Security Control Assessor - Analyst (SCA-A) NF5

This position serves as the Security Control Assessor - Analyst (SCA-A) for the Information Technology Directorate (MRI), Marine Corp Community Services (MCCS), Manpower and Reserve Affairs Department, Headquarters Marine Corps (USMC). The incumbent will work under the direction of the MCCS Security Control Assessor (SCA), MCCS Deputy Director for Information Technology (IT) / Chief Information Officer (CIO) and conducts independent comprehensive analysis of management, operational, and technical security controls, and control enhancements to determine their overall effectiveness across MCCS. Advises SCA, CIO, Authorization official (AO) and other stakeholders on risks associated with technology acquisition, maintenance and deployments and provides recommendations for initial or continued operation for the AO's consideration.

The responsibilities and duties of this role are defined by Department of Defense Instruction 8510.01 Risk Management Framework for DoD Systems amplified by MCO 5239.2B and the Marine Corps Enterprise Cyber Security Manual (ECSM) 018; Marine Corps Assessment and Authorization Process (MCAAP) and applicable policies across the US Marines Corp (USMC), Navy (DoN), Department of Defense (DoD) and Federal Government at large. In this role, the incumbent will be responsible for consulting and coordinating with DC I C4 personnel at USMC including SCA and others to ensure technology solutions operate within the identified constraints and in compliance with applicable cybersecurity policies and procedures. Works closely with other IT and cyber security professionals to include Chief Information Security Officer (CISO), Security Control Validator(s) (SCV) and Information Systems Security Manager(s) (ISSM).

CORE RESPONSIBILITIES
- Assists in the development and maintenance of a comprehensive security assessment and monitoring program in-line with MCCS¿ Mission and business objectives. Assess accreditation packages for SCA and AO approval.
- Assesses RMF submission, by reviewing and identifying security gaps, and assessing supporting artifacts for comprehensive Risk Management Framework (RMF). Conducts risk analysis (e.g., threats, vulnerabilities, and probability of occurrence) whenever an application or system undergoes a major change.
- Plans and conducts security authorization reviews and assurance case development for initial installation of systems and networks.
- Provides input to the Risk Management Framework (RMF) process activities and related documentation.
- Reviews authorization and assurance documents to confirm that the level of mitigated risk is within acceptable limits for each technology solution.
- Provides guidance and recommendations regarding remediation and mitigation of identified vulnerabilities. Reviews remediation actions based on the findings and recommendations of the security assessment reports and performs reassessment of remediated controls.
- Verifies that security configurations are implemented as stated and sufficiently documented in RMF package; AO risk acceptance memos for deviations are properly signed by AO and recommend actions to mitigate risks.
- Participates in Risk Governance process to assess security risks, mitigations, and input on other technical risks.
- Assesses the level of residual risk based on the overall effectiveness of the security program and provide authorization recommendations to the SCA to be forwarded to the Authorization Official (AO) for signature.
- Assesses and ensures that plans of actions and milestones (POA&M) or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
- Assesses that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
- Supports necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
- Assesses that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.

Occasional travel to complete work assignments, conduct training or attend conferences and meetings may be required. Performs other related duties as assigned. 

This is a white-collar position where occasional lifting up to 20 lbs. may be required.

Bachelor's degree from an accredited college or university in information technology or business-related field appropriate to the work of position AND 3 years of experience performing Cyber Security roles, preferably at the state or federal level OR an appropriate combination of education and experience that demonstrates possession of knowledge and skill equivalent to that gained in the above. The position requires approved Baseline Certifications; GSEC or Security+ to meet minimum requirements.
Knowledge of DoD, DON and Marine Corps policy and process directives applicable to the development and administration of cybersecurity architecture, risk management framework, and cyberspace operations.

Knowledge of risk management processes, secure configuration management techniques, Government laws and policies, cyber threats and vulnerabilities, encryption algorithms, host/network access control mechanisms, vulnerability information dissemination sources, Payment Card Industry (PCI) data security standards, Personally Identifiable Information (PII) data security standards and incident response and handling practices.

Skill in applying and reviewing security controls and conducting application vulnerability assessments, interpreting vulnerability scanner results, assessing cloud security measures and microservices, preparing Test & Evaluation reports. Experience with Security Content Automation Protocol (SCAP) content and Security Technical Implementation Guides (STIGS) based tools for benchmark, compliance checks, and security configuration reviews.

As an authorized and privileged user of Department of Defense Information Systems must fulfill the requirement to complete DoD Workforce Improvement Program certification (DoD 8570.01-M) as a condition of access within six months of employment.

This position had been determined as Moderate Risk. As a condition of employment, the incumbent must be able to obtain and maintain an Access National Agency Check and Inquiries (ANACI/ Tier 3) Secret Clearance to access classified information.

Eligible for telework as determined by MR/MF policy.