Peraton
Basic Qualifications
0 years with BS/BA; 4 years no degree Certifications: Certified Authorization Professional (CAP) OR meets current DCWF qualification requirements DCWF Code: 722 - Advanced: Certified Information Security Manager (CISM) or Certified Information Systems Security Officer (CISSO) or Certified Information Systems Security Professional (CISSP) or Federal IT Security Professional-Manager-NG (FITSP-M) or GIAC Certified Incident Handler (GCIH) or GIAC Certified Intrusion Analyst (GCIA) or GIAC Cloud Security Automation (GCSA) or GIAC Global Industrial Cyber Security Professional (GICSP) or GIAC Security Essentials Certification (GSEC) or GIAC Security Leadership Certification (GSLC) or Information Systems Security Management Professional (ISSMP). AND DCWF code 531 Intermediate: Certified Cloud Security Professional (CCSP) or Certified Ethical Hacker (CEH) or Cisco Certified CyberOps Associate or CompTIA Cloud+ or CompTIA PenTest+ or CompTIA Security+ or Federal IT Security Professional-Operator-NG (FITSP-O) or GIAC Certified Enterprise Defender (GCED) or GIAC Information Security Fundamentals (GISF). Experience collecting and analyzing event information and performing threat or target analysis. Experience supporting operations related to persistent monitoring on a 24/7 basis of all designated networks, enclaves, and systems. Demonstrated competence in managing and executing first-level responses and addressing reported or detected incidents. Comfort level with reporting to and coordinating with external organizations and authorities. Background in coordinating and distributing directives, vulnerability, and threat advisories to identified consumers. U.S. citizenship required. Possess a Secret security clearance with the ability to qualify for a Top Secret with SCI Security Clearance. Ability to work shift hours. Secure Division Support — CSSP Roles and DoDIN Operations
The GCC provides CSSP responsibilities and conducts DODIN Operations and DCO – Internal Defensive Measures (IDM) to protect the DODIN in accordance with the DoDM 8530.01 and the DoD Cybersecurity Services Evaluator Scoring Metrics (ESM). Responsibilities are organized into five CSSP functions: Identify, Protect, Detect, Respond, and Recover. GCC conducts these functions for its assigned portion of the DODIN for both unclassified and classified networks/systems. The division provides support services for the protection, monitoring, analysis, detection, and response to unauthorized activity within the DoD Information Systems and Networks. DCO-IDM services defend against unauthorized activity on all Army assets residing on the NIPRNet and SIPRNet. The division provides defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction. The division provides sensor management and event analysis and response for network and host-based events. For sensor management, the division manages in-line Network Intrusion Protection System/Network Intrusion Detection System (NIPS/NIDS) sensors monitoring all CONUS DoDIN-A NIPRNet and SIPRNet Enterprise traffic to detect sensor outages and activities that threaten confidentiality, integrity, or availability. In coordination with GCC Operations, DCO initiates defensive security procedures upon detection of these attacks. Event analysis and response includes processes to reduce multiple cyber incidents to actual malicious threat determinations and mitigate those threats in accordance with guidance from GCC leadership. Support the Government in providing CSSP services on both the NIPRNet and SIPRNet in accordance with Appendix E: Secure Division Workload Assessment in support of the CONUS portion of the DoDIN-A. Develop reports and products, both current and long-term, in support of CSSP and course of action development. Prepare Tactics, Techniques, and Procedures (TTPs), SOPs, Executive Summaries (EXSUMS), trip reports, and information/point papers. Contribute to the preparation of agreements, policy, and guidance documents such as Memorandums of Understanding / Agreement (MOU/A), Service Level Agreements (SLA). • Cyber Defense Operations (CDO) Support. Provide sufficient staffing to maintain on-site capability in compliance with the PWS. Place of Work and Work Hours to work directly with GCC Operations personnel in conducting initial triage/cyber incident analysis, review correlated events, system/device logs, and SIEM event data to determine and recommend/take immediate DCO-IDM response actions. Immediate response actions can include submission of a cyber-incident response ticket, categorization of the incident as per CJCSM 6510, and/or notifying DCO/ARCYBER/Higher Headquarters as required by CCIR reporting requirements. All other CDO operations must have on-call capability to respond to cyber incidents as directed by policy or Government direction. • Incident Analysis and Mitigation. Provide incident analysis and mitigation support by conducting incident analysis and recommending mitigation measures in response to general or specific Advanced Persistent Threats (APT), attempted exploits/attacks, or malware delivery on Army networks. • Block/deny access by hostile sites or restrict access by specific ports/protocols and/or applications. Provide recommendations to the supporting operations and maintenance organization to take necessary action where the CSSP-D division does not control the sensor grid. Provide justification of IDMs and/or operational impact to a Configuration Control Board (CCB) and/or Authorizing Official (AO) for mitigation action (IDM) approval. If appropriate, coordinate a Network Damage Assessment (NDA), Network Assistance Visit (NAVs), or other CDAP missions. • Monitor all sensors and agents managed by the GCC for security event analysis and response and maintain/update the triage database with current threat data and response methods in real-time, with follow-up within 72 hours of last response. Respond to detected events, ensure proper handling of the associated trouble ticket (TT), and process events according to TTPs. • Provide all initial cyber incident reports to Law Enforcement and Counterintelligence (LE/CI) agencies and maintain an up-to-date POC list for LE/CI agencies as routinely provided by the Major Cybercrimes Unit (MCU) and Cyber Counterintelligence agencies. In case of an active investigation, LE/CI agencies will provide a written request that includes the official case number, specific data logs, and other required information in accordance with local TTPs. Provide data and analysis in response to LE/CI requests as required by CSSP-D TTPs. Provide all initial cyber incident investigation reports to LE/CI and maintain a Master Station Log (MSL) to document high-visibility cyber incidents, defined as events identified in an ARCYBER Task Order, Named Operation, or Category 1 (CAT1). The MSL must be available for Government inspection at any time to ensure accurate tracking and reporting to GCC Leadership and Operations.
#J-18808-Ljbffr
0 years with BS/BA; 4 years no degree Certifications: Certified Authorization Professional (CAP) OR meets current DCWF qualification requirements DCWF Code: 722 - Advanced: Certified Information Security Manager (CISM) or Certified Information Systems Security Officer (CISSO) or Certified Information Systems Security Professional (CISSP) or Federal IT Security Professional-Manager-NG (FITSP-M) or GIAC Certified Incident Handler (GCIH) or GIAC Certified Intrusion Analyst (GCIA) or GIAC Cloud Security Automation (GCSA) or GIAC Global Industrial Cyber Security Professional (GICSP) or GIAC Security Essentials Certification (GSEC) or GIAC Security Leadership Certification (GSLC) or Information Systems Security Management Professional (ISSMP). AND DCWF code 531 Intermediate: Certified Cloud Security Professional (CCSP) or Certified Ethical Hacker (CEH) or Cisco Certified CyberOps Associate or CompTIA Cloud+ or CompTIA PenTest+ or CompTIA Security+ or Federal IT Security Professional-Operator-NG (FITSP-O) or GIAC Certified Enterprise Defender (GCED) or GIAC Information Security Fundamentals (GISF). Experience collecting and analyzing event information and performing threat or target analysis. Experience supporting operations related to persistent monitoring on a 24/7 basis of all designated networks, enclaves, and systems. Demonstrated competence in managing and executing first-level responses and addressing reported or detected incidents. Comfort level with reporting to and coordinating with external organizations and authorities. Background in coordinating and distributing directives, vulnerability, and threat advisories to identified consumers. U.S. citizenship required. Possess a Secret security clearance with the ability to qualify for a Top Secret with SCI Security Clearance. Ability to work shift hours. Secure Division Support — CSSP Roles and DoDIN Operations
The GCC provides CSSP responsibilities and conducts DODIN Operations and DCO – Internal Defensive Measures (IDM) to protect the DODIN in accordance with the DoDM 8530.01 and the DoD Cybersecurity Services Evaluator Scoring Metrics (ESM). Responsibilities are organized into five CSSP functions: Identify, Protect, Detect, Respond, and Recover. GCC conducts these functions for its assigned portion of the DODIN for both unclassified and classified networks/systems. The division provides support services for the protection, monitoring, analysis, detection, and response to unauthorized activity within the DoD Information Systems and Networks. DCO-IDM services defend against unauthorized activity on all Army assets residing on the NIPRNet and SIPRNet. The division provides defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction. The division provides sensor management and event analysis and response for network and host-based events. For sensor management, the division manages in-line Network Intrusion Protection System/Network Intrusion Detection System (NIPS/NIDS) sensors monitoring all CONUS DoDIN-A NIPRNet and SIPRNet Enterprise traffic to detect sensor outages and activities that threaten confidentiality, integrity, or availability. In coordination with GCC Operations, DCO initiates defensive security procedures upon detection of these attacks. Event analysis and response includes processes to reduce multiple cyber incidents to actual malicious threat determinations and mitigate those threats in accordance with guidance from GCC leadership. Support the Government in providing CSSP services on both the NIPRNet and SIPRNet in accordance with Appendix E: Secure Division Workload Assessment in support of the CONUS portion of the DoDIN-A. Develop reports and products, both current and long-term, in support of CSSP and course of action development. Prepare Tactics, Techniques, and Procedures (TTPs), SOPs, Executive Summaries (EXSUMS), trip reports, and information/point papers. Contribute to the preparation of agreements, policy, and guidance documents such as Memorandums of Understanding / Agreement (MOU/A), Service Level Agreements (SLA). • Cyber Defense Operations (CDO) Support. Provide sufficient staffing to maintain on-site capability in compliance with the PWS. Place of Work and Work Hours to work directly with GCC Operations personnel in conducting initial triage/cyber incident analysis, review correlated events, system/device logs, and SIEM event data to determine and recommend/take immediate DCO-IDM response actions. Immediate response actions can include submission of a cyber-incident response ticket, categorization of the incident as per CJCSM 6510, and/or notifying DCO/ARCYBER/Higher Headquarters as required by CCIR reporting requirements. All other CDO operations must have on-call capability to respond to cyber incidents as directed by policy or Government direction. • Incident Analysis and Mitigation. Provide incident analysis and mitigation support by conducting incident analysis and recommending mitigation measures in response to general or specific Advanced Persistent Threats (APT), attempted exploits/attacks, or malware delivery on Army networks. • Block/deny access by hostile sites or restrict access by specific ports/protocols and/or applications. Provide recommendations to the supporting operations and maintenance organization to take necessary action where the CSSP-D division does not control the sensor grid. Provide justification of IDMs and/or operational impact to a Configuration Control Board (CCB) and/or Authorizing Official (AO) for mitigation action (IDM) approval. If appropriate, coordinate a Network Damage Assessment (NDA), Network Assistance Visit (NAVs), or other CDAP missions. • Monitor all sensors and agents managed by the GCC for security event analysis and response and maintain/update the triage database with current threat data and response methods in real-time, with follow-up within 72 hours of last response. Respond to detected events, ensure proper handling of the associated trouble ticket (TT), and process events according to TTPs. • Provide all initial cyber incident reports to Law Enforcement and Counterintelligence (LE/CI) agencies and maintain an up-to-date POC list for LE/CI agencies as routinely provided by the Major Cybercrimes Unit (MCU) and Cyber Counterintelligence agencies. In case of an active investigation, LE/CI agencies will provide a written request that includes the official case number, specific data logs, and other required information in accordance with local TTPs. Provide data and analysis in response to LE/CI requests as required by CSSP-D TTPs. Provide all initial cyber incident investigation reports to LE/CI and maintain a Master Station Log (MSL) to document high-visibility cyber incidents, defined as events identified in an ARCYBER Task Order, Named Operation, or Category 1 (CAT1). The MSL must be available for Government inspection at any time to ensure accurate tracking and reporting to GCC Leadership and Operations.
#J-18808-Ljbffr