Cybersecurity Management Support Subject Matter Expert (SME) - E
Job description
Cybersecurity Management Support Subject Matter Expert (SME)
Work starting June 1, 2023
Kingfisher is seeking a Cybersecurity Management Support Subject Matter Expert (Cybersecurity SME) with specialized experience in penetration testing to support a government agency onsite.
The Cybersecurity SME will support the development of departmental policy, processes, testing methods, and scenarios for targeting government agency systems through external and internal penetration tests, including design, implementation, and operation of the penetration testing environment. The environment and associated methods must demonstrate and record artifacts, including evidence of potential lateral movement to other systems through exploitation.
The Cybersecurity SME provides penetration testing services following the schedule and compliant with standards and requirements for penetration testing to support the government agency’s reportable systems and other identified environments or assets.
Duties to include:
- Assist CIOs, CISOs, and Program Managers to assess, develop, implement, and maintain enterprise information/cybersecurity programs.
- Assist customers to interpret policies and standards related to information and cybersecurity.
- Develop strategies for implementing all aspects of Cybersecurity programs, as well as Privacy.
- Devise solutions to speed adoption of standards, policy, and procedures, as well as measure performance and compliance.
- Develop policy, procedures, and best practices.
- Prepare presentations, papers, and other materials to support the CIO, CISO, and program managers to communicate policy, requirements, practices, and solutions to business and system owners.
- Support the program security office, ranging from analysis and planning to budget.
- Manage project requirements, resources, and deliverables.
- Prepare and provide management and project reports.
- Provide support for annual penetration testing schedule for a minimum of 10 (ten) penetration testing assessments per year.
- Develop penetration testing scopes, including Black Box penetration testing, gray box, etc.
- Develop rules of engagement for penetration testing.
- Develop and implement methods for whitelisting devices.
- Recommend suite of penetration testing tools for this program.
- Develop and document exercises to simulate attempts by adversaries to compromise organizational systems in accordance with the government agencies’ applicable rules of engagement.
- Develop rules of engagement for penetration tests to include, but not limited to:
  - Assumptions and requirements
  - Communications and status meetings
  - Data and event handling
  - Scenarios
  - Schedule
  - Risks
Additional duties and scope include:
- External penetration testing.
- Catalog network, wireless, and infrastructure vulnerabilities and report potential impacts to the IT network and attached systems.
- Conduct internal penetration tests.
- Perform Gap Analysis-Network Security.
- Assemble data compiled from External penetration Test results, Internal penetration Tests results, and best practices to identify security gaps on the agency’s IT network.
- Catalog security gaps, identifying any critical, moderate, and low vulnerabilities, the age of the vulnerabilities, mitigating factors, and the risk of exploitation of the vulnerabilities identified by the Cybersecurity SME.
- Conduct Social Engineering/Spear Phishing.
- Craft phishing emails with a malicious payload to be sent to some of the addresses on the provided list of users.
- Perform Web Application Testing.
- Apply standard web app testing techniques to identify potential vulnerabilities or weaknesses in the existing web application implementation.
- Report penetration testing findings and establish requirements for documenting and reporting of all findings.
- Ensure suite of tools complies with Standard Operating Procedure and ensure the automated tools are configured and updated (both the application and lists/plug-ins) within five days prior to conducting each assessment.
- Conduct penetration testing/assessment in accordance with the schedule, using approved approaches (manual and automated methods) to assess the state of the components (operating systems, web applications, databases, etc.) and the likelihood of impacting adjacent components and interconnected asset(s); in accordance with ROE scope.
- Ensure rules of engagement detail the assessment scope with clarity, specifying scope exclusion(s) if necessary, controls being assessed, methods of performing the assessment (including sampling and "determine if" statements), notional schedule, assessment staff members, and an inventory of targeted system endpoints/components, software, and processes.
- Review existing information system core documentation, including an information system security plan, business impact analysis, and network diagrams.
- Develop penetration testing report and briefing in accordance with the scope and schedule defined in the rules of engagement.
- Provide a qualitative risk assessment summary for weaknesses discovered, compliant with NIST SP 800-30 Guide for Conducting Risk Assessments, Appendix E Threat Events.
- Support new initiatives, efforts, information system(s), and application(s) needs as an integral part to support the mission.
- Conduct dynamic web application security testing, both manual testing and utilizing application security tools to discover exploitable vulnerabilities.
Minimum Requirements (85-90%)
- Expert knowledge of penetration testing with a focus on Web Application Testing, Red Teaming, Computer Network Attack, and/or Computer Network Exploitation.
- Ability to provide ongoing assessments including planning, design, and implementation of penetration testing tools in an enterprise network environment.
- Expertise in domain structures, network protocols, and security best practices.
- Understanding of IT governance and management in the federal sector.
- Understanding of information assurance, cybersecurity, privacy policies disciplines, methods including but not limited to NIST Risk Management Framework (RMF), NIST Cybersecurity Framework (CSF).
- Understand the Federal Government’s deployment of Information Security Continuous Monitoring (ISCM), the Continuous Diagnostics and Mitigation (CDM) Program, organizational phases, and technologies.
- Understanding of information assurance, cybersecurity, and privacy policy disciplines and methods, e.g., Cybersecurity and Risk Management Framework(s) and federal compliance standards such as National Institute of Standards and Technology (NIST) SP 800-53, FIPS, and FedRAMP.
- Understanding of Identity, Credential, and Access Management (ICAM) implementation.
- Ability to work with customers to assess needs, provide assistance, resolve problems, satisfy expectations; knows products and services.
- Understanding of the principles, methods, or tools for developing, scheduling, coordinating, and managing projects and resources, including monitoring work, and performance.
- Understanding of the principles, methods, and tools of quality assurance and quality control used to ensure a product fulfills functional requirements and standards.
- Proficient in Microsoft Office products: Word, Excel, PowerPoint, Visio, Teams, Power BI, Project, and SharePoint.
- Understand domain structures, network protocols, user authentication, digital signatures, firewall, and security best practices.
- Ability to administer cybersecurity systems and provide technical recommendations to maintain and improve mission functionality.
- Ability to plan, execute, and develop reports for application and network (internal or external) vulnerability analysis, and provide technical recommendations to maintain and improve mission functionality.
- Understanding of network security devices such as network firewalls, data loss prevention, network intrusion detection systems, intrusion prevention systems, operating systems, and system services (Windows Server, Linux/Unix, and Active Directory).
- Other duties as assigned.
Additional Requirements (10-15%):
- Provide project oversight, coordination, and management for each work task and evolution as required.
- Develop and maintain a project plan and schedules to support activities; project plan status reports shall follow a review schedule to track project progress, finances, risk and issues, status and resolutions.
- Provide Weekly Status Reports documenting activities of the previous week.
- Provide technical analysis, coordinate assessment activities, and perform technical writing to ensure documentation complies with privacy and Section 508 requirements.
- Perform CP testing with the Team’s assistance.
- Conduct security assessments, including gathering information for analysis, preparing documents, and providing recommendations concerning security.
- Proficiency with NIST Special Publications.
- Other duties as assigned.
Basic requirements:
- Proficiency in verbal and written communications.
- Proficiency in interpersonal skills.
- Proficiency in handling multiple tasks concurrently.
- Proficiency in project and time management.
- Familiarity with a GRC tool.
- Ability to adjust to changing priorities.
Work Location:
- Washington DC
Citizenship:
- U.S. citizenship is required
Required Certification (one only):
- Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA)
Highly Desired Certification (one only):
- Offensive-Security Certified Professional (OSCP); Offensive-Security Certified Expert (OSCE); GIAC Penetration Tester (GPEN); GIAC Security Essentials (GSEC); GIAC Web Application Penetration Tester (GWAPT)
Clearance:
- Minimum, a U.S. Government Public Trust High-Risk Security Clearance
Education and Years of Experience:
- Master’s degree in computer science, MIS, engineering, accounting information systems, or a related discipline or equivalent and 12 years of general experience
With employee health and safety as our top priority, Kingfisher is addressing the increased risk, and uncertainty COVID-19 variants pose in the workplace. Effective December 8, 2021, we require all newly hired employees in the United States to be fully vaccinated before their start date. Kingfisher will review and approve or disapprove medical and religious exemptions after the extension and acceptance of an offer of employment.
Kingfisher Systems, Inc. is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, protected veteran status, among other things, or status as a qualified individual with a disability.