
SECURITY CONTROL ASSESSOR (SCA)

Navy Exchange Service Command, Virginia Beach, VA, United States


Job Description - SECURITY CONTROL ASSESSOR (SCA) (260001BU)


Job Number
260001BU

Primary Location
N/A

Organization
NEXCOMHQ

Pay Range
$90,925 to $116,717 based upon experience

Job Summary
The Security Control Assessor (SCA) oversees the NEXCOM NAF IT cybersecurity risk assessment process, which determines aggregate cybersecurity risk in support of an authorization decision.

Duties and Responsibilities
Incumbents of this position must be U.S. Citizens.

Responsibilities include:

Provides NEXCOM cybersecurity support by performing full package analysis of all IT systems, as defined by the Navy Risk Management Framework (RMF) guide.

Assists in the development of risk assessment requirements and participates in the execution of RMF assessment processes for authorization of systems to the Navy Exchange enterprise network, ensuring that system hardware and software adheres to security standards that minimize risk to the Navy Exchange enterprise from cyber security threats based on the POA&M and other supporting documentation.

Participates in the development and maintenance of Navy Exchange cyber defense architectures, processes, standards, specifications, cyber threat profiles and enterprise risk assessments.

Independently and impartially assesses and quantifies aggregate cybersecurity risk using metrics consistent with DON guidance, covering both inherent system residual risks and system accessibility related risks, in support of the Risk Management Program (RMP).

Produces the risk determination using the security assessment plan (SAP) and makes a recommendation regarding system authorization.

Provides review and analysis of FedRAMP, PCI, and other third party package authorizations for reciprocity and use within the NEXCOM organization.

Provides initial concurrence on the SAP, ensuring all appropriate security controls will be assessed for compliance.

Supports NEXCOM’s NAF IT continuous monitoring requirements. Determines and documents compliance with the assigned security controls.

Actively works with the Cybersecurity Compliance Assessor and Validator and the program management office to provide support and guidance throughout the RMF cybersecurity assessment and lifecycle.

Represents the system during DoD and DON cybersecurity inspections, responding to information requests and addressing identified findings.

Provides RMF/RMP Subject Matter Expert (SME) guidance on the following: understanding of the RMF/RMP risk assessment process; knowledge of the implementation and applicability of security controls; use of appropriate test procedures, tools and mitigation measures; understanding of policies and their effects on the risk of a system; review and assessment of individual vulnerabilities in the POA&M.

Keeps supervisors up to date on all assignments.

Performs other related duties as assigned.

Certifications Required
The SECNAV M-5239.2, DoN Information Assurance (IA) Workforce Manual, requires incumbents to possess and maintain two types of current certifications:

IA Certification: Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), CompTIA Advanced Security Practitioner (CASP+), GIAC Security Leadership Certification (GSLC).

Technical Certification: Operating System/Computing Environment (OS/CE) certificate of training as dictated by Supervisor and approved by Command Cyber IT/CSWF-PM.

Candidates are required to sign a Privileged Access Agreement.

Candidates without the required certification may be placed into this job but must obtain the required certification within six months of appointment; failure to obtain it will result in termination of employment.

Experience
M-5239.2 requirement: a total of 8 years of experience, consisting of 3 years of general experience in security, technical or investigative work and 5 years of specialized experience demonstrated in at least two of the following:

Risk management validation

IT security compliance and reporting

Technical risk analysis

Authorization and accreditation

Additionally, experience in the performance of:

System Security Assurance: ensuring entire systems meet security requirements, function securely, and undergo comprehensive testing for overall security assurance.

Security Assessments: conducting security assessments and developing Security Assessment Plans (SAPs).

Technical Understanding: interpreting network diagrams, vulnerability scans, and compliance scans.

Security Documentation: creating and maintaining various security documents, including Security Assessment Plans.

Risk Management Framework: conducting security control assessments following a Risk Management Framework approach, along with conducting risk assessments and developing security assessment reports.

In addition, in-depth knowledge of NIST 800-53, risk mitigation strategies for computer operating systems, networks, or cloud services, and security controls and compliance frameworks is required.

Education/Qualifications
One year of related academic study above high school level may be substituted for 9 months of experience, up to a maximum of a four-year bachelor’s degree in IT security or computer information systems for the required general experience. One year of related academic study may be substituted for 3 years of general experience.

Security Clearance and Investigations
The position is designated in accordance with SECNAV M-5510.30 and requires a favorable Single Scope Background Investigation (SSBI). Candidates must be eligible for and obtain a Top Secret clearance within six months of appointment; failure to obtain it will result in termination.

EEO
Incumbents of this position must be U.S. Citizens.
