Senior Cyber Security Analyst
Information and Data are some of the most important organizational assets in today’s businesses. As a Security Consultant, you will be a key advisor for IBM’s clients, analyzing business requirements to design and implement the best security solutions for their needs. You will apply your technical skills to find the balance between enabling and securing the client’s organization with the cognitive solutions that are making IBM the fastest growing enterprise security business in the world.
Your Role and Responsibilities
Octo, an IBM company, is an industry-leading, award-winning provider of technical solutions for the federal government. At Octo, we specialize in providing agile software engineering, user experience design, cloud services, and digital strategy services that address government’s most pressing missions. Octo delivers intelligent solutions and rapid results, yielding lower costs and measurable outcomes.
Our team is what makes Octo great. At Octo you’ll work beside some of the smartest and most accomplished staff you’ll find in your career. Octo offers fantastic benefits and an amazing workplace culture where you will feel valued while you perform mission critical work for our government. Voted one of the region’s best places to work multiple times, Octo is an employer of choice!
As a Senior Cyber Security Analyst at Octo, you will help support a multi-year, high-profile software modernization project in support of the Department of Veterans Affairs. This individual will work with a team of other cybersecurity specialists and analysts to support the delivery and sustainment of reliable, scalable, and high-performance commercial SaaS solutions for the Department of Veterans Affairs. This is a cross-functional role that will work closely with technical team members and various VA and external stakeholders, including many at the leadership level. They will apply their skills and experience to provide the support and expertise needed to get cloud-based software solutions (i.e. SaaS) to VA customers and keep them in compliance with Federal and VA security requirements.
We were founded as a fresh alternative in the Government Consulting Community and are dedicated to the belief that results are a product of analytical thinking and agile design principles, and that solutions are built in collaboration with, not for, our customers. This mantra drives us to succeed and act as true partners in advancing our clients’ missions.
This program supports the VA Office of Information Security (OIS) by providing investigative Technical Risk Analysis reports and remediation support across all critical systems within eMASS consisting of SaaS, PaaS, and On-Prem classifications, for the purposes of technical risk, VA compliance, and resiliency.
- Applies experience and knowledge of NIST Risk Management Framework (RMF) and how Federal agencies apply this to secure their information systems.
- Applies experience and knowledge with the Assessment and Authorization (A&A) process, including Authority To Operate (ATO) packages and its alignment with RMF processes.
- Coordinates FedRAMP authorization on behalf of VA BO including FedRAMP intake, kickoff, Work Breakdown Structure (WBS), remediation, and Authority to Operate (ATO).
- Builds out Implementation Plan, Security Test Results, and Evidence management.
- Responsible for Plan of Action and Milestone (POA&M) development, which includes any necessary remediation.
- Drafts Standard Operating Procedures (SOPs) for user account provisioning and end user controls (VA responsibility).
- Updates technical security specs within eMASS packages to accurately reflect new information.
- Supports Authorizing Official System Brief (AOSB) development regarding successes, POA&Ms, and all stakeholder input.
- Coordinates Incident Response Plan (IRP), and Memorandum of Understanding/Information System Agreement (MOU/ISA) development including all final signatures.
- Facilitates Incident Response Plan (IRP) tabletop exercises.
- Ensures detailed and efficient hand-off to Implementation team.
- Works to maintain compliance for SaaS Systems in Continuous Monitoring (RMF Step 6) through reauthorization (RMF 1-5) prior to the Authorization Termination Date (ATD).
- Continuously maintains the VA’s eMASS security controls in alignment with status of FedRAMP package.
- Tracks document expiration statuses in eMASS. Identifies items that are approaching expiration and proactively works to complete new versions of those documents and upload them as artifacts into eMASS.
- Attends and participates in monthly ConMon meetings with the Vendor and VA stakeholders.
- Completes eMASS POA&M remediation actions and updates.
- Coordinates with ConMon personnel on Significant Changes, Deviation Requests, and Operational Requirements in the Vendor’s and Enterprise FedRAMP package.
- Creates monthly POA&Ms for each eMASS package to reflect the status of monthly vulnerability scans conducted by Vendor as well as Enterprise (VA)-responsible controls.
- Implements Annual Assessment SOP requirements, validates prescribed controls, and re-completes RMF Steps 1-5 annually.
- Supports Authorizing Official System Brief (AOSB) development regarding successes, POA&Ms, and all stakeholder input to the system going up for reauthorization.
Years of Experience: Must have at least 5+ years of related security experience, preferably for a federal or government agency, AND 3+ years of hands-on experience working on cloud-based systems (SaaS and/or PaaS) through the FedRAMP authorization process (RMF Steps 1-5, and ideally Step 6 (Continuous Monitoring)).
Education: Bachelor’s Degree or 4 additional years of work experience.
Location: Fully Remote within the United States.
Clearance: Ability to obtain a Public Trust security clearance.
Required Technical and Professional Expertise
- Clearance: Ability to obtain a Public Trust security clearance.
- Bachelor’s Degree or 4 years of demonstrated work experience in the specific field.
- Must have at least 5 plus years of related cyber security experience, preferably for a Federal or government agency.
- Strong conceptual understanding of how and when to apply NIST SP 800-53 (Revision 5) security controls for information systems.
- Must have 3+ years of hands-on experience working on cloud-based systems (SaaS and/or PaaS) through the FedRAMP authorization process (RMF Steps 1-5, and ideally Step 6 (Continuous Monitoring)).
- Working knowledge of the software development life cycle (SDLC) for SaaS applications.
- Excellent professional verbal and written communication and technical documentation skills.
- Ability to read technical documentation and identify alignment and/or conflict with process requirements and policies. Ability to translate these findings into customer communications along with action-items to resolve potential issues.
- Ability to prioritize and work on multiple projects and initiatives simultaneously and adapt to changes in requirements, priorities, and deadlines.
- Strong analytical and organizational skills to include strong attention to detail.
- Strong interpersonal skills and ability to work collaboratively in a dynamic team environment.
- Superb soft skills, including the ability to gain the trust of stakeholders and senior management and to negotiate priorities with external teams.
- Must be able to use a computer.
- Must be able to obtain a government security clearance.
- Must be eligible to work in the United States.
- Must have fast and reliable internet service that allows for effective telecommuting.
Preferred Technical and Professional Expertise
- Experience supporting Department of Veterans Affairs (VA) and/or other Federal organizations.
- Experience working with Enterprise Mission Assurance Support Service (eMASS) or similar cybersecurity management tools.
- Prefer industry-recognized certifications such as Certified Information Systems Security Professional (CISSP) or Certified Authorization Professional (CAP) or Certified Ethical Hacker (CEH).
- Experience working within a combination Waterfall-Agile hybrid methodology (“Wagile”).