Founder/CTO, Contractor/Consultant Resume
Tarpon Springs, Florida
OBJECTIVE:
Apply safety-critical software and systems engineering experience to architect, develop and execute resilient (real-time embedded) product security & safety-critical strategies & certifiable solutions/designs with superior technical competency, by leading projects & initiatives with broad scope & high impact.
SUMMARY:
- Systems Security Architect/Engineer/Contractor/SME/Consultant with extensive, diverse and proven hands-on experience on challenging cutting-edge technology programs, in research, architecture & FDLC of Information (High-)Assurance (IA), cryptographic, systems security/cyber-security & safety-critical products & apps, with a strong technical software engineering background.
- Unique blend of expertise in strategic planning, requirements definition & management, process development & leadership along with in-depth technical knowledge & product design including definition of product secure-by-design & safety-critical objectives, analyzing product architectures for security vulnerabilities, evaluating threats, qualitatively assessing security & safety-critical risks, security metrics definition for monitoring & support, defining & managing product security & safety-critical requirements, coordinating & conducting security & safety-critical test activities, penetration testing, supporting certification, accreditation (C&A/A&A) activities, and documentation.
- Designing & evaluating secure & safety-critical technologies at various levels (systems, subsystems, components & interfaces) of secure/trusted & airworthiness/airborne hardware & software, leading towards certifiable architectures & solutions via NISCAP (Confidential), DIACAP/DIARMF (DoD), FISMA/RMF/NIST SP 800-37, -39, -53, -82, -160/FIPS 140-2 & PCI-SSC/PA-DSS (Federal, Commercial & Financial), EASA/FAA/ITSEC/ARP4754/RTCA ("Safety-Critical" Avionics Cybersecurity), Confidential CIP v3 & v5 (ICS/SCADA/Power Generation ICS/Utility), and HIPAA (Health Insurance) compliance certification frameworks. Solid understanding of their information security & safety-critical regulations, policies, publications, and their corresponding Certification & Accreditation/Assessment & Authorization (C&A/A&A) processes & supporting documentation.
- Translation & implementation of system & subsystem security controls (of Confidential Type 1 & 2 UIC/IASRD & Suite B cryptographic, IATF/DISA/NIST/RMF/DIACAP/DoD 8500 series security, PCI-SSC/PA-DSS standard, and EASA/ITSEC/FAA/ARP4754 security & safety-critical requirements) into Multiple Independent Levels of Security (MILS) & Multiple Levels of Security (MLS) detailed trusted hardware (ASP/BSP w/GPP & multicore and/or DSP/FPGA and/or End Cryptographic Units (ECU/SoC: AIM, JANUS, SIERRA II)) & software architectures (achieving physical, functional & cryptological RED/BLACK data isolation & information flow control via data separation with VMMs/hypervisors/separation (secure) kernels/safety-critical DO-178B SRTOS (GHS INTEGRITY, LynxSecure/LynxSE, VxWorks MILS & SELinux) and Cross Domain Solutions (CDS)/guards/reference monitors).
- Defense-in-depth principles and technology, including implementation of strong Identification, Auditing, Authentication, Authorization & Access Control schemes (IA4CS) with Key Management (EKMS/KMI) & PKI via cryptographic algorithms within protocols (SSH, SSL/TLS, IPsec, HAIPE v1.35-3.X, ESPv3, IKEv2 key exchange, Robust Header Compression (ROHC), AES, SHA, ECDH) in accordance with the Common Criteria (CC) Evaluation Assurance Levels (EAL1-7/E1-6) and Confidential/DIACAP/NIST/FIPS, PCI-SSC/PA-DSS & EASA/ITSEC/FAA/ARP4754/RTCA guidelines for various security domains/enclaves & airworthiness/airborne safety-critical levels (DAL A-E) respectively.
- Security risk assessment methodology applied to system development, including threat model development, vulnerability assessments, validation & verification, and the resulting security risk analysis. System penetration via selected security scan tools, DISA's STIGs, and ethical hacking to identify potential for exploitation.
- Solid understanding of High Assurance Wireless Communication Systems (HAWCS), mobile/cellular/smartphone and Software Defined Radio (SDR/JTRS) architectural principles.
- Development of secure embedded real-time preemptive multitasking/multithreaded software & device drivers, programming solutions for robotics/automatic controls/GN&C, and wired & MANET/mesh/wireless single- & multi-tier LAN/WAN secure networks & communication protocols.
- Proficient in C, competent in C++ & Java, experienced in Shell scripts & various other languages.
- Utilization of middleware (CORBA/J2EE/SOA), system modeling and simulation with OOSE & ROOM via CASE tools (UML, Rational Rose/Rose RealTime, Rhapsody, ObjectTime).
- Well versed in a variety of operating systems, GPOSs (Windows & UNIXes: FreeBSD, NetBSD, Linux/SELinux, uClinux, Sun/Solaris, SCO/UnixWare, HP-UX) & RTOSs (RT-Linux, GHS INTEGRITY, VxWorks, µC/OS-II, LynxOS, FreeRTOS, iRMX, MTOS, Gemix) on a variety of computer hardware/BSPs (x86, MIPS, ARM9, Thales VMPC Power Node 3, TI TMS320C6000 DSP, ZT8901, Microsemi SmartFusion2, Xilinx & Altera FPGA, BCM11XXX, BCM95352E, ADI's Blackfin ADSP-BF535 STAMP, M68302/332, M680X0, TR2020, TR2001, multicore octal Freescale QorIQ P4080 SoC, dual-core Mindspeed Comcerto 2000 ARM Cortex-A9 SoC, Freescale ColdFire MCF5235, NXP's ARM Kinetis K66F & QorIQ LS1043A SoC).
EMPLOYMENT HISTORY
Confidential, Tarpon Springs, Florida
Founder/CTO, Contractor/Consultant
Responsibilities:
- Worked on network enclaves of existing ground space (GSE) systems & newly developed launch vehicle (SLS) ground support systems, towards achieving & maintaining Authorization to Operate (ATO) via the implementation of security standards & guidelines in accordance with the FISMA & RMF A&A processes, utilizing FIPS 199 and NIST SP 800-37, -53 and -82 Rev. 2 security controls for industrial & non-industrial control devices that require ITSEC & Confidential policy directives, compliance & pertinent NASA cybersecurity instructions.
- Reviewed existing ground subsystem design documentation and developed security policies for the subsystem, processes & procedures (e.g. Standard Operating Procedures (SOPs), Desk Instructions (DIs)) and evidence (e.g. subsystem Confidential INFOSEC Block Diagram & Security Architecture Document (SAD), ConOps) in support of constructing Continuity Plans, Contingency Plans and System Security Plans (SSPs) that apply specifically to ICS, are based on the Homeland Security Advisory System Threat Level, and deploy increasingly heightened security postures as the Threat Level increases.
- Utilized defense-in-depth strategies and applied NIST SP 800-53 requirements to the ICS for a complete vulnerability assessment, to minimize the risk to the end item/asset/fielded device and the overall subsystem.
- Implemented a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Provided logical separation between Launch Control System (LCS) and ICS networks (e.g., stateful inspection firewall (Confidential) between the networks, unidirectional gateways, etc.).
- Employed a DMZ network architecture (i.e., preventing direct traffic between external and ICS networks) and ensured that critical components are redundant and are on redundant networks.
- Disabled unused ports and services on ICS devices after testing to ensure this would not impact ICS operation. Restricted physical access to the ICS network and devices, and ICS user privileges, to only those required to perform each person's job (i.e., established role-based access control and configured each role based on the principle of least privilege).
- Supported the INFOSEC V&V compliance activities & actions regarding Plans of Action & Milestones (POA&M), Risk Acceptance Letters, and Continuous Monitoring, and contributed significantly as a member of cross-functional, collaborative teams. Involved with the Security Assessment Review Team (SART), providing feedback to the team on IT & ICS SAs, peer review of design packages, implementation detail/evidence, and POA&M items. Reviewed all NASA Engineering (NE) organization Confidential system-related System Security Plans (SSPs) and acted as liaison for coordinating the effort to consolidate plans.
Confidential, Fort Walton, FL
SME Information Assurance/Security Compliance Specialist/ Systems Cyber Security Engineer
Responsibilities:
- Participated in & supported the Buyer Confidential System Requirements Review (SRR), PDR, CDR, Technical Interchange Meetings (TIMs), peer reviews, and acceptance testing, providing security advice, consultation and guidance on identified DIACAP/RMF issues to program managers.
- Conducted comprehensive security assessments to identify architectural & implementation weaknesses (evaluating the technical implementation of the security design to ascertain the security software, hardware, and firmware features affecting confidentiality, integrity, availability, accountability, and non-repudiation, implemented as documented in NIST SP 800-53 and/or the DoDI 8500 series) and determine compliance with regulatory requirements.
- Performed & completed, using the government-provided A&A tool (Assured Compliance Assessment Solution (ACAS)), all applicable Tenable Nessus/ACAS vulnerability & compliance scans, and applied patches for operating systems (e.g. Windows, (RT)Linux & VxWorks), applications, and all hardware (including network equipment) on all ATD/simulator systems and subsystems. Closed all Critical/High IAVM findings and provided justification for Critical/High IAVMs that could not be closed.
- Performed & completed, using the government-provided A&A tools (DISA Security Content Automation Protocol (SCAP) Compliance Checker (SCC) & STIG Viewer), all applicable STIG hardening and compliance checklists at the classification level (MAC III/Classified) of the system (as available from DISA) for all ATD operating systems, applications, and hardware. Mitigated all CAT I & II STIG findings and answered CAT III items. Updated STIG checklists with results and provided justification within the checklists for any CAT I or CAT II findings that could not be closed, prior to uploading them to OTI/Enterprise Mission Assurance Support Service (eMASS) via SIPRNet.
- Responsible for writing, implementing, completing, managing, and maintaining related security documentation (System Identification Profile (SIP), System Security Plans (SSP), Assessment Security Risk Plan & Report (ASP&R), Plan of Action and Milestones (POA&M), mitigation & remediation plans for system security controls, Contingency Plans and any Program Protection Plans (PPP) required by government customers, as well as development of other A&A-related system bodies of evidence), policies, processes & procedures required to achieve, obtain and maintain system ATOs, classified to the level of the systems, in accordance with RMF & DoD guidance, policies and procedures, to ensure that accreditation packages are complete and system compliance is met for the USAF OTI Designated Accrediting Authority (DAA)/Authorizing Official (AO).
- Performed system security tests to verify the operational state of the ATD systems after completion of patching, vulnerability scans and hardening tasks, and provided test reports (documenting residual risks by conducting a thorough review of all vulnerabilities, the architecture and defense in depth, and providing the IA risk analysis and mitigation determination results for the Test Report).
- Supported assessment of the cyber posture of legacy systems, assisted in determining a prioritization strategy to fix existing and future cyber vulnerabilities, recommended mitigation strategies, and supported the future effort of continuous monitoring using active & passive ACAS vulnerability scanning in combination with Host Based Security System (HBSS) support & patch management, both before validation and post-ATO, which also entails the Incident Response Plan (IRP).
Confidential, Cambridge, MA
SME Information Assurance/ Cryptographic Systems Software Security Architect
Responsibilities:
- Assessed the unified Confidential IASRD and customer Confidential CONOPS & tactical security requirements and derived/defined/tailored the CM Confidential capabilities/requirements and functional decomposition (Root of Trust/Secure Boot, Encryption/Decryption, Bypass, Key Generation & Management, Operational Integrity, Randomizer, Alarms & Zeroization, Access Control and Security Policy via reference monitors) to satisfy its Confidentiality, Integrity & Availability (CIA) requirements.
- Performed analysis of the Confidential Type 1 certifiable Secure Micro-Digital Data Link (SMDD) CM used for UAVs as well as alternative designs, including defining and evolving secure/trusted architectures via ARMv7 & ARMv8 Cortex w/RTOS (RT-Linux, µC/OS-II, FreeRTOS) based System-on-Chip (MPSoC)/Single Chip System Module (SCM) and/or FPGA (Altera, Xilinx, Microsemi SmartFusion2) SoC to support Confidential Suite B Confidential crypto algorithms (AES-256-GCM, SHA-384, ECDSA-384 & ECDH-384), mission goals and fault-tolerance requirements.
- Involved with key generation, management & distribution of all keys (i.e. KEKs & TEKs) via ECDH/ECDSA.
- Participated and worked with all the DoD Confidential & vendor Confidential IPTs towards tuning the secure architecture; worked on developing all Confidential security-related documents (i.e. the Security Evaluation Document (SED)) towards a successful Confidential C&A.
- Provided expertise to & managed multidisciplinary teams to develop and deliver the secure Blackstone CM (BCM) system throughout the secure system and software development lifecycle.
Confidential
Strategic Security Architect
Responsibilities:
- Assessed & defined unified security requirements and security technology implementation for real-time, critical embedded systems (NISTIR & Confidential CIP compliant; reliable, available & real-time operable in harsh environments; satisfying mission-critical, embeddable, NXP's ARM Kinetis K66F & QorIQ LS1043A SoC based designs), including: multi-core, IPC, secure boot, bootloaders (PBL/non-PBL), hypervisors (KVM), containers (LXC), TrustZone, virtualization for domain separation, hardware security (security fuse and/or OTP memory technologies), tamper detection, code signing, key management and provisioning.
- Defined, derived, translated and delivered architectural & implementation documentation of the embeddable devices' security requirements and controls, tailored to the Confidential Suite B cryptographic framework.
- Involved with the design, development, and implementation of highly complex secure (X.509) architectures, frameworks (PKI) and infrastructures that integrate M2M/D2D bootstrapping of constrained IoT devices with current enterprise DCS standards & SCADA architectures, utilizing secure networks and protocols (3G/4G, LwM2M, DTLS, MODBUS, DNP3, etc.).
- Defined the 3G/4G system architecture from the perspective of end-to-end communication between edge products (TSIIC & Intelliraptor) and the end customer data centers via Confidential &C or third-party aggregation resources.
- Involved in and assisted with defining the development and implementation of the company's Confidential CIP Governance, Risk & Compliance (GRC) framework.
- Provided education and mentoring to other team members on security issues.
Confidential
Senior Control Systems Cyber Security Specialist
Responsibilities:
- Responsible for ensuring the ICS/SCADA systems being developed and deployed are secure, and for providing support, including but not limited to, in the areas of cyber security, control/SCADA system security, Confidential CIP v3 & v5 convergence & compliance, preparation of documentation in support of audits, conducting cyber security and vulnerability assessments, and contributing to the development & implementation of Confidential CIP v5 compliant programs (CIP-002: Asset Categorization, CIP-005: Electronic Security Perimeter (ESP), CIP-007: System Security Management / Ports & Services, CIP-010: Configuration Change Management, CIP-011: Information Protection).
- Acquired expertise in DCS used in the electric power sector, specifically in generation, substations and control centers; vendor control system security offerings such as Emerson OSC, Confidential Security ST, and Industrial Defender; and their corresponding DCS network architectures for control systems such as Confidential MARK VI and Emerson Ovation, involving SCADA networks and protocols (MODBUS, DNP3, etc.).
- Involved with the capabilities and/or configuration of cyber security controls, specifically those relating to firewalls, access control, authentication, anti-virus/anti-malware, logging, patching and hot fixes.
- Provided SME expertise in controls & process network engineering, Factory Acceptance Testing (FAT), and Confidential reliability standards & processes. Associated with NIST SP 800-82, Confidential CIP Controls Framework and Automation, Cyber Asset Identification, Categorization and Management, Configuration Management, Recovery Plans, Security Vulnerability Management, Cyber Security Incident Response Plan (CSIRP), Security Information & Event Management (SIEM), Access Management and Automation, Patching and Malicious Code Prevention, Electronic Security Perimeters (ESP), Information Protection Program (IPP), Personnel Risk Assessment (PRA) Program, Confidential CIP Compliance Training Program, and Physical Security.
- Ensured the reliability, performance, integrity, and recoverability of the identified Critical Cyber Asset (CCA) & cyber asset systems supporting the Bulk Power System critical assets (BCA) by defining security policy.
- Reviewed vulnerability assessments, identified risks and recommended appropriate mitigations.
Confidential, Washington, DC
Senior Java Security SME
Responsibilities:
- Worked with product teams & owners to understand and formulate security requirements for ELIS S/W apps.
- Served as SME on application security and collaborated with software development teams to provide technical guidance on implementing appropriate security solutions (Java security, SSO/SAML & ICAM), mechanisms and/or controls (WS, multi-factor AuthN, AuthZ/RBAC, encryption/hashing) that addressed business requirements.
- Defined & provided system Confidential security metrics and how to gather & monitor them. Consulted on technical security issues/incidents as needed. Applied FISMA/NIST SP 800-35/37 RMF (Step 6) guidelines for monitoring security controls and, as the organization-defined continuous monitoring process, utilized the Security Information & Event Management (SIEM) tools New Relic & Splunk for monitoring & log data analysis.
- Acted as liaison between software engineers and the Information System Security Office (ISSO).
- Conducted and coordinated (via risk assessments) security mitigations arising from vulnerability assessments and static code reviews of software applications under development, utilizing the HP Fortify tool.
- Participated in Agile Scrum activities such as daily stand-up, sprint planning and retrospective meetings.
- Monitored COTS application security-related tools, conducted tool analysis & provided recommendations.
Confidential, Melbourne, FL
Safety-Critical & Embedded Systems Security Software Engineer
Responsibilities:
- Developed & enhanced in C/C++ the device driver Confidential ISR of the On-Board Computer (OBC) Confidential Zilog Confidential Z85230 Enhanced Serial Communication Controller (ESCC) to conduct, via auto-detection, synchronous & asynchronous message communications over serial EIA RS-232 & RS-422/RS-485 with the High-Level Data Link Control (HDLC) protocol between the OBC and the GPS Remote Interface Modules (RIM) Confidential.
- Defined, developed, and maintained real-time embedded software applications for use in train communication and control systems, as well as their corresponding System Requirements, Software Requirements & Software Design Specs.
- Utilized the GHS INTEGRITY MULTI IDE for compiling & debugging, StarTeam for configuration management & source control, and Understand for C/C++ for software static analysis, and worked cross-functionally with other H/W, S/W, and systems engineers.
Confidential, Lawrenceville, GA
Lead Embedded Systems Security Software & Network Architect
Responsibilities:
- Concurrently conducted detailed data security assessments, including applications, servers, databases, and other network components and associated processes, against the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards to identify areas of non-compliance for medical practitioner offices/centers. Developed the HIPAA Security Plan, Policies & Procedures documents as well as supporting artifacts (Information Security Plan, Contingency & Disaster Recovery, etc.).
- Concurrently involved in product developments & enhancements/platform commercialization of Confidential TrustZone-enabled platforms with secure partitions running Linux and/or Android and/or hosted/embedded apps.
- The Confidential is specifically used as a machine emulator on a Linux host for the ARMv7 architecture (GitHub version of Confidential with basic support for the ARM TrustZone security extensions), booting the microkernel with MMU setup (by adapting the ARM-specific parts of QEMU's MMU simulation, effectively treating the TrustZone memory protection like an additional layer of MMU protection). This allows "secure world" L4 tasks to create, isolate and interact with "normal world" operating systems, via secure channeling to the outside world using mutual authentication and standard encryption methods, and via L4's SecIPC/built-in capability-based mechanism for information flow control, enabling safe execution with guaranteed memory for security and applications, CPU time resources, and device access control, regardless of what is happening in the "normal world".
- The objective is for the "normal world" to act as a virtual machine under control of the Visor running in the "secure world"/TrustZone, and also for other security-related code and data to be housed in the "secure world"/TrustZone, such as cryptographic algorithms, network security protocols (such as SSL/TLS) and keying material, digital rights management (DRM) software, access control functions, and/or electronic payment & identity data.
- The SMC can be thought of as a kind of "system call from the normal-world kernel to the secure-world kernel"; Secure Memory Management is created at execution time after the SMC call, whereas on actual ARM TrustZone it is created at boot time; Monitor Mode uses the non-secure bit of the Secure Configuration Register (SCR.NS), and the corresponding secure bit (SCR. Confidential) value changes on transitions between the worlds, as it also does on actual ARM TrustZone.
- Trusted Applications are loaded at execution time and are thus dynamic, whereas on actual ARM TrustZone they are loaded at boot time and are not; interrupts (normal-world IRQs, and normal- and secure-world FIQs) are handled by the operating system, as they also are on actual ARM TrustZone; debugging is done on native C/C++ code, whereas on actual ARM TrustZone the application cannot be debugged since it is already compiled; and registers are modelled as variables rather than the ARM registers used on actual ARM TrustZone.
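The SMC path the bullets above describe (the normal-world kernel "system-calling" into the secure-world kernel, the monitor toggling SCR.NS around the call, and the TrustZone memory protection acting as an extra MMU layer), modelled as a small C program added here for illustration. It is not the emulator, L4 or Visor code from the resume: the memory map, the toy XOR "seal" service, the nonce service, the register block `regs_t` and the function names (`smc`, `secure_dispatch`, `ns_range_ok`) are all constructed for this example. The check in `ns_range_ok` is the security-relevant part: a secure-world service must refuse a normal-world pointer that lands in, straddles, or wraps past secure RAM, otherwise the normal world can turn the SMC into a read/write primitive into the secure world.

```c
/* Added model of the SMC / SCR.NS / secure-memory check described above.
 * Illustration only: memory map, services and names are constructed here,
 * not taken from the emulator, microkernel or Visor the resume refers to. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCR_NS        (1u << 0)   /* SCR.NS: 1 = normal world running, 0 = secure world running */
#define MEM_SIZE      4096u
#define SECURE_BASE   0u          /* model: [SECURE_BASE, SECURE_LIMIT) is secure-world RAM */
#define SECURE_LIMIT  1024u
#define KEY_ADDR      16u         /* constructed toy key, kept inside secure RAM */
#define KEY_LEN       16u

enum smc_func   { SMC_SEAL = 1, SMC_NEXT_NONCE = 2 };
enum smc_status { SMC_OK = 0, SMC_EINVAL = -1, SMC_ENOSYS = -2, SMC_EPERM = -3 };

/* model registers: r0 = function id on entry / status on return, r1..r2 = arguments / result */
typedef struct { uint32_t r0, r1, r2; } regs_t;

static uint8_t  ram[MEM_SIZE];
static uint32_t scr = SCR_NS;     /* the model "boots" with the normal world running */
static uint32_t secure_nonce;     /* secure-world state, never handed out by pointer */

void model_reset(void)
{
    memset(ram, 0, sizeof ram);
    for (uint32_t i = 0; i < KEY_LEN; i++)
        ram[KEY_ADDR + i] = (uint8_t)(0xA5 + i);   /* constructed key bytes */
    scr = SCR_NS;
    secure_nonce = 0;
}

uint32_t scr_ns(void)                        { return scr & SCR_NS; }
uint8_t  ram_read(uint32_t addr)             { return ram[addr]; }   /* observer helpers for demo/test */
void     ram_write(uint32_t addr, uint8_t v) { ram[addr] = v; }

/* The "additional layer of MMU protection": a pointer handed over by the
 * normal world is honoured only if the whole range lies in normal-world RAM. */
int ns_range_ok(uint32_t addr, uint32_t len)
{
    if (len == 0 || addr >= MEM_SIZE || len > MEM_SIZE - addr)
        return 0;                                   /* empty, outside RAM, or would wrap */
    uint32_t end = addr + len;                      /* exclusive; cannot overflow after the check above */
    if (addr < SECURE_LIMIT && end > SECURE_BASE)
        return 0;                                   /* overlaps secure RAM */
    return 1;
}

/* Secure-world services; reachable only through the monitor below. */
static int32_t secure_dispatch(regs_t *r)
{
    switch (r->r0) {
    case SMC_SEAL:                                  /* r1 = buffer address, r2 = length */
        if (!ns_range_ok(r->r1, r->r2))
            return SMC_EINVAL;                      /* normal world tried to aim us at secure RAM */
        for (uint32_t i = 0; i < r->r2; i++)        /* toy "seal": XOR in place with the secure key */
            ram[r->r1 + i] ^= ram[KEY_ADDR + (i % KEY_LEN)];
        return SMC_OK;
    case SMC_NEXT_NONCE:
        r->r1 = ++secure_nonce;                     /* result returned by value in a register */
        return SMC_OK;
    default:
        return SMC_ENOSYS;
    }
}

/* Monitor: the normal-world kernel "system-calls" into the secure-world kernel. */
int32_t smc(regs_t *r)
{
    if (!(scr & SCR_NS))
        return SMC_EPERM;                           /* in this model only the normal world issues SMC */
    regs_t saved = *r;                              /* save normal-world context */
    scr &= ~SCR_NS;                                 /* switch to the secure world */
    int32_t status = secure_dispatch(r);
    uint32_t result = r->r1;
    scr |= SCR_NS;                                  /* back to the normal world */
    *r = saved;                                     /* restore context, then publish status/result */
    r->r0 = (uint32_t)status;
    r->r1 = result;
    return status;
}

int main(void)
{
    regs_t r;
    int32_t st;
    model_reset();

    r = (regs_t){ SMC_SEAL, 2048, 16 };             /* legitimate normal-world buffer */
    st = smc(&r);
    printf("seal normal buffer : status %d, byte0=0x%02x, SCR.NS=%u\n", st, ram_read(2048), scr_ns());
    r = (regs_t){ SMC_SEAL, 512, 16 };              /* pointer into secure RAM */
    printf("seal secure RAM    : status %d\n", smc(&r));
    r = (regs_t){ SMC_SEAL, 1016, 16 };             /* range straddling the boundary */
    printf("seal straddling    : status %d\n", smc(&r));
    r = (regs_t){ SMC_SEAL, 4090, 100 };            /* length runs past the end of RAM */
    printf("seal past end      : status %d\n", smc(&r));
    r = (regs_t){ SMC_NEXT_NONCE, 0, 0 };
    st = smc(&r);
    printf("nonce              : status %d, value %u\n", st, r.r1);
    return 0;
}
```

Any C99 compiler builds it. On every return from `smc` the monitor has set SCR.NS again, and the three rejected calls leave secure RAM untouched; the nonce service shows the safer pattern of returning secure-world results by value in a register rather than writing through a normal-world pointer.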