Must have minimum active Top-Secret Clearance and be onsite in Idaho Falls Idaho.
NO EXEPTIONS.
As a member of the Classified Cybersecurity team, the Risk Management Analyst is a senior-level position responsible for supporting the following core functions within the Classified Cybersecurity Program:
- Execution and operation of the Classified Cybersecurity Vulnerability Management Program
- Conducting analysis and assessment of NIST/CNSS security control deviations, DISA Security Technical Implementation Guides (STIGs) non-compliance, vulnerability scan findings, and Cybersecurity Service Provider (CSSP) directive non-compliance, working with the classified ISSOs and ISSEs in determining risks associated with deviations/exceptions identified in those assessments, and developing associated documentation (e.g. exception requests, exception tracking, POA&Ms, etc.)
- Ensuring internal vulnerability scanning of National Security Systems (NSS) is performed IAW CSSP requirements, supporting external vulnerability scanning by the CSSP, and ensuring that applicable security patches are being deployed to address vulnerability scan findings
- Ensuring proper implementation of DISA STIGs IAW CSSP requirements
- Providing guidance to classified Information System Security Engineers (ISSEs) for solutions that support information security objectives including Security Information and Event Management (SIEM), intrusion detection, and e-discovery
- Providing risk related metrics for cybersecurity reports such as the monthly cybersecurity health report, weekly DOE-ID risk review report, CSSP monthly vulnerability status report, and others as required
- Coordinating the evaluation and risk assessment of hardware and software that will be used on classified systems
- Coordinating the collection, analysis, and presentation of computer-related evidence in response to incidents associated with classified systems (e.g. intrusion, malware, criminal, fraud, counterintelligence)
- Interfacing and collaborating with other risk assessment professionals outside of the classified cybersecurity team (e.g. unclassified cybersecurity, CSSP staff, other DOE national laboratory personnel, vendors, etc.)
- Maintaining awareness of global cybersecurity threats, how they pertain to the classified environment, and sharing that information with the classified cybersecurity team, classified system owners, and DOE oversight
Position Requirements