Cloud Service Provider Common Control Analyst jobs in United States

ECS · 14 hours ago

Cloud Service Provider Common Control Analyst

ECS is a leading mid-sized provider of technology services to the United States Federal Government. They are seeking a Cloud Service Provider Common Control Analyst to support the Department of State, ensuring compliance with federal cybersecurity policies and executing common control tasks throughout the Risk Management Framework.

Artificial Intelligence (AI), Cloud Infrastructure, Compliance, Consulting, Cyber Security, Information Technology, Machine Learning, Security, Software
No H1B · Security Clearance Required · U.S. Citizen Only

Responsibilities

Review and update existing information security policy, standards, and procedures based on federal and departmental regulations
Perform independent security and privacy control assessments in support of Security Assessment & Authorization (SA&A)
Conduct assessments of existing and new FISMA systems, including subsystems in the respective system boundary, and communicate the results and potential implications of identified control weaknesses
Review and analyze Assessment & Authorization (A&A) packages, including System Security Plans (SSP), Risk Assessments, Information System Contingency Plans (ISCP), Back-up Standard Operating Procedures (SOP), Incident Response Plans (IRP), Configuration Management Plans (CMP), Hardware/Software lists, Network Diagrams, Data Flows, System Change Requests/Proposals, Vulnerability scan reports, test reports, and Plan of Actions & Milestones (POA&Ms) for completeness, accuracy, and document effectiveness of controls, plans and procedures implementation
Create and maintain test cases for security assessment testing and perform security testing at the control-requirement level for each unique component of each system (e.g., application, web application server, financial systems, database server/instance, operating systems, specialized appliances, network and infrastructure devices, and end-user devices (e.g., mobile phones, laptops, etc.))
Develop and execute a security and privacy assessment plan in accordance with the requirements of NIST SP 800-53A, as amended, for each security assessment project. SA&A activities shall include support for RMF steps 4-6
Document and provide findings and recommendations that are concise, system-specific, and actionable
Analyze security tool reports and determine residual risk or false positives from technical reports and artifacts before assigning findings

Qualification

Cybersecurity experience, Security control assessments, NIST SP 800-53, FedRAMP cloud environment, Risk-based documentation, Security Assessment & Authorization, Bachelor’s degree, Cloud technology AWS, Cloud technology Azure, Communication skills

Required

Ten (10+) years experience in the cybersecurity field
Three (3+) years of experience performing security control assessments in a FedRAMP cloud environment
Experience in planning assessments and serving as a senior member of a team of security control assessors
Experience in presenting control requirements and deficiencies to both technical and non-technical audiences
Experience performing detailed, full-scope technical security control testing for each of the component types, including development of security and privacy assessment plans, is required
Ability to analyze information system configurations and technical specifications against NIST SP 800-53 and other overlays
Possesses a strong understanding of the NIST Special Publication 800-53 security and privacy controls, the NIST Cybersecurity Framework and other information security and privacy laws and regulations
Experience with development and writing of risk-based documentation
Experience with Step 4 of the RMF process: Assessing Security Controls
Strong written and verbal communication skills
Strong communication ability across all levels of management
Bachelor's degree or higher in Computer Science, MIS/IT, Engineering, Information Security/IA, or a discipline related to the work requirement
ACTIVE Secret Clearance

Preferred

Five (5+) years experience directly related to security control evaluation and compliance with Federal RMF requirements
Two (2+) years of experience with the use of eGRC tools in a Federal environment
Experience performing Assessment and Authorization (A&A) activities, including risk assessments, Security Plans, Security Controls Assessments (SCA), Authorization document development and/or review
Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities
Experience with cloud technology offerings from AWS and Azure and assessing systems hosted within those environments
Experience performing assessment in accordance with the policies, procedures, and standards of the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the Department of State

Company

ECS is a fast-growing 4,000-person, $1.2B provider of advanced technology solutions for federal civilian, defense, intelligence, and commercial customers.

Funding

Current Stage: Late Stage
Total Funding: unknown
2018-01-31: Acquired
2015-04-10: Private Equity

Leadership Team

Keith McCloskey, VP / Chief Technology Officer
Ryan Garner, Chief Financial Officer
Company data provided by crunchbase