
Barling Bay, LLC Resume


SUMMARY:

  • A&A/ C&A Subject Matter Expert (NIST/DIACAP), Information Security/vulnerability assessments and mitigation strategies. Network security architectures, assessments, policy, Security Management, Strategic Security Plans, complete A&A packages, POA&M and continuous monitoring management, Counterterrorism experience.
  • Evaluation and resolution of problem programs. Extensive experience with handling security issues and coordination with flag rank, C-level officials, and government senior level executives. Saves time and money.
  • Cybersecurity customer requirements analysis, risk assessments, counterterrorism assessments and operations, system security audits, policy, and implementation.

PROFESSIONAL ACCOMPLISHMENTS:

Barling Bay, LLC
  • Program Manager for Bureau of Indian Affairs. A&A SME/Senior Security Engineer for Confidential of Information Security. Manages all BIA systems Security Controls Assessment efforts. Implemented Continuous Monitoring solution using SPLUNK, NESSUS and other COTS products. Developed and implemented standardized procedures for A&A efforts, POA&M management, and implemented new QA systems for deliverables and A&A artifacts. Specified security requirements for centralized data center, and designed new NIST-compliant authorization boundary architectures (major applications, infrastructure, enterprise, and physical and environmental). Repaired problem contract, realigned staff, and saved client funding with no loss of efficiency or profitability.

Confidential Engineering Associates/ Confidential Advisory Group

  • C&A/A&A Subject Matter Expert for NOAA CIO. Designed, wrote, and implemented new methodology to ensure consistent security artifacts and deliverables across 8 contractors and 117 systems. Included assessment methodology, QA process, deliverable management, NIST compliance, POA&M management, etc. Designed NIST compliant A&A process, ensuring SDLC compatibility. Aligned processes with Risk Management Framework architecture. Wrote draft RFI, PWS, and other acquisition documents for CIO contract aligning A&A methodologies.
  • Information Assurance Subject Matter Expert for Pension Benefit Guaranty Corporation (Financial management of Pension plans). At client request, completely realigned Enterprise Security program to NIST requirements. Implemented NESSUS and Acunetix vulnerability scanning, vulnerability mitigation strategies, and risk management efforts. Conducted COOP testing and evaluation, developed complete tracking metric for organization. Specified COTS security tools. Brokered sensitive investigations concerning security violations, and recommended mitigation and corrective actions. Conducted IV&V on COOP testing at two sites.
  • Certification and Accreditation Subject Matter Expert for the Veteran’s Affairs Web Operations project in which the entire VA network operations required C&A support. Wrote all documents (ST&E, FISMA risk analysis, Configuration Management Plan, Security Plan, Contingency Plan, Incident Response Plan, Privacy Impact Assessment, etc.). Instituted routine systems auditing, configuration/change management, enhanced network security operations, and interconnection security agreements. Instituted NIST compliance where none existed.
  • Certification and Accreditation Subject Matter Expert for National Weather Service Historical Climate Monitoring System upgrade. Wrote all C&A documents, developed security processes for program.
  • Certification and Accreditation Subject Matter Expert for Centers for Medicare and Medicaid Electronic Health Records project. Wrote all C&A documents, initiated configuration management process, security auditing.
  • Conducted the first U.S. Navy Platform IT Certification and Accreditation effort for a complex Homeland Defense System using modified DIACAP methodology. Directed the entire information assurance testing of the system.
  • Developed and conducted training for Center for Medicare and Medicaid for Certification and Accreditation, CIO manager’s briefing and training, and others. Used various NIST guidelines (NIST 800-53, 800-53A, 800-37, various FIPS publications) to assess security controls and recommend mitigation strategies.

Confidential, President of Confidential

  • Targeted, closed, and directed operations of $9 million small business.
  • Worked at the request of Assistant Secretary of Defense in establishing oversight and independent assessment of Defense Security Service operations. Directly supported the Directors of DSS and the Office of Personnel Management. Efforts included vulnerability assessments (NIST 800-53, 800-53A, DITSCAP, various FIPS guidelines), establishment of critical operations call center, revamping entire security clearance process automation, establishing business analysis of DSS operations, independent verification and validation of other contractor software.
  • Grew the company from zero to $9 million in under three years.

Confidential, Government Services Group.

  • Developed support contract for Confidential’s efforts in support of rebuilding Iraq, identified partner companies, established negotiations, and drafted proposals.

Seidcon, Confidential. Program Manager, NASA ISEM Security

  • Conducted risk and vulnerability assessments of Confidential networks, including ISS scans of networks. Conducted wireless network evaluations, identified system vulnerabilities, and implemented mitigation strategies. Wrote Security Plans for Confidential networks (including financial, administrative, operational, and public access). Evaluated all networks at Confidential for inclusion into the new “one NASA” program mandated by the NASA CIO, and recommended migration strategies (including product, software and hardware evaluation). Coordinated Confidential Contingency/Disaster Recovery Plan, and conducted all training on Confidential Contingency Plan. This involved teaching NASA systems administrators, system owners, and system developers.
  • Worked in the security design and operations planning for a new NASA video teleconferencing system currently being developed. Conducted vulnerability and risk assessments on the system design, and recommended system modifications.

Confidential, Senior Certification and Accreditation Engineer

  • Conducted and coordinated all C&A activities at Army Materiel Command HQS. Wrote the security test and evaluation plans, SSAA, configuration management plans, security plans, and disaster recovery plans for the Army Materiel Command HQS networks. Evaluated network architectures for C&A, provided feedback to systems administrators on the network architecture, and documented the networks using VISIO and other tools. These networks had never been documented, nor had a comprehensive risk assessment been performed on them before. Wrote all necessary C&A documentation for administrative, financial, operational, executive, and Internet networks. Wrote the command’s contingency plan/disaster recovery plan, and authored test scripts for the plan’s testing.
  • Requested by the AMC CIO to evaluate subordinate command’s C&A packages before receiving accreditation and approval to operate.

Confidential, Manager, Information Risk Management

  • Developed Public Health Assessment methodology for Texas Commissioner of Health for hospital readiness for biological warfare attack, involving HIPAA compliance, counterterrorism vulnerability assessments, and implementation strategies. Developed assessment methodology for hospital operational networks, plans for connectivity to National Guard, local law enforcement, Centers for Disease Control, National Institute of Health, and other agencies, and recommended HIPAA compliance methodology for systems accreditation. Provided checklists for biological/chemical agent recognition, and wrote hospital procedures for mass casualty operations.
  • Conducted Counterterrorism Assessments at major telecommunications companies, which involved physical, network, personnel, and executive security operations. Wrote methodologies for executive evacuation, operations personnel relocation, recovery operations, and backup plans. Identified serious vulnerabilities in network architectures, and recommended mitigation strategies. Wrote training scenarios for corporate testing and evaluation, and wrote the evaluation methodology for these tests.
  • Defined HIPAA requirements and methodologies for University Medical centers and major urban hospitals in Dallas. These hospital complexes were being combined into one large network, with dissimilar software, hardware, administration, and operations. Identified several systems vulnerabilities, and provided mitigation strategies and plans.
