Our organization is looking for an experienced Information Technology Security Certification and Accreditation (C&A) professional for a 12+ month position in Washington, DC. Please see the job description below and, if interested, submit a current resume.
1. Job Title: Information Technology Security Certification and Accreditation (C&A) (US Citizen or Green Card)
2. Job Location: Washington, DC
3. Job Duration: 12+ months
4. Assignment Type: W2, 1099, C2C
5. Pay Rate: Negotiable
6. Special Requirements: security, c&a, pci, cissp, cap, csslp, niacap, ditscap, nist
Duties and Responsibilities:
Provide the following Security Certification and Accreditation Support:
a. Provide Information Technology Security Certification and Accreditation (C&A) guidance.
b. Facilitate initial briefings and subsequent meetings of the C&A core team.
c. Coordinate the completion of a BIA for each information resource.
d. Work with the Privacy Office on privacy-related requirements.
e. Recommend security requirements to executive sponsors and portfolio managers during the BIA process based on generally accepted industry practices, the operating environment [e.g., hosted in the demilitarized zone (DMZ)], and the risks associated with the information resource.
f. Provide guidance on how information resources are vulnerable to threats, what controls and countermeasures may be appropriate, and the C&A process.
g. Review and evaluate C&A documentation, including the BIA, Risk Assessment, Security Plan, Security Test and Evaluation (ST&E) plan and report, and independent reviews of the information resource.
h. Prepare the C&A Evaluation Report.
i. Escalate security concerns or forward the C&A Evaluation Report and supporting C&A documentation package to the certifier.
j. Work with the ISSO to complete C&A artifacts and send the other required artifacts (e.g., TAD and security specifications for procurements) to the ISSO.
Additional responsibilities include:
a. Promoting information security awareness on the project team.
b. Ensuring that security controls and processes are implemented.
c. Notifying the executive sponsor, portfolio manager, and ISSO of any additional security risks or concerns that emerge during development, acquisition, or integration of the information resource.
d. Developing security-related documents required by the C&A process.
e. Working with the ISSO to complete C&A artifacts and sending the other required artifacts (e.g., TAD and security specifications for procurements) to the ISSO.
- A thorough understanding of the Information Resource Security Certification and Accreditation (C&A) processes
- Experience managing the end-to-end C&A process for Business Applications and Infrastructure Systems
- Knowledge and experience with managing Payment Card Industry (PCI) applications through the C&A process
1. Holds one or more of the following credentials:
a. Certified Information Systems Security Professional (CISSP) - Desirable
b. Certified Authorization Professional (CAP) - Desirable
c. Certified Secure Software Lifecycle Professional (CSSLP) - Desirable
2. Has direct experience with any of the following Certification and Accreditation (C&A) programs/processes listed below or a comparable program as an Information Systems Security Officer (ISSO), Information Systems Security Representative (ISSR), application software developer, or database administrator:
a. National Information Assurance Certification and Accreditation Process (NIACAP) - Desirable
b. Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) - Desirable
c. Systems Security Certification and Accreditation (C&A) within the Defense Logistics Agency (DLA) for Defense-in-Depth - Desirable
d. Certification and Accreditation Process for Certifiers—Defense Information Systems Agency (DISA) - Desirable
3. Has familiarity with the following information security functional areas:
a. Government and industry best practices - Mandatory
b. Assessment of sensitivity and criticality - Mandatory
c. Configuration and change control - Mandatory
d. Risk assessment methodology - Mandatory
e. Secure software development - Desirable
f. Security code review standards - Desirable
g. Business continuity management - Mandatory
h. Hardware security - Desirable
i. Software security - Mandatory
j. Network security - Desirable
k. Perimeter protection - Desirable
l. Connectivity management - Desirable
m. Remote access management - Desirable
n. Ongoing testing of controls - Mandatory
o. Secure enclaves - Desirable
p. Virus and malicious code protection - Desirable
q. Intrusion detection and prevention - Desirable
r. Penetration testing - Desirable
s. Vulnerability scans and audit - Desirable
t. Certification and accreditation (C&A) - Mandatory
u. Incident management - Mandatory
v. Monitoring - Mandatory
w. Compliance - Mandatory
x. Defense in depth - Mandatory
y. Encryption - Desirable
4. Has familiarity with the following NIST Special Publications:
- 800-12, An Introduction to Computer Security: The NIST Handbook - Mandatory
- 800-13, Telecommunications Security Guidelines for Telecommunications Management Network - Desirable
- 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems - Mandatory
- 800-18, Guide for Developing Security Plans for Information Technology Systems - Mandatory
- 800-21, Guideline for Implementing Cryptography in the Federal Government - Desirable
- 800-25, Federal Agency Use of Public Key Technology for Digital Signature and Authentication - Desirable
- 800-28, Guidelines on Active Content and Mobile Code - Desirable
- 800-30, Risk Management Guide for Information Technology Systems - Mandatory
- 800-32, Introduction to Public Key Technology and the Federal PKI Structure - Desirable
- 800-34, Contingency Planning Guide for Information Technology Systems - Mandatory
- 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems - Mandatory
- 800-39, Managing Risk from Information Systems—An Organizational Perspective - Mandatory
- 800-40, Creating a Patch and Vulnerability Management Program - Desirable
- 800-41, Guidelines on Firewalls and Firewall Policy - Desirable
- 800-44, Guidelines on Securing Public Web Servers - Desirable
- 800-45, Guide on Electronic Mail Security - Desirable
- 800-46, Security for Telecommuting and Broadband Communications - Desirable
- 800-47, Security Guide for Interconnecting Information Technology Systems - Desirable
- 800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks - Desirable
- 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme - Desirable
- 800-53, Recommended Security Controls for Federal Organizations and Information Systems - Mandatory
- 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations - Mandatory
- 800-57, Recommendation for Key Management—Part 1: General - Desirable
- 800-57, Recommendation for Key Management—Part 2: Best Practices for Key Management Organization - Desirable
- 800-57, Recommendation for Key Management—Part 3: Application-Specific Key Guidance - Desirable
- 800-60 Volume I, Guide for Mapping Types of Information and Information Systems to Security Categories - Desirable
- 800-60 Volume II, Appendixes to Guide for Mapping Types of Information and Information Systems to Security Categories - Desirable
- 800-61, Computer Security Incident Handling Guide - Mandatory
- 800-63, Electronic Authentication Guideline - Desirable
- 800-64, Security Considerations in the System Development Life Cycle - Mandatory
- 800-83, Guide to Malware Incident Prevention and Handling - Desirable
- 800-88, Guidelines for Media Sanitization - Desirable
- 800-92, Guide to Computer Security Log Management - Desirable
- 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) - Desirable
- 800-95, Guide to Secure Web Services - Mandatory
- 800-100, Information Security Handbook: A Guide for Managers - Mandatory
- 800-111, Guide to Storage Encryption Technologies for End User Devices - Desirable
- 800-114, User’s Guide to Securing External Devices for Telework and Remote Access - Desirable
- 800-115, Technical Guide to Information Security Testing and Assessment - Desirable
- 800-121, Guide to Bluetooth Security - Desirable
- 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) - Mandatory
- 800-123, Guide to General Server Security - Desirable
5. Has familiarity with the following NIST FIPS Publications:
- 180-3, Secure Hash Standard (SHS) - Desirable
- 186-2, Digital Signature Standard (DSS) - Desirable
- 190, Guideline for the Use of Advanced Authentication Technology Alternatives - Desirable
- 196, Entity Authentication using Public Key Cryptography - Desirable
- 197, Advanced Encryption Standard (AES) - Desirable
- 198, The Keyed-Hash Message Authentication Code (HMAC)
- 199, Standards for Security Categorization of Federal Information and Information Systems - Mandatory