IT Risk Assessment Auditor

The Security Services Department’s overall mission is to identify and counter security threats to the MIT Lincoln Laboratory’s mission of development of game-changing technology in support of National Security, including guarding against compromise by foreign intelligence agencies and insider threats. To accomplish this mission, this department formulates and implements policies, plans, and actions designed to protect facilities against threats of vandalism, accidental destruction, and sabotage; and safeguards personnel, classified and unclassified information systems, personal identifiable information, property, and other assets from exploitation and recruitment by foreign intelligence agencies.

We foster a diverse and inclusive culture where security professionals from a wide range of backgrounds are empowered to solve complex security problems in close collaboration with Laboratory research teams and Government counterparts. Our people are our most important resource, and we encourage a casual and flexible opportunity-filled working environment that is technology-focused. Where mission needs can be met, the Security Services Department encourages flexible schedules and hybrid remote work arrangements

Who are we?

MIT Lincoln Laboratory is a Federally Funded Research and Development Center (FFRDC) whose mission is research in support of National Security.

* Mission - The Security Services Department’s (SSD) overall mission is to identify and counter security threats to the MIT Lincoln Laboratory’s mission of development of game-changing technology in support of national security, including guarding against compromise by foreign intelligence agencies and insider threats
* Culture – We foster an inclusive, opportunity-filled environment of empowered team members from diverse backgrounds

What will you do?

The IT Security Risk Auditor position performs audits of classified Information Systems (IS) to ensure that they are being maintained in a compliant manner and are following applicable laws and government regulations, such as National Industrial Security Program Operation Manual (NISPOM) guidelines regarding the protection of classified information systems, National Institute of Standards and Technology (NIST) standards and special publications, and Laboratory Information System Security Procedures. The candidate must be knowledgeable in fundamental computer security principles and policies: Security Technical Implementation Guides (STIGs), NIST 800-53/Risk Management Framework (RMF), Joint SAP Implementation Guide (JSIG), Intelligence Community Directive (ICD) 503, CNSSI 1253, and DOD Manual 5205.07 Volumes 1-4. 

General: The IT Security Risk Auditor is responsible for maintaining and auditing programs to validate compliance with various government regulations and Laboratory Information Security policies. The position is responsible for conducting comprehensive assessments of the management, operation, monitoring and technical security controls employed within or inherited by Information Systems to determine the overall effectiveness of the controls (i.e. the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome) with respect to meeting the security requirements of the Authorization to Operate (ATO) for the system and for the ability to conduct open source and internal research to identify current threat indicators, exploits, and vulnerabilities.

* Materials Control & Accountability: Will help maintain an audit program to validate compliance with various government regulations and Laboratory Information security policies
* Personnel Security: Will assist and serve as a subject matter expert for all Laboratory inspection and compliance by following the DCSA and DoD system of record for clearance process and reporting
* Security Education, Training and Awareness: Will assist and maintain any new/updated government security regulations and requirements as it relates to classified and unclassified information protection

How will you grow?

You will find significant opportunities to do meaningful work in an environment intentionally designed to be one where you will learn, thrive and belong.
* Leadership: Room to advance on your team or to lead cross-functional projects.
* Growth Opportunities: Potential for lateral and vertical movement.
* Education/Training: Management training, mentorship, in-house and external courses.
* Exposure: Engagement with sponsors, stakeholders, Laboratory leadership and other Departments and Divisions.
* Community: Participation is encouraged for Laboratory social events, Employee Resource Groups (ERGs), clubs and study groups, volunteering and community service projects

What you need:

For this position, you must meet these basic requirements.
* Bachelor’s degree in Computer Science, Information Technology, Computer Information Systems, or related field is required with a minimum of seven (7) years’ experience conducting risk assessments within Special Access and Sensitive Compartmented Information Programs. 
* Information Assurance Certifications preferred (CISSP/CISA, Security+, GSEC, CRISC or equivalent).
* Advanced academic degrees and/or certifications in information Assurance, Information Security or IT certifications may be considered substitutes for DoD experience. 
* Experience in compliance auditing, security reviews, or vulnerability assessments.
* Technical experience and skills, course work completed toward a degree, and industry IT certifications (i.e. CISSP, CISA) may be considered substitutes for education and experience. 
* Candidate must possess an in-depth knowledge of information security principles and policies such as Risk Management Framework (RMF) as presented by the National Institute of Standards and Technology (NIST), Joint Special Access Program (SAP) Implementation Guide (JSIG), Intelligence Community Directive 503 (ICD-503), and all applicable Security Technical Implementation Guides (STIGs). 
* DoD 85770 IAM Level I Baseline Certification required. 
* Working experience directly related to Assessment and Authorization using any of the following: 
o NIST 800-53/Risk Management Framework (RMF)
o Joint SAP Implementation Guide (JSIG)
o Intelligence Community Directive (ICD) 503
o National Industrial Security Program Operating Manual (NISPOM) Chapter 8 
* Must be able to obtain and maintain a Top-Secret level DoD security clearance

Regulatory compliance experience: The ability to read, understand and apply government regulation, policies and procedure National Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117, computer security principles and policies, to include, Security Technical Implementation Guides (STIGs) and NIST 800-53 / Risk Management Framework (RMF).

Ideally, you will have:

 The Laboratory values experiences from diverse backgrounds and occupations. The most successful candidates will have the following skills and qualifications.

* Valued competencies: Interpersonal, organizational, written and verbal communication skills.
* Computer skills: Familiarity with security management software, such as SIMS and government databases such as DISS (Defense Information Security System). Knowledge of business software: Excel, Word, PowerPoint, Office, etc.
* Flexibility: Comfortable responding to off-hours emergencies and local/overnight travel as needed (infrequent, but a possibility)

At MIT Lincoln Laboratory, our exceptional career opportunities include many outstanding benefits to help you stay healthy, feel supported, and enjoy a fulfilling work-life balance. Benefits offered to employees include:
• Comprehensive health, dental, and vision plans
• MIT-funded pension
• Matching 401K
• Paid leave (including vacation, sick, parental, military, etc.)
• Tuition reimbursement and continuing education programs
• Mentorship programs
• A range of work-life balance options
• ... and much more

Please visit our Benefits page for more information. As an employee of MIT, you can also take advantage of other voluntary benefits, discounts, and perks.