Zolon Tech
Qualifications
At least five years of experience performing the functions associated with this labor category.
Experience performing control assessments as part of a team in accordance with applicable NIST standards (NIST 800-53, Rev 5, or newer version, as applicable).
Experience preparing control assessment plans, executing technical and non-technical assessment actions, evaluating the risk associated with areas of deficiency, and documenting detailed findings and executive-level summaries of assessment results.
Experience briefing stakeholders on key findings, recommendations, risks, and impacts.
Experience providing direct support of information security compliance activities, including managing plans of actions and milestones (POA&Ms) and inventories of information systems.
Capabilities
The Board's Assessment and Authorization (A&A) program operates in alignment with the NIST Risk Management Framework (RMF) as outlined in the current release of NIST SP 800-37. The objective of the Control Assessment task is to provide security subject matter expertise to develop A&A methodologies, maintain accurate assessment schedules, and conduct control assessment activities for newly developed or acquired information systems, as well as for systems and common controls in ongoing authorization.
Assessment Methodology
Develop a methodology for conducting control assessments for software-as-a-service (SaaS) solutions operated by a vendor on behalf of the Board that have not received FedRAMP authorization, and for assessing external organizations and systems that process, store, or transmit Board information.
Align those assessment methodologies with principles set forth in FISMA, OMB, and NIST standards and publications, and consider efficient and cost-effective means of assessment to allow Board senior leaders and stakeholders to make risk-based authorization decisions.
Planning and Scheduling
Develop and maintain a Master Assessment Schedule that tracks new information systems that require full control assessments and existing information systems and common controls under ongoing authorization that are in the continuous monitoring phase of the RMF.
Develop the Master Assessment Schedule such that it adjusts estimated completion dates in real time to account for unplanned assessments, changes in prioritization, delays, or changes in resource availability. Enable Board security staff to provide stakeholders with estimated completion dates for all scheduled A&As at any given time.
Control Tailoring and Overlays
Review and update Control Overlays that define and justify the applicable security and privacy controls for information systems with common characteristics, such as internally developed web applications, FedRAMP authorized SaaS solutions, etc.
Control Assessment Plans
Based on the receipt and review of artifacts provided by system owners or support staff, which may include, but are not limited to, FIPS-199 Categorization Memos, System Security and Privacy Plans (SSPPs), Contingency Plans, etc., develop control assessment plans (CAPs) for each system, service, or common control provider to be assessed that include, at minimum:
The assessment methodology to be followed.
The objectives and scope of the assessment, the points of contact, and the control assessment team members.
Any recommended changes to, or questions related to, the system control baseline.
Controls to be assessed and the assessment procedure for each control.
Tasks to be accomplished, dependencies, time allocated per task, and resources allocated for each task.
The CAP shall identify all system access, demonstrations, interviews, or other accommodations needed by the assessment team prior to control assessments.
CAPs for systems and common controls in ongoing authorization shall ensure that all applicable controls are assessed within a three-year cycle.
Control Assessments
Ensure that control assessors maintain independence and avoid potential or perceived conflicts of interest with respect to the control assessments.
Work with system owners, support teams, developers, vendors, and other stakeholders as necessary to conduct control assessments for all security and privacy controls described in the CAP. Control assessments shall be conducted in accordance with NIST SP 800-53A (current version) or NIST SP 800-171A (current version) guidance, and will include assessments of technical, operational, and management controls.
Document the results of each control assessed, to include the outcome of the assessment and the artifacts or evidence evaluated to support the assessment result. Include in each control assessment a review of control selections for each system or common control provider, validating control inheritance decisions, and control overlays. Ensure that applicable controls are not omitted from SSPPs or Customer Controls.
Control Assessment Reports and Authorization Package Support
Support the finalization of the A&A package by providing a summary of the control assessment findings in a Control Assessment Report (CAR).
The CAR shall describe the risk associated with all findings resulting from the control assessment and recommendations for correcting any deficiencies. The CAR shall include a statement from the control assessor summarizing the overall risk to the Board of operating the system or service as it relates to the authorization to operate decision.
Participate in issue resolution discussions and authorization briefings to describe control deficiencies and necessary remedial actions to stakeholders and authorization officials.
Develop a post-authorization assessment process for internally developed systems intended to validate that specific controls verified in development or test environments carry over into production. Carry out the post-authorization review and include the results as an addendum to the CAR.
Control Monitoring - Impact Analysis
Complete Security Impact Analyses (SIAs) to determine the security impact associated with changes to Board information systems. Each SIA shall identify the risk associated with the change, identify any impacted security controls, and define applicable control assessment procedures to verify that impacted controls are still in place and operating as intended.
Control Monitoring - Ongoing Control Assessments
Assess a selected subset of the technical, management, and operational controls employed by the Board information systems and common control providers in accordance with the Board's continuous monitoring strategy.
Annually, develop a report to summarize the results of the control assessments of systems in ongoing authorization conducted throughout the fiscal year. This annual report shall identify any systemic risks, lessons learned, or recommendations based on the results of control assessments and A&A activities.
Certification
Certified Information Systems Security Professional (CISSP)
Certified Authorization Professional (CAP) preferred