Security Business Analyst - Senior Level
Tantus Technologies, Inc.
Location
Bethesda, MD | United States
Job description
In anticipation of an award, Tantus Technologies, Inc. - recognized by the Washington Post as a Top Workplace - is seeking a Security Business Analyst - Senior Level to provide security control assessment and Risk Management Framework (RMF) support for a Federal client's information systems. You will need thorough knowledge and understanding of the Federal Information Security Management Act (FISMA), including the NIST 800 series Special Publications (SP), FedRAMP, and Federal Information Processing Standards (FIPS) guidelines and regulations. This position has a heavy focus on Security Assessment & Authorization (A&A) assessments.
*Hybrid role: Two days a week onsite in Bethesda, MD*
*U.S. citizenship required; must be eligible to obtain a Public Trust clearance.*
Responsibilities
- Develop and maintain Information System Security policies, standards, tools and processes based on the Risk Management Framework and NIST guidance (such as NIST SP 800-53, Revision 4).
- Create and maintain a security document repository in the Agency GRC tool using pre-approved templates (e.g., the System Security Plan (SSP)) in order to comply with Agency requirements for an Authority to Operate (ATO).
- Ensure a Continuous Diagnostics and Mitigation (CDM) Program is implemented within the client environment that is compliant with Federal standards and Agency requirements
- Assist in the creation of Incident Handling Procedures, Web Application Security Standards, Secure Coding Standards, Security Program Compliance and Audit Procedures, Change Management and Configuration Management procedures, and an InfoSec Handbook for the Program.
- Assist the NIGMS ISSO and requirements analysts in developing standard SP 800-53 Rev 5 control implementations and security requirements, to be made available to all developers and operations staff at the beginning of each project. Standardized controls will be documented in a control dictionary with standard test cases and comprehensive compliance descriptions. The goal is a consistent process across multiple auditors and multiple audits, and a standard set of security requirements that applies to development, application, and infrastructure.
- Develop an effective Plan of Action and Milestones (POA&M) management process.
- Ensure all NIGMS systems undergo a NIST based security/risk assessment and gain authorization to operate prior to moving to production.
- Document and create templates for a control selection process based on NIH's inheritance worksheet, identifying the assessment tier at which each control is assessed (GSS, Framework or System-Specific level). Document the conditionals for control selection and the standardized interview, examine and test activities per control.
- Work with Requirements Analysts to get security controls defined into requirements for application and infrastructure development.
- Prepare RMF documentation that meets or exceeds NIH requirements and supports a repeatable process for applying security to NIGMS systems, implementing effective security controls and ensuring the success of independent assessments.
- Provide recommendations and guidance for corrective action for all non-compliant security controls.
- Facilitate project managers' understanding of and participation in SA&A with training and support material.
Requirements
- Bachelor's degree in Information Technology or a related field
- 5+ years of cyber security experience with thorough knowledge in one or more of: Contingency Plans, Risk Assessments, System Security Plans, Incident Response Plans, NIST 800-53, assessing 800-53 controls, FedRAMP, A&A, POA&Ms, the ATO process, and working knowledge of current security tools and technologies (heavy focus on Security Assessment & Authorization, A&A work)
- Experience using security reporting tools and automated vulnerability scanners
- Experience developing and updating security policies; strong communication and presentation skills required
- Strong understanding of network designs, protocols, and security related tools
- Required onsite two days a week in Bethesda, MD. Preference for candidates who reside within the National Capital Region (MD, VA, Washington, D.C.)
- Ability to design and conduct security control assessments
- Strong written and verbal communication skills
- Certified Authorization Professional (CAP) or equivalent infosec certification