The SCA is responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an Information System (IS) to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). SCAs also provide an assessment of the severity of weaknesses or deficiencies discovered in the IS and its environment of operation and recommend corrective actions to address identified vulnerabilities. Responsibilities will cover Collateral, SAP and/or SCI activities within the customer’s area of responsibilities.
The SCA will perform the following responsibilities:
- Perform oversight of the development, implementation and evaluation of information system security program policy; special emphasis placed upon integration of existing SAP network infrastructure
- Perform assessment of information systems, based upon the Risk Management Framework (RMF)/Joint Special Access Program Implementation Guide (JSIG), DCID 6/3, DITSCAP, DIACAP and/or JAFAN 6/3 Certification and Accreditation (C&A)/authorization and assessment processes
- Advise the Authorizing Official (AO) and/or Delegated Authorizing Official (DAO) on any assessment and authorization issues
- Advise the Authorizing Official (AO), Delegated Authorizing Official (DAO), Office of Chief Information Officer (OCIO), and/or Program Security Officer (PSO) on assessment methodologies and processes
- Evaluate authorization packages and make recommendations to the AO and/or DAO for authorization
- Evaluate IS threats and vulnerabilities to determine whether additional safeguards are required
- Advise the Information Security Officer (ISO) and PSO concerning the impact levels for confidentiality, integrity, and availability for information on a system
- Evaluate threats and vulnerabilities to ISs to ascertain the need for additional safeguards
- Review and approve the IS Security Control Assessment Procedures, the Security Assessment Plan, the System Security Plan (SSP), and the Security Control Traceability Matrix (SCTM)
- Ensure security assessments are completed for each IS
- At the conclusion of each security assessment activity, prepare the final Security Assessment Report (SAR) containing the results and findings from the assessment
- Initiate a POA&M with identified weaknesses and suspense dates for each IS, based on findings and recommendations from the SAR
- Evaluate security assessment documentation and provide written recommendations for security authorization to the AO
- Develop recommendations for authorization and submit the security authorization package to the AO
- Assess proposed changes to ISs, their environment of operation, and mission needs that could affect system authorization
- Ensure approved procedures are in place for clearing, purging, declassifying, and releasing IS memory, media, and output
- Assist in team compliance inspections
- Assist PSOs with security incidents that relate to Cybersecurity and ensure that the proper and corrective measures have been taken
- Assess changes within the IS boundary that could affect the authorization of the boundary
- Ensure that IS requirements are addressed during all phases of the system life cycle
- Other duties as assigned
Education: A High School Diploma and eleven (11) years of related experience are required. A Bachelor's Degree in a related discipline and five to seven (5-7) years of related experience are desired. A minimum of four (4) years of experience in SAP and/or SCI Security and the implementation of regulations identified in the description of duties is required.
Experience/Knowledge, Skills and Abilities: Experience with Information Assurance (IA) and applying IA Vulnerability Assessment (IAVA) patches is required. Experience creating and maintaining various security documents such as the Security Control Plan/Vulnerability Security Review (SCP/VSR), System Backup and Recovery Plans (SBRP) and Plan of Action and Milestones (POA&M) tables is required. The selected applicant is required to possess Information Assurance Technician/Information Assurance Manager (IAT/IAM) Level II certification at the time of hire and must possess IAT/IAM Level III certification within 6 months of the date of hire.
Applicant selected may be subject to a government security investigation and must meet eligibility requirements for access to classified information.