About the Role: NR Labs is seeking a self-motivated Security Compliance Engineer. The Security Compliance Engineer will play a key role providing guidance to our client for multiple FISMA systems. This role involves the use of a mixture of technical and compliance skills, supporting system security from design inception through to system decommission. The role will provide security guidance on system architectures, review and improve documentation, and identify risk and develop remediation plans. Additionally, the role will directly support business efficiency by working to make security as seamless as possible.
The selected candidate must have current knowledge and skills in the most current cloud security technologies, including but not limited to AWS, GCP, and Azure. The candidate must also have expert knowledge of security best practices and engineering principles such as virtualization security, web application security, network architecture, container technology, CI/CD pipelines, logging tools, hardening best practices, encryption, FIPS validation, vulnerability management, configuration management, and multi-factor authentication.
The selected candidate must stay abreast of threats, vulnerabilities, and emerging issues that stand to impact Federal information systems. In addition, the candidate must understand the governing laws, regulations, methodologies and/or policies to provide authoritative technical guidance on all issues related to the assigned program.
Role Description:
- Provide security guidance for systems during the design and development of systems so the system achieves an ATO
- Develop and improve security compliance and privacy documentation in support of system ATOs and their maintenance during on-going authorization
- Collaborate with multiple security and infrastructure teams on the integration of security tooling and mechanisms
- Perform detailed architecture and technical design reviews on the full stack for vendor solutions (examples of areas requiring detailed analysis):
  - Assess and document encryption standards for encryption at rest and in transit (What cipher suites are used? What type of encryption? etc.)
  - Assess and document authentication mechanisms for all points in the system (Is MFA implemented at all authentication points? Is the MFA solution approved and compliant with NIST and agency standards?)
  - Assess and document session management and control for all layers of the system
- Schedule and lead screen sharing sessions with the vendors to gain full understanding of the technology stack, document all security relevant information required for the architecture review, and create a full report for presentation to the CISO
- Serve as the IT security POC (ISSO) for assigned systems to ensure agency information systems comply with FISMA, OMB, and agency policies.
- Oversee and manage relationships for assigned systems that may be contractor owned and contractor operated, ensuring vendors comply with agency security and privacy requirements.
- Assist stakeholders with IT security related activities to ensure project deadlines are met.
- Ensure security activities are implemented throughout the SDLC from beginning to end.
- Ensure all systems are operated, maintained, and disposed of in accordance with (IAW) documented security policies and procedures, including but not limited to Assessment & Authorization (A&A).
- Support the development and maintenance of all security documentation such as the System Security Plan, Privacy Impact Assessment, Configuration Management Plan, Contingency Plan, Contingency Plan Test Report, POA&M, annual FISMA assessment, and incident reports.
- Research assigned IT security systems to provide insight on IT security architectures and IT security recommendations for assigned systems.
- Report and respond to security incidents.
- Assess vulnerabilities to ascertain if additional safeguards are needed, ensure systems are patched and security hardened at all levels of the "stack," and monitor to see that vulnerabilities are remediated as appropriate.
- Promote Information Security Awareness and provide training.
Required Qualifications & Education:
- Bachelor's degree in Computer Science, Information Systems, Mathematics, Engineering, or related degree or an additional three (3) years of relevant experience.
- 5+ years of experience in the IT security field
- 3+ years of experience with current cloud security technologies such as AWS and GCP.
- 4+ years of experience supporting A&A (NIST 800-53) and compliance activities
- 4+ years of hands-on technical experience as a System Architect or Security Engineer
- Security+, CISSP, CISM, CISA, or equivalent Security certifications are strongly preferred
- Direct experience with NIST 171 is preferred
- Experience in reviewing 3rd party security assessment reports
- Have detailed knowledge and experience with NIST Policies, Governance, Security Planning and Architecture, FISMA Compliance, RMF, Incident Analysis, and General Security Best Practices.
- Possess strong written and oral communication skills to support customers, internal stakeholders, peers, and public audiences.
- Ability to communicate, both written and orally, to both technical and non-technical stakeholders.
- Technical expertise with Tenable Nessus and Netsparker reports.
- Strong communication skills to interact with senior managers, junior staff, and business unit (non-technical) customers.
Clearance and Location Requirements:
- Able to be cleared for a Public Trust clearance.
- This is a remote position.
About NR Labs
At NR Labs, our passion is to solve the hard problems that keep security leaders up at night in a way that caters to their unique technical, financial, political, and business posture. Our company empowers every organization to achieve its cyber potential. NR Labs focuses on cybersecurity for public and private sector clients and is dedicated to solving their most complex cyber challenges. If you are curious to learn more about NR Labs, please visit our website at nrlabs.com.