You Are:

The Security Controls Assessor will work in the Information Security Delivery Risk & Compliance team in the CISO organization. This role focuses on conducting comprehensive assessment of management, operational, and technical security controls and control enhancements as defined in NIST SP 800-171 and employed by AFS client delivery project teams. 

A strong understanding of cloud computing (SaaS, PaaS, and IaaS) and application security fundamentals, end-to-end security compliance, and risk management principles, practices, and methods is desired.

The Work:

• Review and understand information system security compliance, including system connectivity (administrative, technical and organizational factors) and develop risk management alternatives for securing environment requirements based on understanding of the application and environments.
• Build relationships and work with the project teams to identify, document, and evaluate the security controls following the NIST RMF and SDLC methodologies.
• Apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Here's What You Need:

• U.S. Citizenship required.
• 3 years demonstrated experience with Risk Management Framework (RMF) practices and policies, particularly FISMA/FedRAMP and NIST SP 800-53 (ISO 27001 considered)
• 3 years of experience performing system analysis, system audits, system monitoring, security control assessment/testing (or ST&E), risk management, incident response.
• 3 years of experience with Federal Assessment and Authorization (A&A)
• Experience in IT security, including Assessment and Authorization (A&A) and IT security risk analysis/advice, preferably in support of Federal, Civilian, or DoD.
• Understand different information categories (e.g. CUI, PHI, PII, agency-sensitive) required data handling, and data protection requirements.
• Working knowledge of secure coding, application and/or cloud security best practices
• Working knowledge of secure configuration and vulnerability management and best practices

Bonus Points if you have:

• Certifications: Security , CISM, GSLC, or CISSP
• Experience with auditing the security aspects of various operating systems and with certifying compliance of various platforms.
• Experience with the preparation of Assessment and Authorization (A&A) documents (e.g. SSP) and procedures in accordance with Risk Management Framework (RMF), and assuring systems compliance with all required security controls.
• Familiarity with different technology architectures/platforms, threats associated with technologies, and what to do to protect against those threats.
• Understand cloud computing (SaaS, PaaS, and IaaS) fundamentals, end-to-end security compliance and risk management principles, practices, and methods.