- Work with developers to support secure coding practices, explain application-related security findings and how to reproduce them, and make sure information security risks are managed throughout all the phases of the SDLC.
- Use automated tools to perform static source code and dynamic security testing to identify vulnerabilities and attack vectors in web applications.
- Complete a Security Impact Analysis as part of each sprint within an agile development organization.
- Support, implement, maintain, and monitor security and privacy controls in compliance with FISMA, HIPAA, FedRAMP, and NIST RMF requirements and guidance.
- Plan, document, implement, assess, maintain, and monitor security and privacy controls in accordance with requirements, policies, standards, processes, and procedures documented in the CMS BPSSM, ARS 3.1, TRA, and RMH.
- Independently develop a variety of security authorization package-related deliverables including: System Security Plans, Information Security Risk Assessments, Privacy Impact Assessments, Contingency Plans, Incident Response Plans, and other security and privacy plans, processes, and procedures.
- Support audits, assessments, and penetration test-related documentation requests and vulnerability remediation efforts.
- Document and maintain a Plan of Action and Milestones (POA&M) for weaknesses identified in security tests and/or audits.
- Recommend system architecture solutions based on industry best practices and knowledge of Federal and organizational security guidelines.
- Perform periodic internal audits, vulnerability assessments, and web application security testing.
- Maintain current knowledge of relevant security and privacy trends and technology.
- Participate in special projects as required.
- Hands-on experience with implementing, documenting, maintaining, and monitoring CMS Acceptable Risk Safeguards control requirements.
- Experience in implementing and enforcing policies, procedures and guidelines in a complex environment.
- Experience assisting with the implementation of an automated CI/CD DevSecOps pipeline.
- Experience driving ATOs including the privacy controls specified in NIST SP 800-53 rev 4 Appendix J.
- Experience in the development, implementation and operation of IT Security Strategy within a complex environment.
- Knowledge and experience with security best practices and relevant legislation.
- Experience with IT Security management, access policy and management, authentication and SSO, authorization, audit, secure communications and network protection, data protection and privacy, and security administration.
- Understanding of, and ability to communicate, security and risk implications to technical and non-technical audiences.
- Experience working as part of an agile scrum team, assisting with security-related tasks and deliverables associated with bi-weekly sprints.
- Experience using vulnerability scanners such as Nessus, OpenVAS, Retina or Nexpose.
- Experience running static analysis / static application security testing tools such as SonarQube, Fortify or Veracode.
- Experience running dynamic application security testing tools such as WebInspect, AppSpider, Acunetix, AppScan, Qualys, Burp Suite Pro or OWASP ZAP.
- Experience running component analysis tools such as Sonatype Nexus IQ, Synopsys Black Duck, OWASP Dependency-Check/Track.
- Experience with GRC tools, such as CSAM, CFACTS, TAF, or Xacta.
- Proficient in Microsoft Office (Word, Excel, PowerPoint, etc.) and Visio.
- Ability to leverage Microsoft Project for project planning.
- Must have lived in the United States at least 3 out of the last 5 years.
- Excellent interpersonal, verbal and written communication, and organizational skills - must be able to communicate fluently in English both verbally and in writing.
- Facts and data oriented.
- Deadline and closure oriented.
- Strong persuasion, facilitation and influencing skills.
- Strong analytical, organizational and project management skills.
- Demonstrated ability to lead and work with cross-functional teams, including senior-level individuals.
- Must be able to thrive in a fast-paced, rapidly evolving environment with varying priorities, based on a team-building culture.
NewWave is committed to hiring and retaining a diverse workforce. We are proud to be an Equal Opportunity/Affirmative Action Employer, making decisions without regard to race, color, religion, creed, sex, sexual orientation, gender identity, marital status, national origin, age, veteran status, disability, or any other protected class. NewWave is a proud Veteran friendly employer.