The candidate will provide information system security testing (i.e., Security Test and Evaluation (ST and E) and/or Certification Test and Evaluation (CT)) for initial accreditation, re-accreditation, continuous monitoring, and the remedial actions required to comply with accreditation (information systems accredited with a lien).
Techniques used in the CT and ST and E may include Gold Disk scans, System Readiness Reviews (SRR), penetration testing, network vulnerability scans, source code scans, web application scans, or a manual check of each security control against the security guides. This includes, but is not limited to, performing all required information system security certification tasks during the definition/concept; development; installation, checkout and verification; penetration testing; and operations and maintenance phases for new or legacy information systems, in accordance with our client's Certification and Accreditation Handbook.
The candidate shall develop penetration test plans, conduct penetration testing and prepare penetration testing reports for Tier 3-5 new or legacy information systems in accordance with our client's C and A Handbook, per government provided schedule.
In addition to the critical skills listed above, the contractor shall ensure that every SAT member meets the following basic requirements:
All SAT candidates shall be comfortable using, configuring, troubleshooting, and administering both UNIX and Microsoft operating systems with extensive system engineering experience with at least one of these operating systems.
Have a broad knowledge of security best practices, security solutions, and methodologies for conducting advanced security assessments, to include manual assessments and malicious user testing.
Have a solid understanding of Intelligence Community and DOJ security policies, and of NIST security guidelines and special publications, especially 800-53 rev 3 and 800-53A.
Have broad and expert knowledge of security assessment tools (commercial, free/shareware) and manual security testing techniques, an advanced understanding of each tool's strengths and weaknesses, and the ability to select, configure, troubleshoot and use the best “tool for the job”.
Have a broad knowledge of cyber security threats and techniques used by adversaries to compromise systems – both technical and non-technical techniques.
Have the ability to think creatively, to think critically, to analyze complex concepts, to articulate themselves clearly and concisely, and to conduct themselves in a professional manner.
SAT members responsible for leading the assessment of web applications shall possess the GWAPT or equivalent certification and those leading penetration testing engagements shall possess the GPEN or equivalent.
SAT members must possess extensive experience with methodologies for both Vulnerability Assessment and Penetration Test activities, and solid experience conducting both in environments of varying size and business function.
Must have ONE of the following certifications: Certified Information Systems Security Professional (CISSP), SANS GIAC Certified Incident Handler (GCIH), GIAC Certified Penetration Tester (GPEN), or GIAC Certified Web Application Penetration Tester (GWAPT).
Approximately 40% travel within 50 miles of Washington, DC.
Top Secret / SCI