Job Description
Evolver Federal is looking for an Information System Security Officer (ISSO)/Security Tester to join our team in support of our federal health IT customer. The Information System Security Officer (ISSO)/Security Tester supports all Risk Management Framework (RMF) activities including the process managing security and privacy risk, including information system categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. This person also supports the security activities associated with evaluating, implementing, managing security practices and continued operations of new and existing technologies across the Program. This person will work closely with IT teams, developers, and CMS stakeholders to maintain a secure, compliant, and operational CMS that effectively protects organizational data. Responsibilities: • Risk Management Framework (RMF) Activities: Support all activities as outlined in the NIST SP 800-37, Risk Management Framework for Information Systems and Organizations. This includes the process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. • Security Authorization Documentation: Initial development and, at least, annual reviews/updates of the FIPS 199, e-Authentication, Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA), Security Plan (SP), Contingency Plan (CP), and Contingency Plan Test (CPT), Interconnection Security Agreement (ISAs) and Memorandum of Agreement/Understanding (MOA/Us) and any other FISMA related security documentation. • Security Control Assessment Response: Support all assessment activities by responding to interview questions as well as working with the system teams to gather appropriate evidence as directed by the CMS Security Team. • Change Management: Review all change requests for potential impact to the system security posture. • Continuous Monitoring: Conduct audit log and account management reviews, and update the Control Allocation Table and Trigger Accountability Log. • Configuration/Patch/Vulnerability Management: Review scan results for the system assets, identify the respective remediation's for misconfigurations and weaknesses, and work with the system team to ensure timely implementation of fix. • Incident Response: Work with the CMS Security Team and system teams to investigate and analyze any incidents affecting assigned system(s). • Pipeline Engineering: Seamlessly integrate Snyk and TruffleHog into Jenkins CI to provide "shift-left" security feedback to developers. • Vulnerability Management: Triaging and prioritizing findings from Fortify and Burp Suite, working directly with engineering teams to provide remediation guidance. • Security Advocacy: Act as the subject matter expert for the security toolchain, conducting training sessions for developers on how to interpret scan results. • Have the ability to apply a comprehensive knowledge across key tasks and high impact assignments • Evaluate performance results and recommend major changes affecting short-term project growth and success • Function as a technical expert across multiple project assignments • Work on high priority ad-hoc request such as data calls, Senior Management Initiatives (CIO, CISO, etc.), CMS mandates, etc Basic Qualifications: • 3 years of specialized experience in one of the following positions: Information Systems Security Officer, Information Systems Security Engineer, Information Systems Security Auditor, or Information Systems Security Manager • 3 years of experience with analyzing, assessing and implementing corrective actions based on vulnerability management tools • 3 years of experience with leading projects, technical writing, administrative tasks, and conducting briefings • 3 years of experience working with NIST SP 800-53, RMF, FISMA, CMS policies • 3 years of experience with Static Analysis (SAST) configuring and scaling Fortify for deep-source code analysis, including custom rule tuning to reduce false positives. • 3 years of experience of Secret Detection, implementing and managing TruffleHog within CI/CD pipelines to prevent credential leakage and manage historical secret remediation. • 3 years of experience with Software Composition Analysis (SCA), utilizing Snyk to monitor and gate third-party dependency vulnerabilities, ensuring a secure Software Supply Chain. • 3 years of experience with Dynamic Testing (DAST) with Burp Suite Professional or Enterprise for manual penetration testing and automated web vulnerability scanning. • Must have and maintain at least one (1) active certification such as CASP, GSEC, GSLC, CISSP, CEH, CISM, and CISA, or other comparable certification which must be approved in advance by our customer. Proof of certification is required. • US Citizen or Permanent Resident required, and all applicants shall
Apply tot his job
Apply To this Job