Job opening: Information Technology Specialist (Security)
Salary: $88,205 - $185,930 per year
Published at: Aug 14 2024
Employment Type: Full-time
This position is located in the Department of Technology Services (DTS), IT Security Office (ITSO), Security Programs Assessment Division (SPA). The incumbent of this position will function as a Security Control Assessor and will play a critical role in evaluating and assessing the security controls implemented within National Program Office systems as part of the A&A process.
Duties
The Security Control Assessor (SCA) will play a critical role in evaluating the effectiveness of security controls implemented within the organization's information systems. The incumbent will be responsible for conducting assessments using a variety of methods, including examinations, interviews, and testing, to identify vulnerabilities, weaknesses, and areas for improvement within our information systems. The incumbent must have a strong background in information security, risk management, and a thorough understanding of regulatory requirements such as NIST standards and industry-specific compliance frameworks. This position requires a deep understanding of security assessment methodologies, strong analytical skills, and the ability to communicate findings effectively to stakeholders.
Duties of the position include, but are not limited to:
Collaborating with stakeholders to develop assessment plans that outline the scope, objectives, and methodology for conducting security assessments. This involves understanding the organization's information systems, business processes, and security requirements.
Conducting thorough examinations of security controls implemented within information systems, including technical, administrative, and physical controls. Analyzing documentation, policies, and procedures to assess the adequacy of security measures and identify areas of non-compliance or weakness.
Conducting structured interviews with key personnel, including IT staff, system administrators, and business stakeholders, to gather insights into security practices, procedures, and challenges.
Identifying potential security gaps or vulnerabilities through dialogue and questioning during interviews.
Performing technical testing activities, such as vulnerability scanning, penetration testing, and security configuration reviews, to assess the effectiveness of security controls. Utilizing automated tools and manual techniques to identify and exploit security vulnerabilities and assess the organization's resilience to cyber threats.
Analyzing assessment findings from examinations, interviews, and testing to identify trends, patterns, and areas for improvement. Preparing comprehensive assessment reports that summarize findings, highlight areas of concern, and provide actionable recommendations for enhancing security posture. Presenting assessment results to stakeholders, including management, IT teams, and regulatory authorities, in a clear and concise manner.
Documenting assessment findings in the Governance, Risk, and Compliance (GRC) system, including identified vulnerabilities, weaknesses, and recommendations for remediation.
Staying informed about emerging threats, vulnerabilities, and best practices in security assessment methodologies. Collaborating with internal teams to implement remediation plans and security enhancements based on assessment findings and recommendations. Participating in ongoing monitoring and evaluation activities to track the effectiveness of security controls and ensure continuous improvement.
Performing the tasks and meeting the knowledge, skills, and abilities described in NIST Special Publication 800-181, the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, for the work role of Security Control Assessor (SP-RSK-002).
Qualifications
Applicants must have demonstrated experience as listed below. This requirement is according to the AO Classification, Compensation, and Recruitment Systems which include interpretive guidance and reference to the OPM Operating Manual for Qualification Standards for General Schedule Positions.
Specialized Experience: Applicants must have at least one full year (52 weeks) of specialized experience which is in or directly related to the line of work of this position. Specialized experience is demonstrated experience in ALL of the following:
Extensive experience with various security assessment methodologies, including NIST SP 800-53, ISO/IEC 27001, CIS Controls, and other industry-recognized frameworks. This includes knowledge of assessment planning, control evaluation, risk analysis, testing, and reporting;
Hands-on experience with security tools and techniques such as vulnerability scanning, penetration testing, security configuration reviews, and forensic analysis;
Experience interpreting and applying regulatory guidance to ensure the organization's adherence to security requirements such as HIPAA, GDPR, PCI DSS, FISMA, and other industry-specific regulations;
Developing risk mitigation strategies and recommending controls to address identified vulnerabilities and threats;
Preparing comprehensive assessment reports that effectively communicate findings to stakeholders, including management, IT teams, and regulatory authorities; and
Conducting interviews, facilitating meetings, and presenting assessment results in a clear and understandable manner.
Education
This position does not require education to qualify.
Contacts
- Address: Department of Technology Services
One Columbus Circle, NE
Washington, DC 20544
US
- Name: Kymberli Camber
- Phone: (210) 301-6303
- Email: [email protected]