Security Control Assessor
Location: Silver Spring, Maryland
Type of Work: Onsite
Work Schedule: 40 hours/week. Strict Core Hours: 7:30 AM – 4:30 PM EST.
Duration: 12 Months
Position Summar
yThe Security Control Assessor will perform an independent Federal Information Security Modernization Act (FISMA) assessment for information system. The role is responsible for evaluating security and privacy controls, reviewing authorization documentation, conducting technical and non-technical assessments, performing penetration testing activities, identifying security risks, and developing assessment deliverables that support Authorization to Operate (ATO) decisions
.Key Responsibilitie
- sConduct independent FISMA security and privacy control assessments in accordance with NIST, FISMA, DOC, requirements
- .Review System Security Plans (SSPs), POA&Ms, authorization packages, policies, procedures, and supporting artifacts
- .Develop Security Assessment Plans (SAPs) and Security Requirements Traceability Matrices (SRTMs)
- .Execute control assessments using Examine, Interview, and Test methodologies
- .Perform technical security validation and penetration testing activities
- .Assess Moderate-impact systems with High Value Asset (HVA) and Privacy overlays
- .Validate security control implementation and effectiveness
- .Review vulnerability scan results and evaluate associated risks
- .Document findings, recommendations, and risk determinations
- .Prepare Security Assessment Reports (SARs), Risk Assessment Reports (RARs), Assessment Findings Reports (AFRs), Penetration Testing Reports (PTRs), and Assessment Results Briefings (ARBs)
- .Present assessment results and recommendations to System Owners, ISSOs, and Authorizing Officials
- .Ensure all assessment activities comply with NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, NIST SP 800-37, FISMA, and NOAA cybersecurity requirements
.Required Qualification
- sMinimum 5 years of experience supporting cybersecurity assessments, compliance, or risk management activities
- .Minimum 5 years of experience working with NIST 800-series publications
- .Experience with FISMA, FIPS 200, Risk Management Framework (RMF), Privacy Act requirements, and Federal authorization processes
- .Experience conducting security control assessments and documenting assessment results
- .Experience preparing security assessment documentation and executive briefings
- .Strong analytical, technical writing, and communication skills
- .Ability to work independently and interact effectively with government stakeholders
.Required Certification
sCandidates must possess and maintain at least one of the following certifications
- :CISSP – Certified Information Systems Security Professiona
- lCGRC – Certified in Governance, Risk and Complianc
- eCISA – Certified Information Systems Audito
- rCEH – Certified Ethical Hacke
- rGCIH – GIAC Certified Incident Handle
- rGSNA – GIAC Systems and Network Audito
rPreferred Qualification
- sExperience conducting FISMA assessments for Moderate and High impact systems
- .Experience with FedRAMP and cloud security assessments
- .Experience assessing High Value Assets (HVAs)
- .Experience performing penetration testing and vulnerability assessments
- .Experience developing SARs, SRTMs, RARs, AFRs, and ATO package documentation
.Educatio
nBachelor’s degree in Cybersecurity, Information Technology, Computer Science, Information Systems, or a related field. Relevant experience may be considered in lieu of a degree
.