Overview

At Criterion Systems, we developed a different kind of business—a company whose real value is a reputation for excellence built upon the collective skills, talents, perspectives, and backgrounds of its people. By accepting a position with Criterion Systems, you will join a group of professionals with a collaborative mindset where we share ideas and foster professional development to accomplish our goals. In addition to our great culture, we also offer competitive compensation and benefit packages, company-sponsored team building events, and advancement opportunities. To find out more about how Criterion can help you take your career to the next level please visit our website: www.criterion-sys.com . Criterion Systems is a Military/Veteran Friendly Company therefore we encourage Veterans to apply.

Responsibilities

We are seeking aInformation Systems Specialist II (Mid)to support our Department of Transportation (DoT) customer inWashington, DC!

Selected incumbent will support in the area of information system cybersecurity management ensuring security posture and compliance tasks, to include but not be limited, program and information system / application support ensuring security in all phases of system engineering process, supporting information system / application Risk Management Framework (RMF) task(s) in accordance with NIST Special Publication 800-37, addressing and documenting system requirements (controls). Support in contingency planning, incident handling, risk analysis and mitigation IT security and privacy baseline compliance, respond to and support security assessments (internal and self-conducted) and other audits requests, and develop and adhere to approved Information System Continuous Monitoring (ISCM) plans in accordance with supporting DOT policy, standards, and guidelines.

Duties, Tasks & Responsibilities

• Provide support to the continuous monitoring process, assessing and evaluating Information System (Hardware and Software) inventory to detect vulnerabilities, identifying critical and high weakness via insecure application development techniques, inherited controls from Common Control Provider including FedRAMP cloud service providers (CSP), networked enclaves, and provide remediation or corrective actions to improve the security posture.

• Provide support in tracking and ongoing evaluation of weakness, vulnerabilities in DOT’s Continuous Diagnostic and Mitigation (CDM), other identified security tool suite or other detection reports, issued corrective action plans, re-mediating addressing issues affecting the security posture of applications information system infrastructure.

• Provide cybersecurity expertise to support cybersecurity in the System’s Development Life Cycle (SDLC) process, including supporting processing for requirements review in development phases (Agile, Spiral, DEVSECOPS or Waterfall model), annual Security Assessment and Authorization (SA&A), and Information System Continuous Monitoring (ISCM).

• Develop / update information system’s data for Privacy Impact Assessments (PIAs), Privacy Threshold Analyses (PTAs), and System of Record Notices (SORNs). This includes interfacing/coordinating with the System Owner (SO) that originates/has responsibility for the document to ensure the PIA/PTA/SORN contains appropriate information to be approved/adjudicated by DOT Privacy Office for inclusion in System Authorization package.

• Assist the System Owner, Information Owner, Component Privacy Officer and Information System Security Manager (ISSM) in recording all known security weaknesses of assigned information systems in the Plans of Action and Milestones (POA&M’s) in accordance with DOT policy, guides and procedures.

• Develop Draft Plan of Action and Milestones (POA&M) for observed control level deficiencies or gaps control implementation(s) in accordance with DOT policy, guides and procedures.

• Conduct quality assurance reviews of existing POA&Ms to ensure completeness, accuracy and identified solutions are cost effective.

• Support the information system contingency planning process in accordance with NIST SP 800-34 Revision (Current), Guide to Test, Training and Exercise Programs for Information Technology Plans and Capabilities and ensure contingency plan test exercises results are documented in an after-action report, and Lessons Learned corrective actions are captured for updating information in the Information Systems Contingency Plan (ISCP).

Qualifications

Required Experience, Education, Skills & Technologies

• With Bachelor's degree in Information Systems or related 6 years experience

• With no Bachelor's degree 10 years related experience required

• Minimum of 6 years information system and network security experience with an emphasis in Information Assurance

• 3 years of experience with federal government customers creating and maintaining IT Authorization to Operate (ATO) packages for new systems and interfacing/coordinating with the System Owners (SO), Business Owners, System Maintainers, and Developers

• Keen understanding Federal Information Security Modernization Act 2014 (FISMA) and federal requirement for reporting.

• Keen understanding of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) in detail of all supporting steps and Cybersecurity Framework (CSF) and Privacy Act.

• Knowledge General Services Administration Federal Risk and Authorization Management Program (FedRAMP) including process for continuous monitoring

• At least 3 years of experience:

• Assisting system owners with the mitigation/remediation process, following corrective action plans.

• Conducting weekly and monthly vulnerability and compliance scans of Linux, Windows, and virtual environments with vulnerability tools such as Nessus, Splunk, Invicti (formerly Netsparker), and BigFix.

• Performing vulnerability application and database security assessment, scanning and results interpretation.

• With enterprise security architecture methodologies, concepts, procedures, principles, and tools.

• Contingency planning and backup and recovery best practices and application of NIST guidance in this area.

• Ability to plan, execute and develop report for application, network (internal or external) vulnerability analysis and provides technical recommendations to maintain and improve mission functionality.

• Using security control and privacy control findings and status from assessment to develop POA&M for controls that should be put in place to re-mediate vulnerabilities.

  Preferred Experience, Education, Skills & Technologies

• Experience developing privacy documentation such as PTAs, PCMs, and PIAs

• Experience with security analysis of security controls for systems in the cloud

• Understanding of Identity, Credential and Access Management (ICAM) implementation

• ITILv3

• Certified of Cloud Security Knowledge (CCSK), Azure Certified or other Cloud Certification

• Information Systems Security Professional (CISSP) or similar

• Certified Data Privacy Solution Engineer (CSDPE)

• Certified in Risk and Information Systems Control (CRISC) or CompTIA Advanced Security Practitioner Study (CASP)

  Security Clearance Level

• Public Trust

  Certification

• Minimum of CompTIA Security plus required within 6 months of hire if not in possession of one of the preferred certifications.

  Work Schedule

• Full-time, Hybrid Remote 50%

  Benefits Offered

• Medical, Dental, Vision, Life Insurance, Short-Term Disability, Long-Term Disability, 401(k) match, Tuition/Training Assistance, Parental Leave, Paid Time Off, and Holidays.

  Criterion Systems, LLC and its subsidiaries are committed to equal employment opportunity and non-discrimination at all levels of our organization. We believe in treating all applicants and employees fairly and make employment decisions without regard to any individual’s protected status: race, ethnicity, color, national origin, ancestry, religion, creed, sex/gender, gender identity/gender expression, sexual orientation, physical and mental disability, marital/parental status, pregnancy (including childbirth, lactation, and related medical conditions), age, genetic information (including characteristics and testing), military and veteran status, or any other characteristic protected by law. For our complete EEO/AA and Pay Transparency statement, please visit https://careers-criterion-sys.icims.com/.

Job LocationsUS-DC

ID 2024-3142

Category Information Technology

Type Junior