Motivated IT and Cyber Security Analyst with over 7 years of professional experience performing Federal Information Security Management Act of 2002 (FISMA) compliance work and project management for the Federal government. Sound background in Assessment and Authorization, the Confidential 800 series, the Risk Management Framework (RMF), POA&M management, Operational Policy and Procedures, and National Security Analysis. Experienced in all phases of preparing and reviewing complete Assessment and Authorization (A&A) packages for information technology systems and applications in accordance with FISMA and following the guidance of the Confidential. Able to determine the security posture of an agency network.
Assessment and Authorization (A&A), formerly Certification and Accreditation (C&A); Federal Information Security Management Act (FISMA); Confidential 800-37 Risk Management Framework (RMF); Confidential 800-53 and 800-53A frameworks; Plan of Action and Milestones (POA&M); FIPS 199 System Security Categorization; System Security Plans (SSP); Security Assessment Report (SAR); Continuous Monitoring (CM); Ongoing Authorization program; Information System Contingency Plans (ISCP); Security Control Assessment (SCA); Cyber Security Assessment and Management (CSAM) toolkit.
Hardware/Operating Systems: Windows 10
Software / Products: Microsoft Office, Microsoft Project, CSAM, SharePoint, Splunk, RiskVision, Alloy
Confidential, Reston, VA
Project Manager
- Proactively create, monitor and update the status of POA&Ms to ensure weaknesses are resolved in accordance with their scheduled completion dates
- Create waivers or risk acceptance memos to assist in the effective management of system risks
- Conduct annual assessments in accordance with guidance in the DHS Information Security Performance Plan
- Review and update security authorization documents as needed, and at least annually
- Coordinate with the customer's Privacy, Records, and Information Governance Divisions on compliance documentation and other requirements
- Conduct Contingency Plan tests at least annually and update the plan
- Perform system self-assessments as part of the customer's Ongoing Authorization program
- Prepare systems for Ongoing Authorization enrollment
- Monitor and respond to Information Security Vulnerability Management (ISVM)/patch management
- Provide audit support for assigned systems (Financial, A-123, FISMA, internal, DHS, etc.) throughout the audit lifecycle (pre-audit, during the audit, and post-audit)
- Maintain knowledge of the inventory within the accreditation boundary
- Proactively ensure security requirements are included in the development cycle (Waterfall, Agile, SecDevOps)
- Use DHS-mandated enterprise IA compliance tools
- Devise a plan to certify and accredit assigned information systems
- Ensure CM processes are followed so that changes do not introduce new security risks
- Manage system Information Security Vulnerability Management (ISVM) compliance
- Respond to emerging requirements or policies as set by legislation, regulation or policy
- Participate in DevSecOps (security integrated into Agile processes) requirements for assigned systems
- Support annual assessments in accordance with guidance in the DHS Information Security Performance Plan
- Participate in on-site evaluations/audits for compliance with policy
- Perform assessments of client systems and environments following Confidential 800-53 Rev 4 standards
Confidential, McLean, VA
Senior III and Project Manager
- Leverage leadership and information system security skills to gain the trust and confidence of the client, project team and government customers. Active member of the Confidential team that won the 2015 Confidential SDVOSB Contractor of the Year award for providing outstanding and innovative service in the Cybersecurity and Information Assurance domain.
- Facilitate walkthrough meetings and data classification sessions with various application stakeholders and explain the purpose of information system security and Confidential SP 800-series requirements.
- Support the client in performing the Confidential RMF process to ensure they meet security requirements and complete their annual SA&A, using the Cybersecurity Assessment and Management (CSAM) tool to manage the SA&A workflow and associated documents.
- Develop and review security categorizations using FIPS 199 and Confidential SP 800-60 to determine if the categorization is adequate and commensurate with the data that is processed.
- Review current agency policies and procedures and identify gaps in terms of compliance.
- Served as Confidential for multiple major applications and the general support system.
- Perform and develop Privacy Threshold Assessments (PTA) and Privacy Impact Assessments (PIA) in coordination with the system owners and stakeholders.
- Support security controls assessment efforts by preparing and providing evidence artifacts.
- Coordinate and track remediation of security weaknesses as they are discovered via Plans of Action and Milestones (POA&Ms).
- Develop and review risk acceptance memorandums to ensure that accepted risks have appropriate justifications and mitigations.
- Achieve and maintain FISMA compliance and authority to operate (ATO) for systems based on guidance from the Confidential SP 800-37 Risk Management Framework (RMF).
- Provide system stakeholders with recommendations on how to best remediate identified issues based upon Confidential guidelines and industry best practice.
- Perform security testing and security control assessments on federal applications to ensure compliance with Confidential 800-53A and agency-specific requirements.
- Participate in the Control Selection Meeting, Control Assessment Meeting and Findings Review meetings with the system stakeholders.
- Work closely with the System POC to coordinate the data gathering effort.
- Review and analyze evidence to ensure each assessment objective is achieved.
- Develop security artifacts and procedures to ensure information system confidentiality, integrity and availability are in compliance with national policy.
- Take notes during SCA walkthrough meetings.
- Review security-related documentation (System Security Plans, Configuration Management Plans, etc.).
- Conduct internal control assessments in accordance with OMB A-123 internal control requirements.
- Document audit work papers, audit findings and recommendations.
- Participate in various integrated project teams with a focus on the System Development Life Cycle (SDLC), Configuration Management and other security requirements.
Confidential, Arlington, VA
- Reviewed, documented, and tested internal controls.
- Participated in on-site evaluations/audits for compliance with policy.
- Performed assessments of client systems and environments following Confidential 800-53 Rev 3 and Rev 4 standards.
- Performed gap analysis of Confidential 800-53 Rev 3 to Rev 4 for System Security Plan (SSP) updates.
- Assisted in preparing draft audit reports to communicate findings and recommendations to senior management.
- Performed all stages of audit, including planning; fieldwork/execution; reporting; and follow-up.
- Followed up to ensure the prompt and proper resolution and implementation of corrective action plans.
- Documented control weaknesses related to testing exceptions.
- Identified and communicated IT audit findings to senior management and clients.
- Maintained good working relationships with clients to enhance customer satisfaction, and worked with client management and staff at all levels to perform audit services.
- Ensured all POA&M actions were completed and tested in a timely fashion to meet client deadlines.
- Interfaced with the client on a day-to-day basis.
- Documented work completed by preparing work papers.
- Worked as a liaison to provide data and records for external auditors (OIG) during financial system audits.
- Reviewed and uploaded deliverables to the A&A repository.
- Determined whether Personally Identifiable Information (PII) was stored, processed, or transmitted and, if applicable, conducted a Privacy Threshold Analysis (PTA).
- Worked with client to improve the security posture of their information systems through the implementation of the Assessment and Authorization (A&A) process.
- Helped conduct weekly meetings with upper management on POA&M tracking updates.
- Created and compiled authorization packages including Designation Letters, Security Plans, Contingency Plans, and SOPs.
- Worked with auditors to identify Key Controls which must be assessed on a recurring annual basis.
- Initiated, coordinated and tracked the remediation of security weaknesses as they were discovered via Plans of Action and Milestones (POA&Ms).