Cape Fox is seeking a highly qualified Information Security Specialist/InfoSec Engineer to join our team in support of a government customer. The ideal candidate will have direct experience developing IT security policies, architectures, and standard operating procedures with a strategic perspective. Extensive knowledge of and practical experience with implementing standard methodologies used in the Risk Management Framework (RMF) process (Formerly referred to as Certification and Accreditation (C&A)). Expert-level knowledge and experience with National Institute of Standards and Technology (NIST) guidelines and industry best practices for: Risk Assessment and Management, Vulnerability Analysis, Contingency Planning, Disaster Recovery, Configuration Management, Security Assessments and developing Mitigation Plans. This position is contingent upon award.

• Provide multi-disciplined security administrative and technical security support to the organization; areas of responsibility include Physical, Computer, Personnel, Information, Administrative, Operational, and Communications Security analysis, assessment, and reporting
• Provide recommendations to organizational stakeholders for the integration of security processes and compliance with Federal regulations and Departmental policy
• Direct security efforts to increase efficiencies and enforce a global security mindset
• Provide strategic guidance for the further development of the security program
• Develop policies and procedures supporting regulations, directives, and Departmental policy
• Assist senior management with establishing a plan of action for the remediation of weaknesses
• Provide direct information assurance guidance pertaining to the development and modification of information systems and industrial control systems
• Provide strategic insight and continuous support for the integration of the system development life cycle
• Provide recommendations concerning new and existing projects and assist project managers with security oversight
• Coordinate with representatives and Subject Matter Experts (SME) from other Federal Agencies and commercial organizations to maintain awareness of upcoming changes to regulations and technologies
• Develop Risk Assessments in accordance with NIST guidance and deliver risk analysis and guidance as needed to organizational leadership
• Work with and be supported by NPS security personnel to perform the following tasks:
  • Responsible for the mapping and implementation of the necessary defined security controls as they relate to the NPS infrastructure on NPS owned devices in accordance with government identified General Support Systems (GSS) and Subsystems
  • Develop, implement, and maintain security related documents to include:
    • System Security Plans (SSP)
    • Risk Assessments
    • Risk Acceptance documentation
    • Security Impact Analyses
    • Contingency Plans
    • Incident Response Plans
    • Plan of Actions & Milestones (POA&M)
    • Independent Security Assessment (ISA)
    • Memorandum of Understanding (MOU)
    • Service Level Agreements (SLA)
    • Assessment & Authorizations (A&A)
• Provide input to auditors, to include providing artifacts to support current configurations
• Assess existing systems, applications, and tools, in addition to existing security processes for security implications and recommend improvements to strengthen security posture based on assessment
• Conduct continuous monitoring to include maintenance of current ATO, monitoring compliance, conducting assessments, conducting periodic scans, auditing events and review of audit logs, and ensuring media is properly secured before transit or sanitized before disposal
• Provide recommendations to the NPS on methods to minimize security impacts of new requirements, technologies in accordance with policies, federal laws, and mandates
• Coordinate and facilitate meetings and regular interaction with System Owner, NPS IT Security personnel, data center personnel, change control board personnel, and data center end users providing technical and non-technical security-based expertise, guidance, and documentation
• Develop, communicate, and enforce security policies, procedures, and safeguards for all systems and staff, based upon Data Center and other government standards

• Minimum Education Experience:
  • Bachelor’s Degree and six (6) years’ relevant experience

OR

• Master’s Degree and five (5) years’ relevant experience

OR

• Eight (8) years’ relevant experience
• Industry-recognized technical certification accepted in lieu of one year experience
• Minimum of four (4) years’ direct full-time experience conducting security assessments and developing all deliverables within a system authorization package
• Must have detailed and extensive experience with implementing, evaluating, and documenting all technical, management, and operational security controls as defined by the NIST SP 800-53 (as amended)
• Direct experience developing IT security policies, architectures, and standard operating procedures with a strategic perspective
• Extensive knowledge of and practical experience with implementing standard methodologies used in the Risk Management Framework (RMF) process (Formerly referred to as Certification and Accreditation (C&A))
• Expert-level knowledge and experience with National Institute of Standards and Technology (NIST) guidelines and industry best practices for: risk assessment and management, vulnerability analysis, contingency planning, disaster recovery, configuration management, security assessments and developing mitigation plans
• Extensive knowledge and experience in delivering security administration support to the data center which includes incident reporting, planning, standards compliance, platform configuration management, cyber security vulnerability tracking (to include coordinating with customers and creating artifacts showing compliance), and the secure user access and management processes for the NPS Enterprise Data Centers
• Experience creating and submitting an Assessment & Authorizations (A&A) package and all related documents
• Knowledge of hybrid (on-premises and cloud) data center environments to include evaluation and guidance on security control implementation on network, storage, server (Windows, Linux, Oracle), and platform (Microsoft Hyper-V and Azure preferred)
• Required to pass a Moderate Background Investigation (MBI) prior to starting work
• Must have authorization to work in the United States as defined by the Immigration Reform Act of 1986