The selected candidate shall perform analysis of applicable Cybersecurity directives, policies and instructions. The contractor shall also maintain cognizance of, and comply with Communications Task Orders (CTOs), Information Assurance Vulnerability Management (IAVM), Fragmentary/Task/Operation Orders (FRAG/TASK/OPORDs), Public Key Infrastructure (PKI) guidance, and STIG requirements. The candidate shall make recommendations to the government regarding strategies to meet the established compliance objectives, and determine the impact compliance with these directives will have on the security and operability of the SRDT&E network. Shall track and report compliance status in the Vulnerability Remediation Asset Manager (VRAM), Continuous Monitoring Risk Scoring (CMRS), and similar reporting tools as applicable.

The selected candidate shall perform testing and analysis of Information Assurance (IA) controls and secure configuration using tools to include, but not limited to the Assured Compliance Assessment Solution (ACAS), Endpoint Security Solutions (ESS), STIG Viewer, Security Content Automation Protocol (SCAP), and Compliance Checker. The candidate shall conduct continuing requirement analysis to identify and recommend implementation of new or different tools as the threat landscape changes.

The selected candidate shall provide IA engineering and support Risk Management Framework (RMF) authorization efforts for the SRDT&E network and locally developed government software tools. Shall conduct and evaluate threat, vulnerability and risk analysis of developing systems. Shall conduct continuous monitoring efforts for SRDT&E network connected systems utilizing ACAS, ESS, logging, event and asset aggregation tools to support IT Management’s implementation of the overall IA program.

Using government directed processes, the selected candidate shall enforce the compliance quarantine process for removing non-compliant systems from the network and make remediation/mitigation recommendations. Shall prepare for inspections and audits, to include, but not limited to: Inspector General audits, Command Cyber inspections, Blue Team exercises, and Cyber Protection Team reviews. The contractor shall analyze inspection criteria and develop documents and artifacts, aggregating inspection discrepancies, testing IA controls, creating executive briefings, recommending corrective actions and mitigations, and other actions required by the government.

The selected candidate shall support the port exception process. Shall maintain the external Ports, Protocols, and Services Management (PPSM) registry and coordinate any requests for deviations or exceptions to the Navy PPSM office. Continue to analyze scan results, STIG checklists, system design drawings, the PPSM Category Assurance List (CAL) and any other available relevant security artifacts in order to make risk assessment and mitigation recommendations to the government. They shall be the primary point of contact between the STCCBs and technical customers requesting exceptions to firewall policy and other proposed changes with the potential to affect the security of the network.