Lead Cybersecurity Specialist/Analyst

At Criterion Systems, we developed a different kind of business—a company whose real value is a reputation for excellence built upon the collective skills, talents, perspectives, and backgrounds of its people. By accepting a position with Criterion Systems, you will join a group of professionals with a collaborative mindset where we share ideas and foster professional development to accomplish our goals. In addition to our great culture, we also offer competitive compensation and benefit packages, company-sponsored team building events, and advancement opportunities. To find out more about how Criterion can help you take your career to the next level please visit our website: www.criterion-sys.com. Criterion Systems is a Military/Veteran Friendly Company therefore we encourage Veterans to apply.

We are seeking a mission-focused Lead Cybersecurity Specialist to support and contribute to our government customer’s success at the U.S. Department of Transportation (DOT) Headquarters in Washington, DC. 

The position is hybrid on-site/telework.

The individual shall support and provide assistance in Cybersecurity and IT security compliance of the DOT Maritime Administration (MARAD) IT cybersecurity program.

Duties, Tasks & Responsibilities

• Develop and maintain MARAD's Information System’s core security and privacy documentation, in accordance with each phase of the System Development Life Cycle (SDLC) with standardized templates, baseline management with supporting checklists and technical guides, and policies. This includes:
  • Working with stakeholders to create or update and update Privacy Threshold Analyses (PTAs and other privacy docs, FIPS 199 Security Categorization document, control selection listing, System Security Plan (SSP), Information System Configuration Management Plan, and Account Management Plan.
  • Develop information system contingency plans, including Business Impact Analysis (BIA), in accordance with NIST SP 800-34 Revision (Current), Guide to Test, Training and Exercise Programs for Information Technology Plans and Capabilities and ensure contingency plan test exercises results are documented in an after-action report, and Lessons Learned corrective actions are captured for updating information in the Information Systems Contingency Plan (ISCP).
  • Developing and maintaining Inventory of Information System Interconnections and review, develop / update Interconnection Security Agreements and MOUs in accordance with NIST 800-47.
  • Providing security support and evaluation to development teams to develop core and privacy documentation, integrating information assurance/security throughout the System Life Cycle Development of major and minor application releases.
• Support security in the system engineering process, supporting Risk Management Framework (RMF) task(s) in accordance with NIST Special Publication 800-37, and the DOD Risk Management Framework, including supporting security assessments and other audits requests, Information System Continuous Monitoring (ISCM), Contingency Planning, incident handling risk analysis and mitigation IT security baseline compliance and security (Role-based and Awareness) training, in accordance with supporting DOT policy and guidelines and NIST standards.
  • The individual shall provide on-going recommendations for mitigation of all threats and risks affecting the MARAD environment
  • The individual shall assist in the mitigation / remediation process, following corrective action plans approved by MARAD leadership i.e. Contracting Officer (CO), Contracting Officer’s Representative (COR), and/or Task Area COR.
  • The individual shall provide support in tracking and ongoing evaluation of weakness, vulnerabilities identified by Nessus and other security scan tools, identifying critical and high weakness via insecure application development techniques, cloud environments, networked enclaves, and provided remediation or corrective actions to improve the MARAD security posture.
  • The individual shall maintain a current MARAD information system endpoint inventory that will include but is not limited to, all MARAD network ranges, assets, groups, and custom groups within the DOT’s Continuous Diagnostic and Mitigation (CDM) tool suite i.e. BigFix, Nessus and other. The individual shall evaluate endpoints migration to and from the operational environment to ensure inventory accuracy and security tool suites are installed in accordance with approved baseline.
  • The individual shall support MARAD’s SDLC and DevSecOps implementation. Individual shall maintain architecture diagrams, process and standard operation procedures documentation, and the integration and management of static code vulnerability detection applications into the process. Individual shall evaluate applications including Websites with applicable tool suite(s) and techniques to provide recommendation and track approved remediation pertaining. h) The individual shall manage MARAD’s Information System’s core documentation, in accordance with each phase of the system engineering process / SDLC with standardized templates, baseline management with supporting checklists and technical guides, including but not limited to the DOT Security Authorization and Continuous Monitoring Guide, Weakness Guide and other DOT procedures.
• The individual shall assist the System Owner, Information Owner, and ISSM in recording all known security weaknesses of assigned information systems in the Plans of Action and Milestones (POA&M’s) in accordance with DOT policy, guides and procedures.

Required Experience, Education, Skills & Technologies

• US Citizenship and ability to obtain a public trust
• Must have at least 6 years total information system and network security experience.
  
• Must have at least 4 years of experience with the federal government creating and maintaining IT Authorization to Operate (ATO) packages and RMF documentation for operational systems and interfacing/coordinating with the System Owners (SO), Business Owners, System Maintainers, and Developers.
• Bachelor’s Degree in relevant field or 4 years of equivalent work experience in lieu of degree
• Have the ability to go onsite in DC 2 times a week.
• Experience in maritime/vessel cybersecurity. Specifically, an understanding of marine operations and IT methods, techniques, and practices sufficient to select, recognize, adapt, and apply shipboard principles and practices
• Understanding of IT governance and management in the federal sector
• Expert level knowledge of Federal Cybersecurity and Privacy Laws, Regulations, Policies, Procedures, and implementation standards
  
• Understanding of information assurance, cybersecurity, privacy policies disciplines, methodologies including but not limited to National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), NIST Cybersecurity Framework (CSF)
• Understand the Federal Government's deployment of Information Security Continuous Monitoring (ISCM), the Continuous Diagnostics and Mitigation (CDM) Program, organizational phases and technologies.
• Ensure the DOT enterprise information security management system, Cyber Security Assessment and Management (CSAM), accurately contains required information and supporting artifacts.
• Provide project support and coordination with functional teams to gather documentation and support draft responses for audits or evaluations.
  
• Understanding of Identity, Credential and Access Management (ICAM) implementation.
• Ability to work with customers to assess needs, provide assistance, resolve problems, satisfy expectations; knows products and services.
• Understanding of the principles, methods, or tools for developing, scheduling, coordinating, and managing projects and resources, including monitoring work, and performance.
• Understanding of the principles, methods, and tools of quality assurance and quality control used to ensure a product fulfills functional requirements and standards.
• Proficient in Microsoft Office products: Word, Excel, PowerPoint, Visio, Teams, Power BI, Tableau, and SharePoint.
• Experience with managing Federal contracts projects and must have the ability to communicate effectively both orally and in writing
• Equivalent of IAM Level III certification in accordance with DoD 8570.01M, such as CISSP or CISM or ability to obtain it within 6 months
  
• Experience with Operational Technology cybersecurity controls and principles
• Ability to perform risk assessment and risk management
• Understand domain structures, network protocols, user authentication, digital signatures, firewall and security best practices.
• Ability and expertise to provide guidance in the design of new application and database configurations and connectivity.
• Ability to administer cybersecurity systems and provide technical recommendation to maintain and improve mission functionality.
• Ability to plan, execute and develop report for application, network (internal or external) vulnerability analysis and provides technical recommendations to maintain and improve mission functionality.
• Understand the FISMA assessment and accreditation process.
• Understand the DOD Risk Management Framework and Reporting process.
• Understanding of the principles and methods to configure and /or administer:
  • Network devices security devices such as network firewall, data loss prevention, network intrusion detection systems, and intrusion prevention systems.
  • Operating Systems and systems services (Windows Server, Linux/ Unix, and Active Directory)
• Conduct dynamic web application security testing, both manual testing and utilizing application security tools to discover exploitable vulnerabilities.
• Vulnerability Application and database security assessment, scanning and results interpretation.

Additional Experience

• Must be comfortable communicating with system owners, business sponsors, and IT ops personnel to gather needed information to update system core ATO documentation.
• Experience developing privacy documentation such as PTAs, PCMs, and PIAs (desired)
• Must have the ability to multitask. Will be expected to work with developers and business owners to develop core documentation for a new system while working with the system owner and infrastructure/ops teams to update a system in production.
• Must have the ability to communicate effectively both orally and in writing.

Certifications:

• BS in Cybersecurity or related technical field
• Must possess the following verifiable and current Industry Certifications or be able to obtain certification within 6 months of hire date:
• Certified Information Systems Security Professional (CISSP) or similar type certification
• Desired certifications:
• ITILv3
• CASP
• Project Management Professional (PMP) or Certified Information Systems Manager (CISM)

Clearance: Must possess or be able to obtain a DOT Public Trust clearance

Pay Rate 

• The projected compensation range for this position is $130,000 - $150,000. Please note that the salary information is a general guideline only. Criterion Systems considers factors such as (but not limited to) scope and responsibilities of the position, candidate's work experience, education/ training, key skills as well as market and business considerations when extending an offer.

Benefits Offered

• Medical, Dental, Vision, Life Insurance, Short-Term Disability, Long-Term Disability, 401(k) match, Tuition/Training Assistance, Parental Leave, Paid Time Off, and Holidays.

Criterion Systems, LLC. and its subsidiaries are committed to equal employment opportunity and non-discrimination at all levels of our organization.  We believe in treating all applicants and employees fairly and make employment decisions without regard to any individual’s protected status:  race, ethnicity, color, national origin, ancestry, religion, creed, sex/gender, gender identity/gender expression, sexual orientation, physical and mental disability, marital/parental status, pregnancy (including childbirth, lactation, and related medical conditions), age, genetic information (including characteristics and testing), military and veteran status, or any other characteristic protected by law. For our complete EEO/AA and Pay Transparency statement, please visit https://careers-criterion-sys.icims.com/.