Information Systems Security Engineer

Posted 5 months ago

Kina'ole Foundation, United States. Full time.

Job Description

GPSI Guam is a Professional Technical Services Company headquartered in Hagatna, Guam. We are an SBA-certified Native 8(a) and HUBZone Small Disadvantaged Business providing program/project management, administration, technical support, general contracting, logistics, commodities, and training resources.


GPSI is a wholly owned subsidiary of the Kina'ole Foundation, a 501(c)(3) non-profit established to benefit Native Hawaiian communities. GPSI offers a competitive salary and a comprehensive benefits package that includes:

  • Health insurance
  • Dental insurance
  • Life insurance
  • Professional training reimbursement
  • 401K
  • Disability insurance

Duties and Responsibilities:

  • Work with the Regional Information Systems Security Manager (ISSM), Information Systems Security Officers (ISSOs), and other J6 CIO staff on the creation, completion, and maintenance of security-related documents such as Assessment and Authorization (A&A) packages (previously Certification and Accreditation).
  • Perform vulnerability scans on all systems and network devices to ensure that all Information Assurance Vulnerability Alerts and Bulletins (IAVA/B), Communications Tasking Orders (CTOs), Task Orders (TASKORDs), and other security-related tasking are applied as required by current Government directives.
  • Perform account and data-access functions, verifying that users hold the proper clearances; maintain information ownership responsibilities for each information system, including accountability, access approvals, and special handling requirements; maintain user agreements, SIPRNet account information, and user validation forms.
    • Monitor and maintain user training certificates (Cyber Awareness and Cybersecurity Workforce training requirements).
    • Ensure physical space requirements for Restricted Access Areas (RAA), Controlled Access Areas (CAA), and Open Storage Secret spaces meet the mandated classification requirements. Complete annual Physical Security STIGs for all spaces with ONE-NET computers under JRM's purview.
  • Develop and implement Configuration Management (CM) control policies and practices for authorizing the use of software and hardware. Monitor changes to system software, hardware, etc., to ensure security is not adversely impacted. Update the appropriate documentation and upload it into eMASS.
  • Oversee, monitor, coordinate, and conduct system security evaluations, audits, and reviews; coordinate and direct the Command Information Assurance Vulnerability Management (IAVM) and Communications Tasking Order (CTO) programs.
  • Inspect and certify physical space requirements for Restricted Access Areas (RAA) and Controlled Access Areas (CAA), ensuring the mandated classification requirements are met. Provide protection requirements against intruders, vandals, accidents, and environmental dangers (e.g., fire, water). Develop and maintain Command IT security policies; provide Public Key Infrastructure (PKI) and Common Access Card (CAC) support; monitor existing and new Department of Defense (DoD), Department of the Navy (DON), Defense Information Systems Agency (DISA), and other agency IT and security policies to stay current.
  • Provide Information Security (INFOSEC) training management; Physical Security support; Vulnerability Remediation Asset Manager (VRAM) management; Assured Compliance Assessment Solution (ACAS) scanning and support; Host Based Security System (HBSS) management and support; and creation, modification, and maintenance of Assessment and Authorization packages via eMASS.
  • Provide Security Compliance and Risk Mitigation Support to the Information Systems Security Manager (ISSM)/Information Systems Security Officer (ISSO). Conduct Risk Management Framework (RMF) steps 1-4 assessment and implementation based on the collection, analysis, and reporting of data in accordance with the appropriate security technology and Government policy methods.
  • Analyze assessments and reach an overall risk-based determination on security controls and countermeasures, and on the overall security posture of systems, programs, networks, and infrastructures throughout the IT engineering lifecycle. Security compliance and risk mitigation support may include the following:
    • Security Policies
    • Management Support
    • Security Integration into the Systems/Software Development Life Cycle (SDLC)
    • Security Personnel
    • Security Infrastructure and Tools
    • Threat and Vulnerability Management
    • Configuration Management
    • Access Control
    • Audits and Assessments
    • Business Continuity
    • Incident Handling
    • Training and Awareness
  • Provide support for JRM systems cybersecurity assessment and analysis: generating scorecards and inventories, developing POA&Ms, and producing other artifacts as required by the ISSM/ISSO or an authorized representative.
  • Perform ACAS, STIG, and SRG compliance scans, discovery scans, and other scans on systems when authorized and directed. Investigate rogue devices on the network. Update the appropriate hardware list and diagrams in eMASS based on scan results.
  • Develop and maintain logs tracking facility systems status, POA&M execution, POCs, and other pertinent information related to securing the systems tracked. Provide support services for enclaves and systems to achieve an Authorization to Operate (ATO) and an Authorization to Connect (ATC) and maintain an appropriate IA posture.
  • Maintain JRM systems' accreditation status through implementation of RMF Step 6 Continuous Monitoring phase. This includes maintenance and updates of the system's POA&M, performing quarterly STIG verification, performing updates as needed to the system's Hardware/Software/Firmware list, Ports/Protocols/Services list, and Network Diagram, and updating/re-testing IA controls in eMASS.
  • The contractor must have experience using Enterprise Mission Assurance Support Service (eMASS), VRAM, or similar system repositories for IA purposes, and experience assessing and mitigating technical security and operational risks to organizational enclaves and technologies, including:
    • Overseeing the development and maintenance of a system's cybersecurity solutions.
    • Identifying the system type (IS, PIT, IT product, IT service) and any special considerations, including multi-service/agency, joint, cross domain, Personally Identifiable Information (PII), Protected Health Information (PHI), tactical, space, etc., to support RMF Step 1 system categorization.
    • Identifying mission criticality.
    • Identifying the security control baseline set and any applicable overlays and tailoring.
    • Assisting with development, maintenance, and tracking of the Security Plan.
    • Leading the security control implementation and testing efforts.
    • Initiating the Risk Assessment Report (RAR).
    • Assisting with any security testing required as part of A&A or annual reviews.
    • Assisting in the mitigation and closure of open vulnerabilities under the system's change control process.
    • Overseeing cybersecurity testing to assess security controls; recording security control compliance status during the continuous monitoring phase of the lifecycle.
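
The rogue-device investigation and hardware-list update called out above can be illustrated with an added example (this is not GPSI, JRM, ACAS or eMASS code): it reconciles a discovery-scan export against the authorized hardware list, flagging devices on the network that are not authorized, authorized devices the scan did not see, and authorized devices whose IP or hostname changed. The CSV column names, the sample rows and the host names are constructed for the example; a real run would export the scan from ACAS and the hardware list from eMASS.

```python
"""Reconcile a discovery scan against an authorized hardware list.

Added illustration; not GPSI, JRM, ACAS or eMASS code. Inputs are
constructed sample data and the column names are assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: what an eMASS hardware-list export might contain.
AUTHORIZED_CSV = """\
mac,ip,hostname
00-1A-2B-3C-4D-5E,10.20.30.11,JRM-FS01
00-1A-2B-3C-4D-5F,10.20.30.12,JRM-DC01
00-1A-2B-3C-4D-60,10.20.30.13,JRM-PRT01
00-1A-2B-3C-4D-61,10.20.30.21,JRM-WS07
"""

# Constructed sample: what a discovery-scan export might contain.
# Note the different MAC formatting, a moved printer and an unknown host.
SCAN_CSV = """\
ip,mac,hostname
10.20.30.11,00:1a:2b:3c:4d:5e,JRM-FS01
10.20.30.12,00:1a:2b:3c:4d:5f,JRM-DC01
10.20.30.44,00:1a:2b:3c:4d:60,JRM-PRT01
10.20.30.99,d4:81:d7:00:00:01,
"""


@dataclass(frozen=True)
class Asset:
    mac: str        # canonical form aa:bb:cc:dd:ee:ff
    ip: str
    hostname: str


def norm_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:...' to one form,
    so the same NIC compares equal regardless of which tool exported it."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_assets(csv_text: str) -> dict[str, Asset]:
    """Parse a CSV with mac/ip/hostname columns into a dict keyed by MAC.
    A duplicate MAC in one export is an input error, not something to merge silently."""
    assets: dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = norm_mac(row["mac"])
        if mac in assets:
            raise ValueError(f"duplicate MAC in input: {mac}")
        assets[mac] = Asset(mac, row["ip"].strip(), row["hostname"].strip())
    return assets


def reconcile(authorized: dict[str, Asset], scanned: dict[str, Asset]) -> dict:
    """Compare scan results with the authorized list, keyed by MAC."""
    rogue = [a for mac, a in scanned.items() if mac not in authorized]
    not_seen = [a for mac, a in authorized.items() if mac not in scanned]
    changed = []
    for mac in authorized.keys() & scanned.keys():
        before, after = authorized[mac], scanned[mac]
        if before.ip != after.ip or before.hostname != after.hostname:
            changed.append((before, after))
    return {"rogue": rogue, "not_seen": not_seen, "changed": changed}


def report_lines(result: dict) -> list[str]:
    """Render findings as lines for the investigation log and the hardware-list update."""
    lines = []
    for a in result["rogue"]:
        lines.append(f"ROGUE     {a.ip:<15} {a.mac}  {a.hostname or '<no hostname>'}"
                     "  -> investigate; not on authorized hardware list")
    for a in result["not_seen"]:
        lines.append(f"NOT SEEN  {a.ip:<15} {a.mac}  {a.hostname}"
                     "  -> confirm offline or decommissioned; update eMASS list")
    for before, after in result["changed"]:
        lines.append(f"CHANGED   {before.mac}  {before.hostname}: {before.ip} -> {after.ip}"
                     "  -> verify CM record; update list and network diagram")
    return lines


if __name__ == "__main__":
    findings = reconcile(load_assets(AUTHORIZED_CSV), load_assets(SCAN_CSV))
    for line in report_lines(findings):
        print(line)
```

Keying on MAC only works when the scanner sits in the same broadcast domain as the targets; for remote subnets a discovery scan typically reports only IP and hostname, so the join key has to change accordingly. A "NOT SEEN" result is not by itself a finding to close: a host that is simply powered off should not be removed from the hardware list on the strength of one scan.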

Qualifications:

  • Minimum Baseline Certifications: CompTIA Advanced Security Practitioner
  • Minimum Operating System Certification: Microsoft OS or VMware

GPSI is an equal opportunity employer and values diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.



Job Posted by ApplicantPro