System Security Officer

Columbia, MD, US

eSimplicity


Description

About Us 

eSimplicity is a modern digital services company that works across government, partnering with our clients to improve the health and lives of millions of Americans, ensure the security of all Americans—from soldiers and veterans to kids and the elderly, and defend national interests on the battlefield. Our engineers, designers, and strategists cut through complexity to create intuitive products and services that courageously equip Federal agencies with solutions to transform today for a better tomorrow for all Americans. 


Purpose of Scope: 

We’re seeking a hybrid System Security Officer (SO) with strong service delivery acumen, deep technical security engineering expertise, and keen leadership abilities. The SO serves as a key technical contributor who provides security support services while meeting security compliance requirements for a portfolio of systems at various states of maturity and modernization. This role supports continuous monitoring of the cybersecurity posture of systems to secure them against cyber threats. The SO’s primary responsibility is to ensure adherence to all applicable federal IT security and privacy standards, policies, statutes, and reporting requirements, as well as all National Institute of Standards and Technology (NIST) standards and guidelines and other Government-wide laws and regulations for the protection and security of Government information. The SO does this by facilitating security tool implementation and usage and ensuring tools remain compliant and properly configured, all while ensuring a successful program Authorization to Operate (ATO).

To fulfill its primary responsibilities, the SO will provide subject matter expertise throughout all phases of the Software Development Life Cycle (SDLC) and is expected to share ownership in delivering security services through active participation in the Scaled Agile Framework (SAFe). This promotes a proactive approach to embedding security architecture and engineering priorities and considerations throughout the SDLC process, resulting in improved risk management and enhanced collaboration, communication, visualization, and coordination among cross-functional agile teams and stakeholders. The SO role owns coordination and response to agency security-related inquiries, compliance with security controls, and maintenance of security documentation and artifacts. The SO will act as the primary liaison to provide timely and accurate responses to security-related data calls (System Security & Compliance Status, Vulnerability and Compliance scanning issues) and annual security assessments. The SO will interface with multiple stakeholders through multiple touchpoints weekly.


Responsibilities:  

  • Provide security oversight for user provisioning, role-based access control (RBAC), least privilege enforcement, and access auditing. 
  • Perform periodic user and privileged access reviews. 
  • Establish, lead and facilitate all aspects of onboarding/offboarding personnel to include granting and revoking system access. 
  • Lead and participate in triggered contingency planning events, incident response investigations, reporting, and lessons learned processes. 
  • Lead, develop and conduct annual Contingency Plan and Incident Response Plan Test and Training exercises. 
  • Work closely with the Product Owners, agency ISSOs, engineering and infrastructure staff to provide guidance on implementation of security policies, standards, and procedures.
  • Analyze new or updated security requirements, collaborate with stakeholders, and develop responses that are clear and accurate. 
  • Support the review and update of ATO artifacts such as System Security & Privacy Plans, Security Boundary Diagrams, Information System Contingency Plans, Configuration and Change Management Plans, Incident Response Plans, Security Impact Analysis (SIA), Privacy Impact Analysis (PIA), and more. 
  • Interpret security risk assessment and security scan results, assess security vulnerabilities and support the remediation of vulnerabilities and compliance issues via Plan of Action and Milestones (POA&Ms). 
  • Support the design, development and implementation relating to security features. 
  • Work with engineering and infrastructure personnel in support of system development, and remediation of vulnerabilities and non-compliance issues. 
  • Analyze and interpret agency security requirements and provide governance communication to non-security personnel. 
  • Collaborate with product teams, ISSOs and other stakeholders in support of continuous monitoring and ATO efforts. 
  • Conduct vulnerability assessments and monitor systems, networks, databases and Web-based assets for potential system breaches. Recommend and take the lead on implementing changes to enhance security mechanisms and safeguards, to prevent unauthorized access and unauthorized modifications, and help mitigate security vulnerabilities. 
  • Respond to alerts from information security tools; report, investigate, and resolve security incidents.  
  • Respond to outages and degradations in service; configure and tune security tools, rules and alerting controls, and setup/maintain security tool dashboards and reporting. 
  • Research security trends, new methods, and techniques used in unauthorized access of data to preemptively eliminate the possibility of a system breach; ensure compliance with regulations and privacy laws; conduct research and develop a threat model to identify new attack vectors. 
  • Educate and communicate security requirements and procedures to all users and new employees. Comply with personnel security of new and existing team members to ensure staff is compliant with security and privacy awareness, rules of behavior, records management responsibilities, safeguarding Personal Identification Information (PII) and Personal Health Information (PHI) and continued role-based training.
  • Recommend process improvements to the information system for risk mitigation. 
  • Apply iterative security automation to all program aspects increasing overall security posture; never accepting the status quo. 
  • Provide audit log reviews in Splunk, present any security findings to agency ISSOs, and plan for any investigation or remediation activities. 

Required Qualifications: 

  • All candidates must pass public trust clearance through the U.S. Federal Government. This requires candidates to either be U.S. citizens or pass clearance through the Foreign National Government System which will require that candidates have lived within the United States for at least 3 out of the previous 5 years, have a valid and non-expired passport from their country of birth and appropriate VISA/work permit documentation. 
  • Minimum of 7+ years related experience. 
  • A bachelor's degree in computer science, Information Systems, Engineering, Business, or other related scientific or technical discipline. With six years of general information technology experience and at least four years of specialized experience, a degree is not required. 
  • Familiarity with Agile Methodologies. 
  • Working knowledge of AWS Security tools, their functionality, and purpose. 
  • Assist customer with defining appropriate management processes (Responsible for documenting application criticality, privacy, and security impact analysis). 
  • Knowledge of hardening standards (DISA STIG, CIS). 
  • Understanding of NIST Risk Management Framework and NIST 800-53 rev5 and FedRAMP. 
  • Experience with DevSecOps, CI/CD pipeline and defining/maintaining security decision quality gates. 
  • Know the difference between SAST, DAST, IAST, and OAST tools and their functions, benefits, and weaknesses within CI/CD.
  • Understanding business security practices and procedures; knowledge of current security tools available; hardware/software security implementation; different communication protocols; encryption techniques/tools; familiarity with commercial products; and current Internet technology. 
  • Understands continuous automated security practices applied to data and application engineering teams. 
  • Prior experience managing systems in AWS cloud environments, familiarity with AWS Tools and Services 
  • Experience with designing security “baked-in” to any architecture: Cloud service offerings and managed service inherited, hybrid and system-specific security controls, Cloud and IaC, Applications, Web application, Data Processing, Data Centric Applications, AI/ML, CICD Pipelines; seeks automation driven designs. 
  • Demonstrated work experience with the following: computer networking, cryptography, security engineering and architecture, vulnerability assessments, or operating systems required.  
  • Broad experience using cloud services, Linux systems, and development/data engineering core tools (GitHub, GitHub Actions, security tools, etc.).
  • Demonstrated working knowledge of vulnerability and compliance scanning tools. 
  • Understands how to assess vulnerabilities and provide recommendations regardless of first-hand knowledge of the application or system. 
  • Proven ability to work effectively both independently and/or in a team setting.  
  • Must possess strong analytical and problem-solving abilities; and strong critical-thinking skills in complex communication environments.  
  • Strong attention to detail. Required to manage and follow through on multiple independent tasks and dependencies across intra/inter-project teams.
  • Excellent organizational and time-management skills in a fast-paced environment.  
  • Excellent customer service skills with the ability to deal tactfully, confidently, and ethically with both internal and external customers. 
  • Experience with Government Agency Security Assessment Process in support of maintaining and/or establishing an ATO and the appropriate security boundary. 
  • Experience with Atlassian Jira & Confluence 
  • Excellent command of written and spoken English.   


 


Desired Qualifications: 

  • Federal Government contracting work experience 
  • Highly preferred industry certification such as the CISSP, CEH, GIAC, etc. 
  • Experience with Security Information and Event Management (SIEM) systems (i.e., Splunk).
  • Ability to provide design and implementation of Zero Trust security controls across SaaS, PaaS, and IaaS components support. 
  • Ability to provide design and implementation of authentication and authorization strategies including, Identity Federation (e.g., SAML, OAuth, OIDC); MFA, Adaptive Access, Risk-Based Authentication; Privileged Access Management (PAM); and Identity Governance & Administration (IGA) support. 
  • Ability to provide Security Automation, DevSecOps & CI/CD Integration support. 
  • Salesforce Government Cloud Plus – SaaS development and administration. 
  • Copado – DevOps, Copado Robotic Testing, AppOmni, Snyk and anti-virus/malware solutions.

Working Environment: 

eSimplicity supports a hybrid work environment operating within the Eastern time zone so we can work with and respond to our government clients. Expected hours are 9:00 AM to 5:00 PM Eastern unless otherwise directed by your manager. 

Occasional travel for training and project meetings. It is estimated to be less than 25% per year.   

Benefits: 

We offer highly competitive salaries and full healthcare benefits. 

Equal Employment Opportunity: 

eSimplicity is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, gender, age, status as a protected veteran, sexual orientation, gender identity, or status as a qualified individual with a disability. 

 


Tags: Agile Audits Automation AWS CEH CI/CD CISSP Clearance Cloud Compliance Computer Science Confluence Cryptography DAST DevOps DevSecOps DISA Encryption FedRAMP GIAC GitHub Governance Government agency IaaS IAST Incident response Jira Linux Malware Monitoring NIST NIST 800-53 PaaS POA&M Privacy Risk assessment Risk management RMF SaaS SAML SAST SDLC Security assessment Security Impact Analysis SIEM Splunk Vulnerabilities Zero Trust

Perks/benefits: Career development Health care Team events

Region: North America
Country: United States
