Leidos Defense Group currently has an opening for an Information Assurance Specialist to work in our O’Fallon, IL office. This is an exciting opportunity to use your experience by providing support to a major DoD transportation program. You must hold an active DOD Secret clearance with an open SSBI investigation to be qualified for this role.
Supports the program requirements using the Risk Management Framework (RMF) for DoD Information Technology (IT) process (Categorize the Information System, Select the Initial Baseline of Security Controls, Define the Security Control Assessment Approach, Implement Security Controls, and Assess Security Controls).
Ensures Information Assurance (IA) Checklist for releases is submitted no later than fifteen (15) business days prior to the Verification – Test Readiness Review (V-TRR) and tracks Government evaluation/approval status of IA Checklist.
Ensures security issues are identified and addressed in program specific minor modification checklists and Department of Defense (DOD) security controls are applied as part of system sustainment to ensure the confidentiality, integrity, availability, authentication and non-repudiation of program’s sensitive unclassified and classified systems and data.
Monitors and analyzes IA Vulnerability Management (IAVM) Notices, USTRANSCOM Security Notifications, United States Computer Emergency Readiness Team (US-CERT), and vendor security advisories for customer servers not managed by DISA and makes recommendations to the Government for applicability to the program.
Provides Security Analysis and Assessment Results of risk advisories (based on the Security Technical Implementation Guide (STIG) Finding Severity Category listed in the IA Vulnerability Advisories (IAVAs), IA Vulnerability Bulletins (IAVBs) and Technical Advisories) to the Government in support of the weekly Information Assurance (IA) Integrated Product Team (IPT).
Ensures required COTS/Operating System (OS) security patches are applied and the DISA Continuous Monitoring and Risk Scoring (CMRS) system is updated to document the installation of vendor application security patches and/or generates Plans of Action and Milestones (POA&M) when patches cannot be applied.
Reviews security advisories from United States Cyber-Security Command, Secunia, and vendor web sites for applicability to program assets.
Provides a weekly IAVM report input for the weekly IA IPT which includes the IAVA number, and if applicable to the program, an IA Patch Plan of Action and Milestones (POA&M).
Ensures that information system security engineering is employed during any/all changes to the System Architecture, is in compliance with all analogous or interfacing cybersecurity component(s) of the DoD Information Network (DODIN) Architecture, and is designed to make maximum use of the DOD enterprise cybersecurity capabilities and services.
Participates in the change control process and evaluates the impact of each change on security.
Ensures applicable DOD STIGs, checklists, vendor security guidance, industry best practices, and applicable vendor product security patches are applied to the design, development, and implementation of secure applications and configurations.
Ensures applications are in compliance with DOD Instruction 8500.1 Cybersecurity (current version) and DODI 8551.1 Ports, Protocols, and Services Management (current version).
Ensures an approved code analysis tool is used to scan the developed source code in order to identify and remediate vulnerabilities or weaknesses in the application code.
Ensures code scan reports to the government are delivered prior to installing source code into the production environments so the government can evaluate the security status of the code.
Ensures code scan report identifies fix actions for any discovered vulnerabilities such as those described in Common Weakness Enumeration/System Administration, Networking, and Security Institute (CWE/SANS) TOP 25 Most Dangerous Programming Errors and Open Web Application Security Project (OWASP) Top Ten, that could be exploited by unauthorized sources.
Participates in Government and Contractor formal and informal design reviews to identify potential security weaknesses, deficiencies, and/or vulnerabilities in the design.
Ensures appropriate security requirements are included as part of the requirements traceability matrix and are evaluated as part of the security test and evaluation (ST&E).
Updates system security documentation that facilitates the security accreditation of the system according to DODI 8510.01, Risk Management Framework (RMF) for DOD Information Technology (IT) and the associated System Categorization as defined in DODI 8510.01 and CNSSI 1253 (current version).
Updates the DOD Enterprise Mission Assurance Support Service (eMASS) system as required and provides supporting cybersecurity documentation for upload as artifacts in eMASS.
Ensures the Security Plan addresses all of the applicable DODI 8510.1 security controls and is maintained to support the DOD IA RMF authorization decisions.
Monitors and analyzes Information Assurance Vulnerability Management (IAVM) Notices, USTRANSCOM Security Notifications, United States Computer Emergency Readiness Team (US-CERT), and vendor security advisories for the program's servers not managed by Defense Information Systems Agency (DISA) and makes recommendations to the Government for applicability to the program.
Provides Security Summary Analysis and Assessment Results for inclusion in IPR presentation materials.
• Bachelor’s degree in related field with 4 - 8 years of prior relevant experience OR Associate’s degree in related field with 8 - 12 years of prior relevant experience. Experience may be considered in lieu of degree.
• Must hold active DOD Secret Clearance with an open Single Scope Background Investigation (SSBI)
• Must hold current CISSP Certification
Knowledge and/or Experience with the following:
• DoD Information Assurance Vulnerability Management (IAVM)
• IA Vulnerability Advisories (IAVAs)/IA Vulnerability Bulletins (IAVBs)
• USTRANSCOM Security Notifications
• United States Computer Emergency Readiness Team (US-CERT)
• Vendor Security Advisories
• DISA Continuous Monitoring and Risk Scoring (CMRS)
• Plan of Action and Milestones (POA&M)
• Risk Management Framework (RMF) for DOD Information Technology (IT)
• DoD Information Assurance Certification and Accreditation Process (DIACAP)
• Security Technical Implementation Guide (STIG)
• Vulnerability Management System (VMS)
• Enterprise Mission Assurance Support Service (eMASS)
• DOD Instruction 8500.1 Cybersecurity
• Common Weakness Enumeration/System Administration, Networking, & Security Institute (CWE/SANS) TOP 25
• Open Web Application Security Project (OWASP) TOP 10
• National Institute of Standards and Technology (NIST) Special Publications
External Referral Bonus: Eligible
Potential for Telework: No
Clearance Level Required: Secret
Scheduled Weekly Hours: 40
Job Family: Information Assurance
Leidos is a Fortune 500® information technology, engineering, and science solutions and services leader working to solve the world's toughest challenges in the defense, intelligence, homeland security, civil, and health markets. The company's 33,000 employees support vital missions for government and commercial customers. Headquartered in Reston, Virginia, Leidos reported annual revenues of approximately $10.19 billion for the fiscal year ended December 28, 2018. For more information, visit www.Leidos.com.
Pay and Benefits
Pay and benefits are fundamental to any career decision. That's why we craft compensation packages that reflect the importance of the work we do for our customers. Employment benefits include competitive compensation, Health and Wellness programs, Income Protection, Paid Leave and Retirement. More details are available here.
Securing Your Data
Leidos will never ask you to provide payment-related information at any part of the employment application process. And Leidos will communicate with you only through emails that are sent from a Leidos.com email address. If you receive an email purporting to be from Leidos that asks for payment-related information or any other personal information, please report the email to firstname.lastname@example.org.
Commitment to Diversity
All qualified applicants will receive consideration for employment without regard to sex, race, ethnicity, age, national origin, citizenship, religion, physical or mental disability, medical condition, genetic information, pregnancy, family structure, marital status, ancestry, domestic partner status, sexual orientation, gender identity or expression, veteran or military status, or any other basis prohibited by law. Leidos will also consider for employment qualified applicants with criminal histories consistent with relevant laws.