Activate JobCopilot
The mission of the OFR is to support the Financial Stability Oversight Council (FSOC) in promoting financial stability by: collecting data on behalf of FSOC; providing such data to FSOC and member agencies; standardizing the types and formats of data reported and collected; performing applied research and essential long-term research; developing tools for risk measurement and monitoring; performing other related services; making the results of the activities of the OFR available to financial regulatory agencies; and assisting such member agencies in determining the types of formats of data authorized to be collected by such member agencies.
Design, develop, engineer, and implement solutions to MLS requirements. Perform complex risk analyses which include risk assessment, SIEM-based threat detection and monitoring, and secure code review processes to identify and mitigate security vulnerabilities throughout the development lifecycle. Establish and validate information assurance and security controls based upon the analysis of user, policy, regulatory, and incorporating vulnerability scanning results, SIEM alert correlation, and code analysis findings into security posture assessments. Perform analysis, design, and development of security features for system architectures that incorporate vulnerability management capabilities, SIEM integration points, and secure code review checkpoints to ensure comprehensive security coverage across all system components.
This highly technical role requires deep understanding of modern cybersecurity engineering principles, control validation, including security-as-code, infrastructure-as-code, and DevSecOps practices. The engineer should have proven experience conducting security assessments, hands-on experience managing a vulnerability management program, reviewing and recommending detection rules, incident response playbooks, and performing regular audits of security controls and access management systems.
Key Tasks & Responsibilities
- To effectively manage Cybersecurity risk to the Office, the contractor will assist the OFR in refining and implementing the processes and methodologies to assess internal and external/third-party systems and provide accurate accounting and tracking for risks and findings.
- Conducting comprehensive vulnerability management using Nexpose, Rapid7, and Qualys platforms to identify, prioritize, and remediate security vulnerabilities and configuration baselines across the enterprise infrastructure.
- Implements automated container vulnerability scanning tools, such as AWS Clair, to identify and evaluate critical findings.
- Perform application security testing using Fortify WebInspect to assess web applications for security flaws and conduct thorough code reviews using Veracode to identify vulnerabilities in source code.
- Create custom queries and generate detailed reports in Splunk to support security monitoring, incident analysis, and compliance reporting.
- Tracked, monitor and report on Plans of Action and Milestones (POA&Ms). Findings discovered through risk assessments, Security Controls Assessments (SCA), continuous monitoring activities, vulnerability scans, application security tests, and code analysis will be collected, analyzed and used to provide continuous reporting and support informed, risk-based decision making.
- Develop policies for least-privilege access controls, implement network segmentation strategies, integrate identity and access management solutions with network security controls, and establish continuous monitoring and validation processes to ensure all network communications are authenticated, authorized, and encrypted.
- Serving as the principal liaison between the OFR and supporting personnel for the specific subtask area (e.g., Security Controls Assessors, ISSOs, Continuous Monitoring).
Education & Experience
- Using the NIST Risk Management Framework (RMF) to conduct assessments of Information security controls to measure the effectiveness of controls and identify control gaps
- Ensure compliance with guidance, standards and regulations such as NIST Special Publications, FIPS, FedRAMP, and other federal regulations and policies
- Preparing Security Authorization Packages and including documentation such as Authorization Official Out-briefs, Security Authorization Recommendations and Security Authorizations memorandums
- Identify, assess, and prioritize identified risks
- Collect evidence, artifacts, and document findings to support conclusions
- Report on compliance with internal policies, controls, and standards Provide recommendations for remediation of identified deficiencies
- Track and report on Plans of Action and Milestones (POAMs) (i.e., findings/deficiencies to closure)
- Coordinate third-party risk assessments and IT audits
- Manage remediation efforts and report on the status of control deficiencies
- Understanding of networking technologies and concepts (routing, switching, network segmentation, etc.)
- Strong written and verbal communication skills; must be able to effectively communicate with all levels of staff up to executive-level management, customers (internal and external), and vendors.
- Ability to work effectively under pressure; previous experience as an emergency medical responder, firefighter, or related high-pressure environment preferred but not required
- Familiar with basic python, JSON, and/or PowerShell
- Familiar with AWS Cloud Services - EC2, VPC, S3, RDS, CloudFormation, Systems Manager, CloudWatch, Security Hub
- Familiar with and have worked within security frameworks such as: NIST SP 800-61, Attack lifecycle, SANS Security Controls, MITRE ATT&CK, Kill chain, OWASP Top 10
Certifications
- Certified Information Security Professional (CISSP) preferred
- Preference given for CCE, CCFE, CEH, CPT, CREA, GCFE, GCFA, GCIH, GCIA GIAC, Splunk Core, OSCP, SANS Security 500 Series or other industry standard equivalent
Security Clearance
- Public Trust High (Tier 4/BI) Risk Level
- Must be a US citizen
Other (Travel, Work Environment, DoD 8570 Requirements, Administrative Notes, etc.)
- D.C. or Remote
$145,000 - $155,000 a year
The offered rate will be based on the selected candidate’s knowledge, skills, abilities and/or experience and in consideration of internal parity.
The posted range is appropriate for a typical candidate meeting, at a minimum, all the core requirements of the position.
Computer World Services is an affirmative action and equal employment opportunity employer. Current employees and/or qualified applicants will receive consideration for employment without regard to race, color, religion, sex, disability, age, sexual orientation, gender identity, national origin, disability, protected veteran status, genetic information or any other characteristic protected by local, state, or federal laws, rules, or regulations.
Computer World Services is committed to the full inclusion of all qualified individuals. As part of this commitment, Computer World Services will ensure that individuals with disabilities (IWD) are provided reasonable accommodations. If reasonable accommodation is needed to participate in the job application or interview process, to perform essential job functions, and/or to receive other benefits and privileges of employment, please contact Human Resources at [email protected]
We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.
Your email job alert is now active!
