About Oxley Enterprises®, Inc.

Oxley Enterprises®, Inc. is an economically disadvantaged woman-owned, service-disabled veteran-owned, small disadvantaged business consulting company that helps organizations improve performance, enhance productivity, and increase overall organizational effectiveness through strategic planning, performance management, quality management, process management, project management, human capital development, transformational workshops, IT benchmarking, and information technology integration.

Oxley provides dynamic, mission-aligned strategies and solutions to help organizations across the spectrum of business and government address their performance and technology challenges today and thrive tomorrow. Oxley professionals apply diverse process and technical consulting experience to help organizations identify business and program needs and maximize return on investment. Oxley is dedicated to providing every client with a full range of management consulting services and continuous learning and improvement opportunities to help them expand both their capacity and their capabilities. Oxley has experience within government organizations specifically geared toward improving the performance, quality, timeliness, and efficiency of processes, programs, and strategies.


Position summary:

The Information Assurance Specialist/Advisor Risk Manager supports the NGA Enterprise Support to Management and Resources for Technical Services (ESMARTS) program. The role requires understanding and applying ICD 503, NIST Special Publication 800-53, and CNSSI 1253. The Risk Manager performs risk tradeoff analysis to implement the policies, processes, models, assessments, and standards needed to recommend risk acceptance authorization for complex systems and mission enablement; documents recommendations for authorization, including a detailed rationale for acceptance; and documents rejections back to information system owners (ISOs) with detailed, constructive recommendations for correction, references to the applicable government regulations, an explanation of why the correction is needed, and the specific outcome(s) desired. When providing feedback to programs, the Risk Manager speaks with the ISO to ensure a clear understanding of the changes needed. The role provides technical guidance to safeguard NGA's information systems, with a focus on risk analysis and on Federal and Agency policy compliance, by conducting security risk assessments for each assigned information system in relation to the Agency/Enterprise Risk Assessment and by providing authorization recommendations for information systems, including Operational Authorization to Test (OATT), Authorization to Proceed (ATP), and Authorization to Operate (ATO). The Risk Manager provides direct technical support to the NGA Delegated Authorizing Official (DAO) to ensure that security considerations and risk tradeoffs are integrated throughout the engineering development and operations lifecycle of the system and that residual risk remains at an acceptable level for operation.

Minimum/General Experience: Minimum of 10 years' experience in cybersecurity, information assurance, IT security risk management, or a related field; the candidate must have experience applying security controls to information systems.

Minimum Education: Master’s degree or equivalent experience in Computer Science, Computer Engineering, Electrical Engineering, or Management Information Systems with emphasis in Information Technology/Information Assurance

Security: Active Top Secret/SCI clearance and the ability to pass a polygraph within 60 days of hire


Duties and Responsibilities:

      • Propose categorization of information systems, with input from ISSEs and working in partnership with Information Systems Owners (ISOs).
      • Determine appropriate level of security controls by working in concert with Program Managers (PM) and by identifying and prioritizing risks based on mission goals and types of information processed by the system. Assist in determination of impacts in support of risk prioritization.
      • Provide guidance to program managers for securing their information systems and to understand and promote applicability of Enterprise Security Services in accordance with ICD 503, CNSSI 1253, and NIST SP 800-39, 800-137, 800-53 and 800-37.
      • Review Plan of Actions and Milestones (POA&Ms) to ensure programs are making progress in mitigating risk to systems; work with programs to ensure POA&Ms are updated every 90 days at a minimum, and more frequently for high risk systems or action items. Advise the NGA Program Manager (PM) of any issues/delays in the POA&Ms.
      • Ensure risk mitigation strategies, recommendations, and applicable security controls are documented indicating cost effectiveness and reasonability for the mission goals; risk mitigation is determined in context of mission and cost.
      • Assist in the development and oversight of security policy implementation in accordance with current Federal, Community, and Agency Policies.
      • Assist in monitoring the implementation of security policies and document to the government when policies and appropriate security controls are not being implemented, including the reason for non-compliance and decision recommendations.
      • Assist in controlling and managing the Agency central repository for all authorization documentation. Currently, NGA uses the XACTA software.
      • Maintain and update the A&A standards tool (Uncle) for consistently applied authorization decisions.
      • Maintain and update A&A tools used for categorization, control selection, or authorization decisions.
      • Oversee security testing and review evaluations to ensure they are completed, detail the results of testing (including any issues resulting in failed testing), and are written clearly and concisely so that OCIO leadership, security control assessors, program managers, and system administrators can understand them.
      • Monitor the assessment and authorization activities and solutions to guarantee these actions are collaborated with the necessary offices and agencies.
      • Provide senior level analysis, reports, and metrics to OCIO leadership concerning overall agency system authorization status.
      • Assist with developing and documenting risk assessment context and input including identification of threats, applicable vulnerabilities, and likelihood of occurrence. The risk assessment will include identification of the risk to the agency mission. The risk assessment will be done using NIST SP 800-30 and NGA policy.
      • Assist with developing risk mitigation strategies, solutions, and recommendations through conducting and/or participating in holistic information security testing assessments.
      • Assist with reviewing, maintaining, and ensuring all A&A documentation, including NGA’s security plans, are complete, of high quality, and ready for authorization.
      • Monitor security testing for compliance with ICD 503 and other applicable references.
      • Evaluate data and network layer diagrams of assigned systems for compliance with security standards.
      • Validate that programs have considered and integrated current valid enterprise security solutions, common controls, and other enterprise security services as applicable to realize efficiencies.
      • Assist with developing, documenting, and assessing measures and metrics as they pertain to information security assessments and risk acceptance.
      • Maintain a record of all supplemental system authorization documentation.
      • Coordinate with Intelligence Community and DoD partners and staff to respond to authorization issues concerning NGA systems at external or remote locations.
      • Provide guidance and recommendations concerning all aspects of the Intelligence Community, DoD, and NGA Assessment and Authorization process, the functions of sub-processes, and the impact of changes when required.
      • Coordinate and evaluate activities requiring Information Assurance involvement, such as program coordination and problem resolution; ensure impacts are managed with appropriate resources.
      • Actively participate in system development, beginning at the inception of a new mission need, new system, and/or acquisition, to ensure appropriate security issues are addressed and risk is mitigated at the start of program design.
      • Participate in program discovery and/or system registration processes.
      • Coordinate with internal and external Offices of Primary Responsibility (OPR) concerning technical support for system security, risk mitigation, evaluating threats and vulnerabilities to ensure compliance with Agency, DoD and IC directives and policies.
      • Assist in preparing appropriate documentation to outline agreements with DoD/IC agencies and required documents concerning requested services, including, but not limited to, Interagency Service Agreements and Memoranda of Understanding.
      • Participate in IA discussions/meetings between the Agency and IC/DoD entities in order to provide recommendations and assessments to the NGA DAO/AO.
      • Provide NGA IA positions at meetings/discussions with the Agency and IC/DoD entities and coordinate the NGA position for community resolution.
      • Provide evaluation and mitigation recommendation(s) concerning threats and vulnerabilities to determine if additional safeguards are required.
      • Provide guidance, insight, and comments to OPRs concerning IC, DoD, and NGA policies.
      • Collaborate on task activities and solutions throughout the NGA enterprise and with other government and industry organizations.
      • Assist the process owner in revising and maintaining the A&A process.
      • Provide recommendations for process improvements.
      • Collect and report on measures and metrics, as required.


Essential Job Qualifications (skills, knowledge, experience):

        • Active Top Secret/SCI clearance
        • U.S. Citizenship
        • Master’s degree or equivalent experience in Computer Science, Computer Engineering, Electrical Engineering, or Management Information Systems with emphasis in Information Technology/Information Assurance
        • CISSP, CISM, CASP, CISA or GSLC certification (CISSP preferred)

Please submit resume, cover letter, and salary requirements to careers@oxleyenterprises.com.

Visit our website at www.oxleyenterprises.com to learn more about our organization.

Oxley Enterprises®, Inc. is an equal opportunity employer.