NXTKey Corporation has been delivering Information Technology, Information Management, Information Assurance (IA) and cybersecurity solutions to the US Federal Government since 2005.
NXTKey Corporation is a 15-year-old, ISO 9001, ISO 27001, ISO 20000 and CMMI Level 3 (SVC) + SSD certified, agile, Highly Adaptive Cybersecurity Services (HACS) qualified Woman Owned Small Business (WOSB). We have refined our Information Technology, Information Management, Information Assurance (IA) and cybersecurity solutions by supporting highly complex Information Technology (IT) environments at the Department of Justice (DOJ) United States Marshals Service (USMS), Justice Management Division (JMD), Office of Justice Programs (OJP), Federal Prison Industries (FPI) and the National Oceanic and Atmospheric Administration (NOAA).
Our depth of experience allows us to provide IT security support for a wide range of IT General Support Systems (GSS) and Major Applications (MAs) within the Federal Enterprise, following the guidance in the Federal Enterprise Architecture (FEA), and to provide information systems security support services in accordance with OMB Circular A-130, NIST guidelines and standards, and other federal policies and regulations.
Candidates must have the following experience:
1. Experience with Tenable Nessus.
2. Experience with CSAM.
3. Experience with SA&A/ATO.
4. Experience with FISMA.
5. Experience with FedRAMP.
Job Description:
1. Manage the RMF process, including but not limited to Assessment & Authorization (A&A) package submission and maintenance, System Network Approval Process (SNAP) package submission and maintenance, and Configuration Management (CM) services, which encompass the change control board meetings. With regard to the A&A package, the candidate will be responsible for the Authority to Operate (ATO) and Authority to Connect (ATC) approval packages, which are required for the NIPR and SIPR enclaves (networks) to function.
2. Maintain the CM process which manages all current and new requirements that affect the enclave in regard to interface, functionality, data storage and manipulation, security, and environment.
3. Conduct comprehensive IT security control assessments on systems identified within the scope of this contract. Assessments shall determine the condition of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).
4. Provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation, and recommend corrective actions and/or controls to address identified vulnerabilities.
5. Review the System Security Plan (SSP) prior to initiating the security control assessment and ensure the plan provides a set of security controls for the information system that meets the stated security requirements.
6. Evaluate threats and vulnerabilities to information systems to ascertain the need for additional safeguards and controls to mitigate vulnerabilities.
7. Review and approve the information system security assessment plan, which is comprised of the SSP, the Security Controls Traceability Matrix (SCTM), and the Security Control Assessment Procedures.
8. Ensure security control assessments are completed for each information system and ensure controls are working as intended and these controls protect the confidentiality, integrity and availability of IT resources at the appropriate levels.
9. Prepare the final Security Assessment Report (SAR) containing the results and findings from the assessment at the conclusion of each security control assessment activity.
10. Support compliance with RMF controls to include, as necessary, development of Plans of Action and Milestones (POA&Ms) and mitigation of control deficiencies.
11. Evaluate security control assessment documentation and provide written recommendations for security authorization to the AO.
12. Assemble and submit the security authorization artifacts to the AO (consisting of, at a minimum, the SSP, the SAR, the POA&M, and a Risk Assessment Report (RAR)).
13. Provide solutions and recommendations to remedy security vulnerabilities and threats, ultimately improving the protection of IT resources.
14. Apply IT security control requirements to address the level of security required to protect the confidentiality, integrity and availability of system data and resources. Solutions shall be compatible with system or network hardware and software configurations and shall be approved by the configuration managers of the system and network. Recommendations shall include test plans and procedures to ensure results support the required objectives and capabilities.
15. Perform Security Test and Evaluation (ST&E) for each system prior to its assessment phase. The candidate shall perform scans of systems and architectures using AF-approved scanning tools during the ST&E event and provide reports.
16. Edit existing Government documents, prepare briefings as required to update the Government on the status of actions, and coordinate with all project members to meet the goals and objectives of the assigned task. If required to implement a cybersecurity initiative, the PM shall complete the A&A documents required to obtain an ATO. The contractor shall complete POA&Ms for the project to address security vulnerabilities.
17. Ensure risk management is integrated into the technical, physical and administrative controls throughout the network, system, database, and application lifecycle.
18. Perform IA support services to assist IA Program Managers (PMs) and ISSOs/ISSMs in maintaining an effective cybersecurity program that supports missions and adequately protects the confidentiality, integrity and availability of information resources.