Founded in 2009, RSC2, Inc. is a Small Business Administration (SBA) Certified HUBZone Professional Services company headquartered in Baltimore, Maryland. RSC2 provides breakthrough expertise, support services, and technologies to make operations, programs and systems of record perform better. Our professional staff is trained to provide world-class services to all types of customers. We uphold the integrity and quality of our work so you can expect only the best from us.
Team (Project) Introduction
This effort is for the development, monitoring, and execution of the Cybersecurity Program in support of Propulsion, Power and Auxiliary Machinery Systems at Naval Surface Warfare Center, Philadelphia, PA, which includes Risk Management Framework (RMF) services. The effort includes Cybersecurity policy, reviewing Authorization & Assessment (A&A) artifacts, performing A&A validation, implementation of security postures, Subject Matter Expertise in cybersecurity life cycle management, coordination, implementation, and sustainment of A&A. RSC2 will support NSWCPD in the following areas:
Assess & Authorize (A&A) Package Preparation and Documentation
Assess Only (AO) Package Preparation and Documentation
Risk Management Framework (RMF) Support
NSWCPD Department 40 works to ensure adherence to the Risk Management Framework (RMF) process for its Propulsion, Power, & Auxiliary Machinery systems and subsystems which includes development of technical documents across multiple platforms including configuration management, milestone/issue tracking, and RMF documentation. All RMF activities shall follow the most current applicable documents including DON RMF Process Guide, DoD Instruction 8510.01, and the business rules of cognizant review offices for each package. Contractor shall produce and maintain RMF artifacts related to the authorization or de-authorization of assigned RMF packages, applications, and systems under the cognizance of NSWCPD.
Functional Job Information:
In support of this mission RSC2 is hiring an Information Systems Security Specialist III (SISS3). This individual will be responsible for ensuring the security and confidentiality of all information systems within the organization. The individual will implement and maintain security protocols, perform vulnerability assessments, monitor and investigate security breaches, and provide security awareness training to staff. Additionally, the Information Systems Security Specialist will collaborate with other departments to develop security policies and procedures and ensure compliance with regulatory requirements.
Develop and maintain security protocols: The Information Systems Security Specialist III will develop and maintain security protocols to protect the organization's information systems from unauthorized access, modification, and disclosure. This includes implementing firewalls, intrusion detection systems, and encryption technologies.
Perform vulnerability assessments: The individual will perform vulnerability assessments to identify potential security threats and weaknesses within the organization's information systems. They will analyze and evaluate the results of these assessments and develop plans to address any identified risks.
Monitor and investigate security breaches: The Information Systems Security Specialist III will monitor the organization's information systems for security breaches and investigate any incidents that occur. They will identify the root cause of the breach, determine the extent of the damage, and develop plans to prevent future incidents.
Provide security awareness training: The individual will provide security awareness training to staff to promote a culture of security within the organization. They will educate staff on the importance of security protocols and procedures, how to recognize security threats, and how to report incidents.
Develop security policies and procedures: The Information Systems Security Specialist III will collaborate with other departments to develop security policies and procedures that align with the organization's goals and objectives. They will ensure that these policies and procedures comply with regulatory requirements.
Assess & Authorize (A&A) and Assess Only (AO) Support: Cybersecurity support consists of development and validation of A&A and AO packages and artifacts, and implementation of security postures regarding cybersecurity life cycle management. The intended result is obtaining and renewing Authorization to Operate (ATO).
ATO is required for connection to DoD, and other Federal systems, networks, and applications.
Collect and collate system or site information and use it to evaluate and document in Enterprise Mission Assurance Support Service (eMASS) the security posture of the Propulsion, Power, & Auxiliary Machinery systems and subsystems being Assessed, Authorized, and maintained.
Review security assessment plans, test plans, and procedures to ensure they address the correct level of effort and are sufficiently comprehensive to assess all Information Assurance (IA) requirements applicable to the system or site for assessment, authorization, and maintenance.
Optimize A&A and AO testing procedures to ensure the most accurate reporting in the appropriate format and that all IA requirements have been addressed. Evaluate all discrepancies and recommend potential mitigation measures for reducing or eliminating specific risks.
Conduct risk and vulnerability assessments of planned and installed systems to identify vulnerabilities, risks, and protection needs; conduct systems security evaluations, audits, and reviews; determine the residual risk of a package based on package content and assessment results, and document it for the Security Controls Assessor’s (SCA) and higher-level review.
Conduct systems security reviews, audits, or evaluations, as appropriate, to ensure accreditation documents are accurate and represent the current risk posture of the system.
Work with the Information System Owner/ISSO/System Administrators equivalent to NSWCPD’s Information System Security Officer (ISSO) to determine applicable fixes and/or mitigation for weaknesses and to determine the adequate level of residual risk.
Perform analysis of logs, events, and reporting of various data collection tools, including vulnerability monitoring via Assured Compliance Assessment System (ACAS) and related tools, Host Based Security System (HBSS), web content filters, Security Information and Event Management (SIEM), firewall systems, network devices, server devices, workstations, and intrusion detection and prevention systems (ID/PS).
Assess impacts from observed risks and report via the Cybersecurity Program chain of command.
Perform the evaluation of system administrator, security engineer, and/or system owner proposed corrections to ensure compliance and best-fit solution.
Present and submit data to management, develop reports, and produce procedural documentation in a comprehensive and cohesive manner.
Risk Management Framework (RMF) Continuous Monitoring Support: All RMF activities shall follow the most current applicable documents including: Department of the Navy (DON) RMF Process Guide, DoD Instruction 8510.01, and the business rules of cognizant review offices for each package. This individual will produce and maintain RMF artifacts related to the authorization or de-authorization of assigned RMF packages, applications, and systems under the cognizance of NSWCPD. The intended result is obtaining or maintaining ATO or De-Authorization to Operate (DATO) through validated test results, security controls assessor review, and authorization official endorsement as part of the continuous monitoring process. To support these continuous monitoring activities the individual will:
Perform remediation, patching, scanning and associated boundary maintenance risk management and security engineering for RMF Afloat systems.
Develop all required eMASS documents, to include Plan of Actions and Milestones (POA&Ms), Risk Assessment Reports (RARs), and Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs); products shall be created in the appropriate software (i.e., Microsoft Visio, scanning software, eMASS, DISA STIG Viewer, etc.).
Determine a system’s compliance with all applicable Controls and Assessment Procedures (APs) for an assigned DoN system, including developing the appropriate test procedures, if necessary; executing the test procedures; and accurately documenting the results of security testing. The analysts shall update the eMASS record for the assigned system(s).
Document residual risks in a plan of actions and milestones formatted in compliance with the current package system, currently eMASS.
Maintain current vulnerability scan data and residual risk plan of actions and milestones in Vulnerability Remediation Asset Manager (VRAM).
Track deliverables and action items in accordance with A&A guidance.
Manage, attend, and support configuration control board practices.
Ensure RMF artifacts follow published Navy, NAVSEA Business Rules (OPNAV N2N6 and/or NAVSEA), NIST SP-800-37 and SP-800-53 Rev 4. In addition, local NSWCPD policies and procedures may apply. Command Information System Security Manager (ISSM) will resolve any conflicting interpretations.
Bachelor's degree in a technical related discipline
Five (5) years of professional experience performing analysis of logs and events and of various data collection tools; as well as experience.
One of the following qualified certifications in good standing: DoD 8570.01-M Information Assurance Manager – Level 2 Qualified (CAP, CASP+CE, CISM, CISSP (or Associate), GSLC, CCISO)
DoD Secret Clearance and/or Eligibility
Must be a U.S. Citizen
Naval Surface Warfare Center Philadelphia Division, Philadelphia, PA
Legal: We’re an equal employment opportunity/affirmative action employer that empowers our people to fearlessly drive change – no matter their race, color, ethnicity, religion, sex (including pregnancy, childbirth, lactation, or related medical conditions), national origin, ancestry, age, marital status, sexual orientation, gender identity and expression, disability, veteran status, military or uniformed service member status, genetic information, or any other status protected by applicable federal, state, local, or international law.