Leidos is seeking a Technical Subject Matter Expert as the Cloud Information System Security Manager (ISSM) Lead for the USACE O365 Software as a Service (SaaS) environment, defining and managing cybersecurity to achieve and maintain accreditation under the Risk Management Framework (RMF).
This position performs supervisory oversight for (3) subordinate Cloud-ISSM roles performing RMF accreditation and cybersecurity readiness of the USACE L2/L4/L5 cloud environments for Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and enterprise Software as a Service (SaaS) to include O365.
Regular tasking would include, but not be limited to, secure baseline identification and validation per the security categorization and subsequent system security plan, vulnerability and threat assessment, FedRAMP and DISA Cloud Access Point (CAP) interactions, and directing the DoD RMF accreditation process to achieve Authorizations to Operate (ATOs) through the Enterprise Mission Assurance Support Service (eMASS).
Location: Prefer Vicksburg, Mississippi or Hillsboro, Oregon, but will also consider remote work.
- Ensure the cybersecurity readiness to DoD, Army, and RMF standards of the USACE O365 SaaS.
- Interact with DISA CAP and FEDRAMP to maintain accreditation status of the USACE O365 SaaS.
- Supervise (3) subordinate Cloud-ISSM positions.
- Responsible for ensuring that all USACE cloud instances obtain and maintain appropriate DoD cloud Authorizations to Operate and maintain all required artifacts.
- Perform, and oversee the Cloud-ISSM team's successful execution of, the following responsibilities:
- Categorize mission information systems in accordance with DoDI 8510.01 and CNSSI 1253 then identify the Cloud Information Impact level that most closely aligns with the defined categorization and information sensitivity.
- Ensure specific requirements are included in the contract/SLA with the Cloud Service Provider (CSP) to address/mitigate risk, or deploy to DoD facilities assessed using CNSSI high baselines through the DoD RMF.
- Assess the Cloud Service Offering's (CSO) stated availability rating(s) during CSP selection. Ensure the contract language is specific and inclusive of the required availability.
- Develop and Manage RMF for cloud instances in the eMASS tool to achieve Authorizing Official's (AO) Authorization Decision Document (ADD) utilizing the RMF Package Approval Chain (PAC) process.
- Manage all Cloud instances in eMASS and conduct yearly reviews of each package to comply with Federal Information Security Management Act (FISMA), and establish process to re-certify each cloud instance every 3 years, or as required by DoD regulation.
- Manage all Cloud POA&M items in the RMF and eMASS system and ensure continuous monitoring requirements are met.
- Ensure USACE responsibilities for each CSO are documented in Standard Operating Procedures to satisfy RMF controls.
- Manage/approve privileged-level users for all cloud instances.
- Assess USACE ATOs as the non-DoD agency may have accepted risks that are not appropriate for DoD to accept.
- Review the Federal Risk and Authorization Management Program (FedRAMP) and DoD Provisional Authority (PA) artifacts to understand the risk that the AO will inherit.
- Responsible for any required overlays that are not included in the FedRAMP or DoD PA for the PaaS and IaaS environments (for example, the privacy overlay for PII data).
- Ensure Cloud Cyber Security Service Provider (Cloud CSSP) contracts include all services required per the DoD Cloud Security Requirements Guide (SRG) and any additional controls required by the USACE AO.
- Liaise with the DISA AO office to coordinate closely on the following:
a. The withdrawal of a Provisional Authority (PA).
b. DISA notification to affected Mission Owners (MO) of proposed significant changes, and its assessment of the change within the scope of the CSO PA.
c. DISA dissemination of artifacts for CSO changes to all Mission Owners utilizing that CSO.
d. Review for any adverse impact with regard to USACE's specific usage of the CSO.
- Satisfy cyber requirements (review Security Assessment Reports (SAR), POA&Ms, and Security Plans) as a sponsor for submitting new CSOs for FedRAMP and DoD PA certifications.
- Member of the Azure/O365 Cloud Cybersecurity Working Group.
- Member of USACE cloud configuration management board.
Eight (8) or more years' experience in the following areas:
1) Cybersecurity, Information Assurance/Information System Security Engineering for O365 SaaS and other USACE cloud initiatives
2) FedRAMP certification process and DISA Cloud Access Point process
3) RMF and eMASS accreditation (NIST SP 800-53A, CNSSI 1253, DoD 8500.1, DoD 8510.01)
4) DISA STIG and SRR compliance test and verification
5) ACAS/SCAP vulnerability scanning and secure baseline/system security plan continuous monitoring
6) DoD and Army Information Security regulations, publications, and policy
7) Demonstrated experience applying security risk assessment methodology to system development and existing IT infrastructure, including threat model development, vulnerability assessments, and resulting security risk analysis
Required Education: Bachelor's degree in Computer Science/Information Technology preferred; a Bachelor's degree in another major with years of experience and certification is acceptable.
Desired Certifications: DoD 8570.01 IAM-II/IAM-III (CISSP, CAP, or CISM required; CCNA Security optional)
• Azure Stack
• Firewalls: Cisco ASA, Checkpoint
• Dell Poweredge servers
• Dell laptops and workstations
Server & Operating Systems / Software
• Windows Server 2012, MS SQL Server, SQL Reporter, Windows/PowerShell scripting, Windows 10, Linux/Unix, Sun Solaris 10/11, Cisco IOS, MS Office 2013, Project 2013, Visio 2013, Tenable Security Center and Nessus