General Dynamics Information Technology

Req ID: RQ174850

Type of Requisition: Regular

Clearance Level Must Be Able to Obtain: Secret

Job Family: Information Security

Skills:

Change Management,Cybersecurity,Information Security,RMF,Security Requirements

Certifications:

CISSP: Certified Information Systems Security Professional - ISC2

Experience:

10 + years of related experience

US Citizenship Required:

Yes

Job Description:

Information Systems Security Manager – NAVSUP OIS - Secre Clearance Required

Overview/ Job Responsibilities

GDIT is looking for an experienced Information Systems Security Manager (ISSM) who can prepare, submit, and monitor accreditation packages through the Risk Management Framework (RMF) process ensuring receipt of Interim Authority to Test (IATT) or Authority to Operation (ATO) in support of the Naval Supply Systems Command (NAVSUP) Ordnance Information System (OIS) program. The ISSM will not only maintain current operating cybersecurity environment (data center) but will also support the program’s transition to AWS GovCloud operating environment.

The ISSM will apply their knowledge of Cybersecurity engineering best practices used to secure technical solutions, including applications, systems, architectures, and infrastructures that are operationally viable and efficient on-site in either Mechanicsburg, PA, or Yorktown, VA.

This critical role will also be responsible for:

• Develop and maintain a formal IS security program and policies for their assigned area of responsibility.

• Provide technical and procedural Information System (IS) Security advice to government and industrial teams.

• Develop and oversee operational information systems security implementation policy and guidelines.

• Coordinate with PSO or cognizant security official on approval of External Information Systems (e.g. guest systems, interconnected system with another organization).

• Oversee ISSOs under their purview to ensure they follow established IS policies and procedures.

• Assume ISSO responsibilities in the absence of the ISSO; maintain required IA certifications.

• Ensure System Administrators (SA) monitor all available resources that provide warnings of system vulnerabilities or ongoing attacks.

• Ensure approved procedures are used for sanitizing and releasing system components and media.

• Maintain a repository of all security authorizations for IS under their purview.

• Coordinate IS security inspections, tests, and reviews.

• Ensure proper measures are taken when an IS incident or vulnerability is discovered.

• Ensure data ownership and responsibilities are established for each IS, and specific requirements (to include accountability, access and special handling requirements) are enforced.

• Ensure development and implementation of an effective IS security education, training, and awareness program.

• Ensure CM policies and procedures for authorizing the use of hardware/software on an IS are followed. Any additions, changes or modifications to hardware, software, or firmware must be coordinated with the appropriate AO prior to the addition, change or modification.

• Serve as a voting member of the Configuration Control Board (CCB) and/or the Risk Executive Board, if applicable. The ISSM shall have authority to veto any proposed change they feel is detrimental to security. Appeals on an ISSM/ISSO veto may be taken to the AO. The ISSM may elect to delegate this responsibility to the ISSO.

• Maintain a working knowledge of system functions, security policies, technical security safeguards, and operational security measures.

• Manage, maintain, and execute the information security continuous monitoring plan.

• Ensure a record is maintained of all security-related vulnerabilities and ensure serious or unresolved violations are reported to the AO/DAO; and Assess changes to the system, its environment, and operational needs that could affect the security authorization.

Primary Responsibilities:

• Meeting and maintaining CYBER certification and accreditation requirements, including researching, testing and providing technical information for obtaining CYBER accreditation.

• Developing Security Requirements Traceability Matrix (STRM), aligning security requirements with the individual components of a system.

• Performing checks of systems and applications for IA vulnerabilities using approved automated IA tools (ACAS, SCAP-compliant scanners, DISA STIG Viewer, etc.), custom scripts and manual processes (i.e., Security Technical Implementation Guides [STIGS]).

• Monitoring OIS security posture, documenting raw findings in a quick look report, for customer notification. Create and maintain system Plan of Action and Milestones (POA&Ms) of open vulnerabilities and applied mitigations utilizing Department of Defense Enterprise Mission Assurance Support Service (eMASS) tool.

• Supporting the development and documentation of risk assessment results and recommendations using identified threats, applicable vulnerabilities, and likelihood of occurrence within context of risk tolerances

• Monitor all database and application software used in OIS for version change control and nearing/exceeding last date allowed in the Department of Navy Application Database Management System (DADMS).

• Coordinating/interfacing with OIS Technical Team, Defense Information Systems Agency (DISA), IA Staff, and Fleet Cyber Command to document, review, revise, and submit changes related to Ports, Protocols, and Services (PPS), Access Control Lists (ACLs), and Whitelists. This support includes preparing and submitting the registration forms for new requirements.

• Supporting DOD Portfolio Repository–DON (DITPR-DON) to support the annual review.

• Providing recommendations for corrective actions and mitigation strategies.

• Producing security risk assessment briefs and reports for delivery to stakeholders and senior management.

• Support the DevSecOps team in implementing Cyber Security requirements to achieve and maintain IATT and ATO

• Interpret OS, web server, and database scans to facilitate resolving security findings with the DevSecOps team and external teams

• Ensure systems are scanned, patched, and compliant with DoD policy

• Troubleshoot Windows and RHEL security policies

• Support with configurations including CloudWatch logs, registering systems, reporting and manage findings

• Assess systems to determine applicable IA controls based on design, architecture, and data

• Attend risk management and system meetings to provide status updates and take action items

Minimum Qualifications:

• Must have DOD Secret level clearance to start

• Certification Requirement: Directive 8570.1/8140 – IAM-III: Certified Information Systems Security Professional (CISSP)

• Bachelor’s degree with a minimum of 10 years of relevant experience

• Experience performing risk assessments and audits

• Experience using DoD approved tools (ACAS, SCAP-compliant scanners, eMASS, etc.).

• Knowledge of the overall Risk Management Framework and NIST compliance as a security professional

• Experience presenting to clients or management to present technical and non-technical information to allow key personnel to make informed decisions

• Experience successfully advising stakeholders through the ATO process

• Familiarity with information security documents, government orders, notices, and guidelines

• Experience documenting and maintaining systems running in AWS GovCloud (DoD preferred)

• Ability to work independently to create and update Security Plans, Contingency Plans, and other security documents

• Solid understanding in DoD Cyber Security policies and requirements

Preferred Qualifications:

• Bachelor’s degree in Engineering, IT, Computer Science, or related field or equivalent

• 5 years’ experience in ISSM capacity

• Experience supporting DoD (Navy preferred) enterprise application transition to the AWS GovCloud (up to IL 6) in a security capacity

• AWS Certified Security certification

The likely salary range for this position is $127,500 - $172,500. This is not, however, a guarantee of compensation or salary. Rather, salary will be set based on experience, geographic location and possibly contractual requirements and could fall outside of this range.

Our benefits package for all US-based employees includes a variety of medical plan options, some with Health Savings Accounts, dental plan options, a vision plan, and a 401(k) plan offering the ability to contribute both pre and post-tax dollars up to the IRS annual limits and receive a company match.To encourage work/life balance, GDIT offers employees full flex work weeks where possible and a variety of paid time off plans, including vacation, sick and personal time, holidays, paid parental, military, bereavement and jury duty leave. To ensure our employees are able to protect their income, other offerings such as short and long-term disability benefits, life, accidental death and dismemberment, personal accident, critical illness and business travel and accident insurance are provided or available.We regularly review our Total Rewards package to ensure our offerings are competitive and reflect what our employees have told us they value most.

We are GDIT. A global technology and professional services company that delivers consulting, technology and mission services to every major agency across the U.S. government, defense and intelligence community. Our 30,000 experts extract the power of technology to create immediate value and deliver solutions at the edge of innovation. We operate across 30 countries worldwide, offering leading capabilities in digital modernization, AI/ML, Cloud, Cyber and application development. Together with our clients, we strive to create a safer, smarter world by harnessing the power of deep expertise and advanced technology.

We connect people with the most impactful client missions, creating an unparalleled work experience that allows them to see their impact every day. We create opportunities for our people to lead and learn simultaneously. From securing our nation’s most sensitive systems, to enabling digital transformation and cloud adoption, our people are the ones who make change real.

GDIT is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status, or any other protected class.