Security Control Assessor (SCA)
Location: Columbia, MD
Shall be an experienced Cyber Security Professional with a minimum of six years' experience certifying information systems, developing policy, managing a Cyber Security program, and a working knowledge of the Cyber Security policies, directives, and instructions used within the Intelligence and DoD communities. Minimum certification will be IAM Level III.
Personnel providing Cyber Security related support must have a thorough understanding of systems, networks, and sites that operate under the cognizance of the DoDIIS Cyber Program and JSIG.
- Contractors assigned must have extensive experience with risk assessment technologies including analyses of the adequacy of implemented security features and research and analysis of security technology.
- Must have extensive experience in conducting security testing including actual experience as a Test Director with responsibility for recommending accreditation decisions.
- Must be proficient in the use of Visio or other drawing software and have extensive experience in the generation of functional, logical, and physical diagrams, from high-level depictions to extremely detailed diagrams of networks and site information technology architectures.
- Must have extensive direct experience with policies, processes, and methodologies applicable to the DoDIIS program and the application of the RMF.
- Must have excellent communication skills, both oral and written, to support considerable interface within and outside areas of responsibility (development of documents, participation in coordination of meetings and site visits, presenting briefings, etc.).
- Must have knowledge of project management fundamentals and processes, and basic skills in the use of PM-associated products/tools.
- Experience in applying the Risk Management Framework is desired.
- Project Management Professional (PMP) certification and/or PM education and background are desired for the project lead of this contract.
- Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
- Knowledge of host/network access controls (e.g., access control list).
- Knowledge of incident response and handling methodologies.
- Knowledge of intrusion detection methodologies and techniques for detecting host- and network-based intrusions via intrusion detection technologies.
- Knowledge of network protocols (e.g., Transmission Control Protocol and Internet Protocol [TCP/IP], Dynamic Host Configuration Protocol [DHCP]) and directory services (e.g., Domain Name System [DNS]).
- Knowledge of network traffic analysis methods.
- Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol and Internet Protocol [TCP/IP], Open Systems Interconnection model [OSI], Information Technology Infrastructure Library, v3 [ITIL]).
- Knowledge of penetration testing principles, tools, and techniques (e.g., Metasploit, neosploit).
- Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- Knowledge of information technology supply chain security/risk management policies, requirements, and procedures.
TOP SECRET/SCI CLEARANCE REQUIRED