Duties
The Security Control Assessor (SCA) will play a critical role in evaluating the effectiveness of security controls implemented within the organization's information systems. The incumbent will be responsible for conducting assessments using a variety of methods, including examinations, interviews, and testing, to identify vulnerabilities, weaknesses, and areas for improvement within our information systems. The incumbent must have a strong background in information security, risk management, and a thorough understanding of regulatory requirements such as NIST standards and industry-specific compliance frameworks. This position requires a deep understanding of security assessment methodologies, strong analytical skills, and the ability to communicate findings effectively to stakeholders.
Duties of the position include, but are not limited to:
- Collaborating with stakeholders to develop assessment plans that outline the scope, objectives, and methodology for conducting security assessments. This involves understanding the organization's information systems, business processes, and security requirements.
- Conducting thorough examinations of security controls implemented within information systems, including technical, administrative, and physical controls. Analyzing documentation, policies, and procedures to assess the adequacy of security measures and identify areas of non-compliance or weakness.
- Conducting structured interviews with key personnel, including IT staff, system administrators, and business stakeholders, to gather insights into security practices, procedures, and challenges.
- Identifying potential security gaps or vulnerabilities through dialogue and questioning during interviews.
- Performing technical testing activities, such as vulnerability scanning, penetration testing, and security configuration reviews, to assess the effectiveness of security controls. Utilizing automated tools and manual techniques to identify and exploit security vulnerabilities and to assess the organization's resilience to cyber threats.
- Analyzing assessment findings from examinations, interviews, and testing to identify trends, patterns, and areas for improvement. Preparing comprehensive assessment reports that summarize findings, highlight areas of concern, and provide actionable recommendations for enhancing security posture. Presenting assessment results to stakeholders, including management, IT teams, and regulatory authorities, in a clear and concise manner.
- Documenting assessment findings in the Governance, Risk, and Compliance (GRC) system, including identified vulnerabilities, weaknesses, and recommendations for remediation.
- Staying informed about emerging threats, vulnerabilities, and best practices in security assessment methodologies. Collaborating with internal teams to implement remediation plans and security enhancements based on assessment findings and recommendations. Participating in ongoing monitoring and evaluation activities to track the effectiveness of security controls and ensure continuous improvement.
- Performing the tasks and demonstrating the knowledge, skills, and abilities described in NIST Special Publication 800-181, the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, for the role of Security Control Assessor (SP-RSK-002).
Requirements
Conditions of Employment
- All information is subject to verification. Applicants are advised that false answers or omissions of information on application materials or inability to meet the following conditions may be grounds for non-selection, withdrawal of an offer of employment, or dismissal after being employed.
- Selection for this position is contingent upon completion of OF-306, Declaration for Federal Employment, during the pre-employment process and proof of U.S. citizenship for competitive status positions or conversion to a competitive status position with the AO. If non-citizens are considered for hire into a temporary or any other position with non-competitive status, or when it is confirmed by the AO Human Resources Office that there are no qualified U.S. citizens for a competitive status position (unless prohibited by law or statute), non-citizens must provide proof of authorization to work in the U.S. and proof of entitlement to receive compensation. Additional information on the employment of non-citizens can be found in the USAJOBS Help Center under "Employment of non-citizens." For a list of documents that may be used to provide proof of citizenship or authorization to work in the United States, please refer to Form I-9, Employment Eligibility Verification.
- All new AO employees will be required to complete an FBI fingerprint-based national criminal database and records check and pass a public trust suitability check.
- New employees to the AO will be required to successfully pass the E-Verify employment verification check. To learn more about E-Verify, including your rights and responsibilities, visit https://www.e-verify.gov/.
- All new AO employees are required to identify a financial institution for direct deposit of pay before appointment.
- You will be required to serve a trial period if selected for a first-time appointment to the Federal government, transferring from another Federal agency, or serving as a first-time supervisor. Failure to successfully complete the trial period may result in termination of employment.
- If appointed to a temporary position, management may, at its discretion, convert the position to permanent depending upon funding and staffing allocation.
Qualifications
Applicants must have demonstrated experience as listed below. This requirement is in accordance with the AO Classification, Compensation, and Recruitment Systems, which include interpretive guidance and reference to the OPM Operating Manual for Qualification Standards for General Schedule Positions.
Specialized Experience: Applicants must have at least one full year (52 weeks) of specialized experience which is in or directly related to the line of work of this position. Specialized experience is demonstrated experience in ALL of the following:
- Extensive experience with security control frameworks and assessment methodologies, including NIST SP 800-53, ISO/IEC 27001, the CIS Controls, and other industry-recognized frameworks. This includes knowledge of assessment planning, control evaluation, risk analysis, testing, and reporting;
- Hands-on experience with security tools and techniques such as vulnerability scanning, penetration testing, security configuration reviews, and forensic analysis;
- Experience interpreting and applying regulatory guidance to ensure the organization's adherence to security requirements such as HIPAA, GDPR, PCI DSS, FISMA, and other industry-specific regulations;
- Developing risk mitigation strategies and recommending controls to address identified vulnerabilities and threats;
- Preparing comprehensive assessment reports that effectively communicate findings to stakeholders, including management, IT teams, and regulatory authorities; and
- Conducting interviews, facilitating meetings, and presenting assessment results in a clear and understandable manner.
Education
This position does not require education to qualify.
Additional Information
The AO is an Equal Opportunity Employer.