Compliance Management: Maintain OIG compliance with FISMA and FedRAMP requirements for systems at Low, Moderate, and High impact levels. This includes performing Independent Verification and Validation (IV&V) of Cloud Service Providers (CSPs).
Ad-Hoc Support: Provide management and compliance support for additional systems, tools, and platforms as needed across all impact levels.
Significant Change Assessments: Perform assessments for systems undergoing significant implementation or configuration changes. Evaluations must cover all in-scope controls based on the current NIST SP 800-53 revision.
Annual Assessments: Conduct annual assessments of all FISMA-reportable systems in accordance with OIG policy. This consists of evaluating one-third of the controls in the current NIST SP 800-53 revision until the OIG achieves certification for ongoing authorization.
Documentation & Reporting: Develop and deliver Security Assessment Plans (SAP), Security Assessment Reports (SAR), Risk Exposure Tables, POA&M reports, and other supporting documentation for all assessments.
Authorization Support: Review systems for initial and recurring authorizations. Manage the development of SARs and oversee POA&Ms for all findings within an online dashboard utility.
Cloud Integration & Risk: At the request of the COR, provide recommendations for the integration of cloud services into the OIG environment. Perform risk assessments for proposed CSPs, demonstrating familiarity with Zero Trust Architecture, TIC (Einstein), MTIPS, and OMB/DHS CDM requirements.
Cloud Security Tools: Incorporate Cloud Access Security Broker (CASB) tools where appropriate to support cloud compliance activities.
Continuous Monitoring (ConMon): Support continuous monitoring of CSP activities, including POA&M management and reporting. Analyze and provide recommendations based on monthly ConMon reports provided by CSPs.
Ongoing Authorization: Upon transition to ongoing authorization, support the assessment and evaluation of security and privacy controls as prescribed by current departmental and regulatory guidance.
Process Documentation: Develop and maintain Standard Operating Procedures (SOP) for assessments, testing, and compliance within an access-controlled portal on the HHS/OIG intranet.
Education: Bachelor's degree in Engineering, Computer Science, or Information Technology.
Experience: Minimum of 8 years of relevant experience in cybersecurity or IT audit.
Security Clearance: All contractor and subcontractor personnel occupying Public Trust, Automated Data Processing (ADP), or sensitive positions must undergo a suitability determination and security clearance.
Periodic Review: Contractor employees are subject to periodic reviews of suitability as deemed appropriate by HHS/OIG officials.