessment and Management) application. I successfully led the migration of the agency systems from NIST SP 800-53 revision 3 to revision 4.
As a cloud SME (Subject Matter Expert), I reviewed and communicated relevant feedback on cloud-based solutions and other applications and systems under consideration for procurement.
Within the first 2 years of leading the compliance team, the agency security posture improved dramatically, with all systems meeting the ATO renewal requirements. I implemented a robust strategy to have all systems assessed yearly using the core controls and annual assessments to satisfy regulatory requirements such as FISMA and OMB mandates as well as SBA policies and procedures. I reduced the number of overdue POA&Ms by over 60% through open communication with stakeholders at all levels of the agency. Through my leadership, the agency was able to implement resilient Contingency Plan/Disaster Recovery testing; as of FY15, 100% of FISMA systems had successfully tested their CP/DR plans, compared to FY13, when less than 30% of systems had been tested.
I successfully managed all assessment activities and reviewed/approved draft POA&Ms. At the conclusion of each assessment, I ensured all NIST controls (NIST SP 800-53 Rev. 4) were accurately assessed and that all submitted artifacts positively reflected the controls in scope of the security control assessment before submission of the ATO package to the CISO for final review.
As the designated SBA Common Control Provider, I worked diligently to tailor all applicable NIST common controls and system-specific controls to ensure assessments were properly conducted.
I served on the OCIO CCB (Change Control Board) and the ECCB (Enterprise Change Control Board) to identify and approve operational changes or modified hardware/software solutions, and to ensure identified controls were properly tailored to safeguard all systems and applications.
I led a team of three (3) contractors to revise the local IT security policy to reflect NIST SP 800-53 Rev. 4.
Similarly, I drafted the agency-level ISCM (Information Security Continuous Monitoring) program, which meets NIST SP 800-137, to provide sound real-time protection of our systems' security posture.
On an annual basis, I promoted security awareness among employees and contractors to ensure security principles were reflected in the organization's vision and goals.
I coordinated with the CISO, the SOC (Security Operations Center) and US-CERT to address security incidents.
Information System Security Officer/Project Manager
Confidential
I served as the Information System Security Officer at the Veterans Affairs Medical Centers in Northampton, MA and Washington, DC as well as four (4) VA Outreach Clinics. As a technical expert on information security policies, standards, directives, and guidance, I was responsible for the coordination and integration of all aspects of the Department of Veterans Affairs' cyber, telecommunications, and information security programs and prepared reporting for all Federal reporting requirements, such as the Federal Information Security Management Act of 2002 and the E-Government Act, and other reporting requirements from the GAO, OIG and OMB. I assured the integration of IT security requirements and programs into the Medical Centers' IT investments and their lifecycle. I developed, provided and managed security awareness training for over 2,600 IT resource users.
I authored and processed security documents including Privacy Impact Assessments (PIA), Business Impact Assessments (BIA), investigation documents, System Security Plans (SSP), Continuity of Operations Plans (COOP), and Disaster Recovery Plans (DRP). I assessed system risks, prepared risk assessments, and implemented risk mitigation strategies. I investigated security incidents and prepared final reports for management decisions. I oversaw the execution of security plans, risk assessments, system security penetration testing, and evaluation plans. I reviewed the cost-effectiveness and practicality of existing information security procedures and systems, and made suggestions for the improvement of those procedures and systems.
I analyzed network events to determine their impact on current operations and conducted all-source research to determine adversary capability and intent. I also managed the Acceptance of Risk (AOR) and Security Exception Waivers.
I was responsible for security awareness training, investigations of computer incidents, and compliance with FISMA, HIPAA and OMB laws and regulations as well as VA and local policies and procedures.
I individually planned, implemented and maintained the security programs, policies and procedures to protect the integrity, availability and confidentiality of veterans’ private information.
My assignments involved ensuring the confidentiality, integrity, and availability of the VA networks, and data through the planning, analysis, implementation, maintenance, and enhancement of information systems security programs and policies.
Skills & Accomplishments:
• For over 6 years as an ISSO, I reviewed at least 25% of all workspaces weekly to identify security vulnerabilities and weaknesses and to maintain a physical inventory of all computer equipment and peripherals. I worked with stakeholders to ensure all vulnerabilities and/or risks were properly mitigated.
• I ensured all POA&Ms (Plans of Action & Milestones) were properly recorded and reviewed and that weaknesses were properly resolved on schedule and on budget.
• I generated weekly reports to track employees' completion of the required annual security and privacy training and ensured that training completions were properly recorded. My leadership with respect to the annual computer security training increased the training rate of all 2,600 employees from around 70% to close to 100% between 2009 and 2013.
Confidential, Atlanta, GA
Transportation Security Officer
Performed front-line defense against terrorist threats from the traveling public in a variety of Confidential duties related to providing security and protection for air travelers, airports and aircraft using electronic and imaging equipment.
