Risk Management Framework (RMF) Analyst


Job Location:

Norfolk, MA - USA

Monthly Salary: Not Disclosed
Posted on: 14 hours ago
Vacancies: 1 Vacancy

Job Summary

Risk Management Framework (RMF) Analyst

**Contingent Upon Contract Award

Company Overview:

Dutch Ridge Consulting Group LLC (DRCG), a United States (US) Small Business Administration (SBA) Certified Service-Disabled Veteran-Owned Small Business (SDVOSB) and ISO 9001:2015 Certified Company, was established in 2016. DRCG is 100% US owned, has over 50 employees, and provides high-quality support staff at ten client locations throughout the US, with corporate offices in Ashburn, VA and Beaver, PA. DRCG delivers expertise in Cybersecurity Engineering and Operations; Cyber Threat Intelligence; Insider Threat Prevention and Detection; Information Technology Solutioning; Systems Integration; Program Management; Policy, Planning, Communications and Compliance Support; Workflow Solutioning; Risk Management; Business Process Reengineering; and Professional Business Consulting Services. DRCG's technical approach optimizes client investments by leveraging expertise in managing growth and transformation of existing IT environments.

Support the cyber OT&E mission by applying expertise in enterprise and system-level security design throughout the development lifecycle, ensuring alignment with evolving laws, regulations, and DoD and DON cybersecurity policies. Responsibilities include translating 11 complex technical and environmental requirements into effective security architectures and contributing to RMF efforts across all steps. Assist in system categorization, policy documentation, control selection, and control implementation, and perform comprehensive assessments of management, operational, and technical security controls to evaluate their effectiveness. Additional duties include the RMF support outlined in the RMF Process Guide (RPG) for the ISSE role. Provide project management and subject matter expertise to guide certification and accreditation activities for OT&E test infrastructure and toolsets, working closely with internal stakeholders and external oversight organizations to ensure timely and compliant system approvals.

Duties and Responsibilities:

  • Create, review, update, and validate cybersecurity Standard Operating Procedures (SOPs) as required.
  • Review and maintain an inventory of authorized software (software custodian).
  • Review and maintain an inventory of government-furnished devices and media.
  • Ensure configurations on laptops and servers are validated prior to being deployed (as required).
  • Audit and validate configurations of network devices based on STIGs, or define and implement compensating controls for such STIGs as required to ensure mission execution.
  • Maintain and update all RMF and A&A documentation to ensure relevancy and alignment with OPTEVFOR cyber OT&E mission assets, to include required revisions and updates in eMASS.
  • Conduct comprehensive annual RMF package reviews to ensure continued compliance of the cyber OT&E mission toolset, networks, and/or systems.
  • Ensure traceability is maintained throughout the RMF submission process (e.g., A&A plan, Plan of Action and Milestones (POA&M), Security Assessment Report (SAR), topology, software, ports, protocols and services, test plan).
  • Maintain network and system documentation in DoD Information Technology Portfolio Repository-DON / DADMS.
  • Maintain documentation and registration of network ports, protocols, and services.
  • Maintain circuit registrations in the Global Interconnection Approval Process System (GIAP) and Systems/Network Approval Process (SNAP).
  • Maintain and report on the status (weekly) of all outstanding A&A items and supporting documentation.
  • As a member of the Configuration Control Board (CCB), ensure CCB-approved changes are timely and accurately reflected in the A&A documentation.
  • Support compliance validation of current and future directives (e.g., IAVs, STIGs, TASKORD/CTOs).
  • Provide recommendations for corrective action of any non-compliant security controls.
  • Execute DISA STIG validations for systems in conjunction with annual RMF/A&A package reviews, in accordance with the DoD Instruction 8510 series, Risk Management Framework for DoD Systems.
  • Provide security expertise to ensure security controls are implemented and the resulting documentation and artifacts are current.
  • Prepare and maintain documentation, vulnerability scan results, system security assessments, and configuration management findings to support RMF compliance and inform system authorization decisions.
  • Document assessment activities and results in sufficient detail to enable external review of all assessment processes, activities, results, and conclusions.
  • Conduct and document a semi-annual tabletop exercise twice in a calendar year.
  • Develop or contribute to security test plans and supporting documentation that verify the implementation of assigned security controls and inform ongoing risk determinations.
  • Review and analyze IT contingency / disaster recovery plans for NIST and DoN compliance, and produce checklists for IT systems.
  • Assist with exercise and/or training and documentation of the IT contingency plan and its execution.
  • Able to work alone or in a small group to resolve tasks independently with minimal supervision.
  • Adhere to guidance outlined in the RMF Process Guide.
  • Knowledge of the organization's enterprise information security architecture system.
  • Ability to design and integrate security architectures and frameworks.
  • Skill in translating technology and environmental conditions (e.g., laws, regulations) into security designs and processes.
  • Knowledge of integrating organizational goals into security architecture.
  • Ability to apply network security architecture concepts, including topology, protocols, components, and principles (e.g., defense-in-depth).
  • Skill in designing multi-level security and cross-domain solutions.
  • Knowledge of cybersecurity-enabled software products and how they fit into security designs.
  • Perform comprehensive assessments of management, operational, and technical security controls and enhancements.
  • Document and address information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition lifecycle.
  • Evaluate security architectures and designs to determine their adequacy.
  • Develop and integrate cybersecurity designs for systems and networks with multilevel security requirements up to TS/SCI.
  • Define and document the impact of new systems or interfaces on the security posture of the environment.
  • Develop, as needed, security compliance processes and/or audits for external services (e.g., cloud service providers).
  • Provide project management and subject matter expertise in OPTEVFOR Cyber OT&E test infrastructure and toolset certification and accreditation efforts.
  • Employ secure configuration management processes and ensure systems and architectures align with cybersecurity guidelines.
  • Provide advice on project costs, design concepts, and design changes.
  • Skill in applying cybersecurity methods such as firewalls, demilitarized zones, and encryption.
  • Knowledge of IT architectural concepts, including baseline and target architectures.
  • Knowledge of key telecommunications concepts and principles.
  • Knowledge of network systems management principles and tools.
  • Knowledge of cloud-based knowledge management technologies related to security and administration.
  • Skill in using PKI encryption and digital signatures.
  • Document and update architecture and related activities.
  • Translate proposed capabilities into technical requirements and security requirements into application design elements.
  • Provide input to the Risk Management Framework process and related documentation.
  • Knowledge of Personally Identifiable Information (PII) data security standards and program protection planning.
  • Knowledge of local specialized system requirements (e.g., critical infrastructure) and network security principles.
  • Ability to optimize systems to meet enterprise performance requirements.
  • Skill in using design methods and developing data management capabilities.

Qualifications/Requirements:

  • TS/SCI clearance
  • Minimum 5 years' experience designing and integrating enterprise and systems security throughout the development lifecycle.
  • Minimum 3 years' experience conducting thorough assessments of RMF-related management, operational, and technical security controls within DOD IT systems.
  • Minimum 3 years' experience providing project management, subject matter expertise, and hands-on experience for systems certification and accreditation efforts in accordance with applicable DOD and DON cybersecurity policies and RMF guidance.

Job Location:

Norfolk VA 23505

DRCG LLC is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, or any other criteria the consideration of which is made impermissible by applicable law.


Required Experience:

IC


Key Skills

  • ISO 27001
  • Microsoft Access
  • Risk Management
  • Financial Services
  • PCI
  • Risk Analysis
  • Analysis Skills
  • COBIT
  • NIST Standards
  • SOX
  • Information Security
  • Data Analysis Skills

About Company


Dutch Ridge Consulting Group
