Company Overview TestPros is a successful and growing business, established in 1988 to provide Information Technology (IT) technical support services to a wide range of Commercial and U.S. Federal, State, and Local Government customers. Our capabilities include Program Management, Program Oversight, Process Audit, Intelligence Analysis, Cyber Security, NIST SP 800-171 Assessment and Compliance, Computer Forensics, Software Assurance, Software Testing, Test Automation, Section 508 and WCAG Accessibility Assessment, Localization Testing, Independent Verification and Validation (IV&V), Quality Assurance (QA), Compliance, and Research and Development (R&D) services.TestPros is an Equal Opportunity Employer. TestPros delivers innovative independent IT assessment solutions to critical challenges facing the nation and the world. We support the U.S. Federal Government and Commercial clients within the continental USA.TestPros is dedicated to making lives better, safer and more secure. Job Summary TestPros is seeking a Cyber Vulnerability Assessment Analyst SME to support a Federal cyber security program. Position: Full-time Citizenship: U.S. Citizenship Job Title: Location: Arlington, VA (or Pensacola, FL) and Remote Security Clearance: Top Secret SCI Project overview:POA&M ManagementThe POA&M tracker lists mitigation and milestones with completion dates and serves to trackthe resolution of vulnerabilities and non-compliance with security controls identified duringassessments and at any point during the system's life cycle. The Contractor shall provide amechanism for vulnerability and POA&M management. The status must be updated on a weeklybasis. Recommendation for closure is based on changes made to the system to remediate issuesor to mitigate the risks with the necessaiy suppo1ting evidence presented for resolution. TheContractor shall prepare a detailed weekly status of all activities, including status of open/closedaction items, POA&M status/milestones, and any other pertinent data points as requested by theGovernment.Vulnerability lManagementThe Contractor shall perform management of technical and policy related findings as a result ofcompliance, vulnerability, and penetration testing and internal reviews. The Contractor mustmeet with product and service teams as required to track progress and serve as a security subjectmatter expe1t on issues requiring clarification and resolution. The Contractor shall provideguidance to ensure vulnerabilities are prioritized, fixed, mitigated, or risk accepted. TheContractor shall deliver remediation tracking for all outstanding issues using an automatedprocess to manage results, trending, and report. Risk mitigation strategies, recommendations, andapplicable security controls must be documented and must include cost effective solutions thatsuppot mission goals.Security Review of System ChangesThe Contractor shall review change requests to ensure the proposed changes are in accordancewith all security requirements in effect at the time of the change request. The contractor mustprovide a recommendation to the Government as to whether the change request should beapproved, approved with certain conditions, or disapproved citing the reason for disapproval.The Contractor shall maintain a reposito1y where eve1y change request is stored along with theanalysis performed by the contract for each change request. The Contractor shall also caphll"eand store pe1tinent a1tifacts for each change request in a location commensurate with theclassification level of the artifacts. The Contractor shall prepare a detailed weekly status of allactivities, including status of change requests, open/closed action items, and any other pe1tinentdata points as request by the Government.Comprehensive Security Technical DocumentationActivities related to managing organizational and program risk are paramount to an effectiveinformation security program especially for complex information systems. The Contractor shallwork with the product and service teams throughout the RMF process. The Contractor shallperform reviews of the policies, procedures, and related documentation currently maintained byprogram staff to identify missing or outdated documentation. Subsequent reviews should beperformed on an annual basis at a minimum or as directed by the Government. In suppo1t of thisactivity, the Contractor shall develop and maintain documentation as required by securitycontrols outlined in NIST 800-53a which include the following: Program policies and common controls Standard Operating Procedures (SOPs)/Guides Program common controls Security artifacts and a1tifact templates, and Concept of Operations (CONOPS) Other security-related technical documentation as directed by the Government.The Contractor shall update the aforementioned processes, procedures, and other livingdocuments as needed and create new work products to fill identified gaps. The Contractor shallreview and provide guidance for documentation developed by the service and product teamsensuring that these work products are completed following NIST guidance, commercial bestpractices, and the applicable federal policies. The Contractor shall provide guidance to serviceand product teams for security information systems in accordance with CNSSI 1253, and NISTSP 800-30, 800-37, 800-39, 800-137. The Contractor shall review work products, includingsecurity artifacts to ensure that the target is secured/documented appropriately (i.e., inaccordance with CISA and DRS-defined security requirements) and that the documentationreflects and properly addresses CISA and DHS security requirements. In addition, the Contractorshall support service and product teams with the selection and tailoring of security controlsappropriate to the information system and the system's security objectives for confidentiality,integrity, and availability in accordance with NIST and CNSS guidance. The Contractor shallperform this iteratively throughout the system life cycle. The Government shall make the finaldetermination as to the work product that is considered acceptable.A scheme for storing and managing all documentation must be developed and/or maintainedunder this contract and, as appropriate, disseminated via mechanisms such as MicrosoftSharePoint. The tools and methods selected to perform this function must be approved by theCOR/GOV POC prior to implementation if different than the tools currently in use. Additional activities include ML Security Operations, Offensive Security, risk assessments, consistent communication, and detailed technical documentation. Responsibilities and Duties: The SME Cyber Vulnerability Assessment Analyst is responsible for leading penetration testing, developing advanced security scenarios and testing systems against those scenarios, developing advanced security architectures for the implementation of custom countermeasures, provides security considerations to advise system engineering teams with the objective to reduce errors, flaws, and weaknesses that may constitute security vulnerability, performing advanced code analysis, and performing advanced protocol analysis for nation-state and state-sponsored cyber threat actor capabilities.Required skills:
10+ years of proven experience as a Security Engineer with supervisory/leadership abilities to oversee large teams responsible for planning, analyzing, implementing, and maintaining many different projects.
This individual must have experience assessing security implementation of cloud and hybrid environments to include pipelines, applications and services
Experienceensuring an industry best practice implementation utilizing agile practices for scanning and end to end vulnerability remediation
Expert in all information security planning, compliance and risk management, manage teams, ensure they have appropriate skill sets, and tie the teams and results together;
experience inidentify vulnerabilities and understand and recommend countermeasures
Experience withanalyzing the network to determine if appropriate security is applied; possess and apply knowledge NIST RMF;
Developed and implemented test plans and ensure execution; and evaluates the costs and benefits of security functions and considerations from analysis of alternatives, engineering trade-offs and risk treatment decisions.
The SME Cyber Vulnerability Assessment Analyst requires an active clearance up to TS/SCI security clearance.
Preferred Qualifications and Skills
Agency experience (ideally DHS CISA)
Cyber program experience
SAFe and DevSecOps experience
.
Benefits
TestPros offers a competitive salary, medical/dental/vision insurance, life insurance, paid time off, paid holidays,401(k) retirement plan with company match, opportunities for professional growth, cell phone discounts, and much more! All benefits are per TestPros current policies and are subject to change without notice. Benefits are available to full-time employees.
TestPros, Inc. is an Equal Opportunity Employer.
EEO Statement
All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, sexual orientation, gender identity, marital status, age, national origin, protected veteran status, or disability. VEVRAA Federal Contractor.
Powered by JazzHR