Cybersecurity Analyst
Frederick, MD, United States
Full Time | Mid-level / Intermediate | Clearance required | USD 71K - 125K
Logistics Management Institute
With a legacy of solving the government’s most complex challenges and an outcome-driven model to execute above expectation, LMI transforms missions with solutions that define the new speed of possible.
Overview
LMI is seeking a Cybersecurity Specialist to support the mission to develop, manage and perform end-to-end life cycle logistics on medical equipment to protect and sustain the Warfighters and their families for the Nation. The Cybersecurity Specialist will work directly with DoD and vendors, running tests and evaluations on the operating systems of medical equipment that will sit on the DoD network, validating that the systems meet the DoD Risk Management Framework (RMF) requirements and ensuring that they are not vulnerable to inside and outside threats. This position requires the ability to obtain a Public Trust Clearance (NACI). You must be a U.S. citizen. The position can be performed mostly in a remote capacity, with onsite presence required one day per week at the client site in Frederick, MD.
LMI is a consultancy dedicated to powering a future-ready, high-performing government, drawing from expertise in digital and analytic solutions, logistics, and management advisory services. We deliver integrated capabilities that incorporate emerging technologies and are tailored to customers’ unique mission needs, backed by objective research and data analysis. Founded in 1961 to help the Department of Defense resolve complex logistics management challenges, LMI continues to enable growth and transformation, enhance operational readiness and resiliency, and ensure mission success for federal civilian and defense agencies.
LMI has been named a 2024 #BestPlacestoWork in the United States by Built In! We are honored to be recognized as a company that values a people-centered culture, and we are grateful to our employees for making this possible!
Responsibilities
- Meet with COTS vendors on a weekly or biweekly basis to discuss RMF project and status. Provide them with guidance on how to address STIGs and provide SME information. Ensure that the vendor is complying with delivering ACAS scans every 30 days and updating STIGs quarterly with DISA version releases.
- Review system documentation and STIG comments for completeness, clarify any discrepancies found. Review core documentation (diagram, HW/SW list, PPS, and system security plan or manual) to determine applicable STIGs to assess the target system components.
- Tailor control listing based on STIGs selected and system categorization.
- Complete test results to determine control assessment procedure or common correlation identifier (CCI) compliance status.
- Submit help desk tickets to register system PPS to DHA PPSM registry.
- Review eMASS record required fields for completeness. Create new eMASS records as needed. Complete the system implementation plan (based on the control compliance) and record identify responsible entities.
- Document system vulnerabilities (technical and documentation related) in the eMASS record POAM. Complete all POAM fields and work with the vendor to determine the best way to mitigate and remediate each individual vulnerability.
- Submit Cost Estimates for IV&V assessments and A&I assessments. Submit help desk tickets for Risk Management Executive Division services such as Assess Only, IV&V, Security Plans, and Risk Assessment Change Requests.
- Submit RMF workflows in eMASS for ATO Extensions, ATO-C requests, Assess Only (A&I) approvals, Change Requests, Security Plans and Decommissions.
- Supervise IV&V on behalf of the PMO as a stakeholder. Answer any questions that either the validator or the vendor might have regarding addressing STIG checks or vulnerabilities discovered. Document control AP and STIG/Scan technical findings discovered at IV&V in the system POAM.
- Be proficient in using the following tools: STIG Viewer, Portable Cybersecurity Assessment Tool (PCAT), eMASS and Excel spreadsheets.
- Brief RMF project statuses once a week to the government supervisor. Record statuses and notes in CSTAR (Consolidated System Tracking & Reporting) – DHA enterprise-wide project status reporting. Brief project statuses roughly once a month to the ICS team and Civilian PM lead.
- Maintain and update ICS PMO cybersecurity documentation such as the installation mandate, deployment guide, and A&I checklist.
- Maintain and update eMASS import templates: control deck and implementation plans.
Qualifications
- Minimum of two (2) years relevant experience
- Bachelor's degree preferred.
- Ability to obtain a Public Trust Clearance (NACI)
- Must have an active CompTIA Security Plus certification
- Working knowledge of internal controls and IT risk assessment and mitigation procedures
- Technical experience in security-related technologies such as encryption, remote access, anti-virus systems, etc.
- A basic knowledge of the 8 domains of the Common Body of Knowledge for information security:
  - Security & Risk Management
  - Asset Security
  - Security Engineering
  - Communications and Network Security
  - Identity and Access Management
  - Security Assessment and Testing
  - Security Operations
  - Software Development Security
Target salary range: $71,326 - $125,534
Disclaimer:
The salary range displayed represents the typical salary range for this position and is not a guarantee of compensation. Individual salaries are determined by various factors including, but not limited to, location, internal equity, business considerations, client contract requirements, and candidate qualifications, such as education, experience, skills, and security clearances.
Perks/benefits: Equity / stock options Startup environment