Senior Security Control Assessor- JSF
Arlington, VA 
Posted 21 days ago
Job Description
Job Details
Job Location
ARLINGTON, VA 1-JSF/JPO - Arlington, VA
Position Type
Full Time
 
Description

Position Overview

The Contractor shall provide Cybersecurity Services throughout the cybersecurity lifecycle process for Information Systems (IS), Platform Information Technology (PIT), Information Technology (IT) Services, and IT products that are or will be assessed or assessed and authorized by Authorizing Officials (AOs) within the F-35 Enterprise. The contractor shall prepare materials for, and participate in, weekly staff meetings. The contractor shall perform all six steps of the RMF/JSIG processes as captured below, with a focus on Steps 4 and 5, Assessing Security Controls and Authorizing the System.

Duties and Responsibilities

Step 1: Categorize System. The Contractor shall participate, as required, in the system categorization of each system and maintain the formal decision document as a part of the F-35 System's Security Assessment Package

Step 2: Select Security Controls. The Contractor shall provide assistance to the Information System Owner (ISO) in Security Control Traceability Matrix (SCTM) negotiations for formal tailoring of system security control requirements. The Contractor shall maintain the formal SCTM submission as part of the F-35 System's Security Assessment Package

Step 3: Implement Security Controls. The Contractor shall participate in Preliminary and Critical Design Reviews (PDR/CDR) to ensure proposed design and implementation of controls are in accordance with DoD cybersecurity standards and have not deviated from the tailored SCTM

Step 4: Assess Security Controls. The Contractor shall create a Security Assessment Report which shall encompass evaluation of all written artifacts within the formal Security Assessment Package submitted by the ISO, results of the Independent Validation and Verification (IV&V) test, and Security Assessment (SA) event

Step 5: Authorize System. The Contractor shall validate all required artifacts in the Information System Security Manager / Engineer (ISSM / ISSE) assembled Security Assessment Package are current and representative of the systems being presented for AO adjudication. The Contractor shall provide a formal written recommendation within the Security Assessment Report to the AO for review and final acceptance

Step 6: Monitor Security Controls. The Contractor shall evaluate Continuous Monitoring (ConMon) Plans and shall participate in Operational Assessments

Provide Security Control Assessment Services. The Contractor shall perform oversight of the development, implementation and evaluation of information system security program policy, with special emphasis placed upon integration of existing SAP network infrastructures. The Contractor shall perform analysis of network security, based upon the RMF Assessment and Authorization (A&A) process and advise customer on IT certification and accreditation issues.

  • Perform analysis of network security, based upon the RMF and Joint Special Access Program Implementation Guide (JSIG) authorization and assessment processes (A&A); advise customer on IT and A&A issues
  • Perform risk assessments and make recommendations to customers
  • Advise the AO, Delegated Authorizing Official (DAO), Office of Chief Information Officer (OCIO), Chief Information Security Officer (CISO), and/or Program Security Officer (PSO) on assessment methodologies and processes
  • Evaluate certification documentation and provide written recommendations for accreditation to Government Program Managers (PMs)
  • Review system security to accommodate changes to policy or technology
  • Evaluate IT threats and vulnerabilities to determine whether additional safeguards are needed
  • Advise the government concerning the impact levels for confidentiality, integrity, and availability for the information on a system
  • Facilitate ensuring certification for each information system
  • Develop, implement, provide guidance, and enforce Automated IS (AIS) security policies and procedures
  • Facilitate the necessary technical training for Information System Security Officers (ISSOs), network administrators, and other AIS personnel to carry out their duties
  • Develop, review, endorse, and recommend action by the DAO of system certification documentation
  • Facilitate ensuring procedures are in place for clearing, purging, declassifying, and releasing system memory, media, and output
  • Conduct certification tests that include verification that the features and assurances required for each protection level are functional
  • Maintain a repository for all system certification/accreditation documentation and modifications
  • Coordinate AIS security inspections, tests, and reviews
  • Develop policies and procedures for responding to security incidents and for investigating and reporting security violations and incidents
  • Facilitate ensuring proper protection and/or corrective measures have been taken when an incident or vulnerability has been discovered within a system
  • Facilitate ensuring that data ownership and responsibilities are established for each AIS, to include accountability, access rights, and special handling requirements
  • Develop and implement an information security education, training, and awareness program, to include attending, monitoring, and presenting local AIS security training
  • Complete and document security testing and evaluations
  • Evaluate threats and vulnerabilities to ascertain whether additional safeguards are needed
  • Assess changes in the system, its environment, and operational needs that could affect the accreditation
  • Conduct periodic testing of the security posture of the AIS
  • Facilitate ensuring configuration management for security-relevant AIS software, hardware, and firmware are properly documented.
  • At the conclusion of each security assessment activity, prepare the final Security Assessment Report containing the results and findings from the assessment
  • Evaluate and monitor Plan of Action and Milestone (POA&M) activities to ensure proper and timely remediation actions are taken with respect to identified weaknesses and suspense dates for each IS based on findings and recommendations from the Security Assessment Report
  • Facilitate ensuring that system recovery processes are monitored to ensure that security features and procedures are properly restored
  • Facilitate ensuring all AIS security-related documentation is current and accessible to properly authorized individuals
  • Facilitate ensuring that system security requirements are addressed during all phases of the system life cycle
  • Participate in self-inspections; identify security discrepancies and report security incidents
  • Coordinate all technical security issues outside of area of expertise or responsibility with Senior Systems Engineer (SSE)
  • Provide expert research and analysis in support of expanding programs and area of responsibility
  • Perform file transfers between local systems to storage devices
  • Provide Program Protection Cybersecurity (CS) Specialist Services. The following subtasks are not assigned to any one specific security business area and are intended to provide maximum flexibility and support to the enterprise.
  • Provide cybersecurity compliance assessments, contractor shall provide tasks that include but are not limited to:
  • Perform cybersecurity compliance assessments in alignment with Security with Staff Assistance Visits (SAVs) and Operational Assessment (OA) both CONUS and OCONUS.
  • Provide written accounts of OA or SAV cybersecurity compliance assessments to event lead(s), and maintain knowledge and share site/files for lessons learned.
  • Maintain and update Cybersecurity SAV and OA Checklists, database entries and required files. Schedule OA/SAV meetings and provide updates to Government entities.

Provide CS Specialist Services to F-35 Partners and FMS Security Professionals.

Contractor shall provide tasks that include but are not limited to: Provide Cybersecurity Specialist support to perform on-site cybersecurity compliance and oversight for Partner and/or FMS sites. Provide a full range of Information Assurance/Cybersecurity services which include but are not limited to: planning, developing, implementing, and maintaining programs, policies, and procedures to protect the integrity and confidentiality of systems, networks, and data; monitor the compliance of Partner/FMS participants with Authority to Operate (ATO) requirements for authorized F-35 information systems through on-site visits and email communication; develop, administer, and conduct cybersecurity training; train Partner/FMS personnel in cyber positions on cybersecurity best practices, procedures, industry standards, processes, and protocols; and participate in periodic meetings with Government entities to facilitate compliance activities being met, properly captured and reported.

Qualifications

System High values the power and strength of diverse backgrounds on the culture and performance of our company. We strive to maintain an inclusive culture to encourage each employee to bring their whole self to the mission.

Additional Information

  • This job description is not designed to cover or contain all job duties required of the employee. There may be additional activities, duties and/or responsibilities that are required for this position that are not listed in this job description.
  • In compliance with federal law, all persons hired will be required to verify identity and eligibility to work in the United States and to complete the required employment eligibility verification document form upon hire.
  • System High is a Military friendly employer. Our extensive work on behalf of the U.S. government offers those who have served in uniform an opportunity to continue to serve their country in a new and exciting way while enjoying a successful civilian career.
  • System High Corporation is an Equal Opportunity/Affirmative Action Employer. We consider applicants without regard to race, color, religion, age, national origin, ancestry, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, veteran status, disability, genetic information, citizenship status, or membership in any other group protected by federal, state, or local law.
  • Equal opportunity legal notices can be viewed on the following PDF's: ; EEO is the Law Supplement; Pay Transparency Nondiscrimination

Warning: Beware of recruitment scams: System High will never request money or personal purchases during the hiring process. Verify all communications come from a systemhigh.com or msg.paycomonline.com email address.


System High Corporation is an Equal Opportunity Employer (EOE), Minorities/Females/Vet/Disabled.

 

Job Summary
Start Date
As soon as possible
Employment Term and Type
Regular, Full Time
Required Experience
Open