Job ID: S002 (multiple positions)
Location: Northern Virginia
Clearance: Top Secret Clearance Required.
About Special Aerospace Security Services:
Started in 1988, Special Aerospace Security Services (SASSI) is a Woman Owned Small Business (WOSB) focused on delivering national security mission solutions to the U.S. Government in support of their vital role in protecting the United States of America. Known for highly interactive training provided by nationally recognized security experts from a wide variety of different security disciplines. SASSI has three operating Divisions that cover all aspects of security services: Integrated Security Solutions (ISS), Health Security Services (HSS), and the National Security Training Institute (NSTI). Our areas of expertise include: Personnel, Physical, Cyber, and Health Security, including Management Consulting, Risk Management, Emergency Preparedness and Response, and Working Dog Health and Wellness Support.
Job Summary:
Provide Cybersecurity Governance, Risk, and Compliance (GRC) services to assist our clients with planning, implementing, and maturing their cybersecurity program activities in alignment with the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). A qualified candidate will be responsible for the following primary duties and responsibilities, but are not limited to:
Design and develop GRC processes, procedures, and metrics;
Work with test team to document risk based on system architecture diagrams and vulnerability reports;
Build a Cybersecurity Awareness & Outreach Program;
Lead a team of junior and mid-level cybersecurity analyst by providing templates, quality standards, coaching and mentoring.
Duties will include but are not limited to:
Provide Cybersecurity Governance, Risk, and Compliance (GRC) services to assist our clients with planning, implementing, and maturing their cybersecurity program activities in alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. A qualified candidate will be responsible for the following primary duties and responsibilities, but are not limited to:
Develop of a policy framework, and independently author policies that encompasses all NIST Cybersecurity Framework (CSF) categories and topics;
Design, develop and implement governance processes, procedures, and metrics to ensure adequate enforcement and oversight of the organization’s cyber activities in conformance with written policies;
Perform and document organizational risk assessments using system architecture diagrams, vulnerability reports, and an understanding of the threat vectors and the operating environment;
Design a Cybersecurity Awareness & Outreach Program, complete with branding materials, a communication strategy and creative development of awareness products to create a “cyber aware” culture.
Required Qualifications:
10+ years of experience developing or assisting clients with the implementation of cybersecurity policy and regulatory compliance
8+ years of experience leading a team in the Assessment and Authorization (A&A) process, in accordance with NIST Risk Management Framework
2+ years assessing cloud-hosted systems for the purposes defining security control responsibility between providers and consumers,
2+ years of experience generating, analyzing, and reporting GRC program metrics using Microsoft Excel
Experience independently authoring complex business process documentation
Experience reviewing system architectures, decomposing systems into testable components, and selecting applicable configuration standards to achieve NIST 800-53, NIST 800-171, NIST CSF, Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) or International Organization for Standardization (ISO) standards and security requirements.
Experience with risk assessment and mitigation, Information Assurance principles, NIST special publications
Possession of excellent oral and written communication skills
B.A. or B.S. degree in Information Technology (IT) related field (may be waived for equivalent experience)
Professional security certification such as CISSP, Security+, CEH, ISSEP (alternative certifications will be considered)
Desired Qualifications:
Experience with Microsoft Azure and AWS
Experience with Tableau, Splunk, or Power BI for security data analytics
Experience with ServiceNow for GRC workflow management and tracking
Experience with RedSeal for networking mapping and vulnerability impact assessments
Experience generating RMF A&A Packages or overseeing a team and resolving challenges
Experience with both commercial and government organizations (e.g., Legislative Branch, DoD, or State and Local