Job Information
The MITRE Corporation Intermediate Cyber Risk Manager in Bedford, Massachusetts
Why choose between doing meaningful work and having a fulfilling life? At MITRE, you can have both. That's because MITRE people are committed to tackling our nation's toughest challenges—and we're committed to the long-term well-being of our employees. MITRE is different from most technology companies. We are a not-for-profit corporation chartered to work for the public interest, with no commercial conflicts to influence what we do. The R&D centers we operate for the government create lasting impact in fields as diverse as cybersecurity, healthcare, aviation, defense, and enterprise transformation. We're making a difference every day—working for a safer, healthier, and more secure nation and world. Our workplace reflects our values. We offer competitive benefits, exceptional professional development opportunities, and a culture of innovation that embraces diversity, inclusion, flexibility, collaboration, and career growth. If this sounds like the choice you want to make, then choose MITRE—and make a difference with us.
Department Summary:
The Information Systems Security (ISS) Department (A211) within the Global Security Services Division (A210) manages various aspects of information systems security as it relates to controlled unclassified and classified information systems within the confines of MITRE across multiple operating locations. The department provides information assurance support for a system or enclave's information security program through security authorization activities in compliance with The Risk Management Framework (RMF). The department maintains an operational security posture to ensure information systems, security policies, standards, and procedures are established and followed. The department performs vulnerability/risk assessment analysis to support Assessment & Authorization (A&A). Provides configuration management (CM) for information system security software, hardware, and firmware. Manages changes to system and assesses the security impact of those changes. Prepares and reviews documentation to include System Security Plans (SSPs), Risk Assessment Reports, A&A packages, and Security Controls Traceability Matrix (SCTM).
Roles & Responsibilities:
The Intermediate Cyber Risk Manager provides support for a system or enclave's information assurance program through security authorization activities in compliance with Risk Management Framework (RMF). Maintains operational security posture to ensure information systems (IS) security policies, standards, and procedures are established and followed. Performs auditing, vulnerability/risk assessment analysis to support Assessment & Authorization (A&A). Provides configuration management (CM) for information system security software, hardware, and firmware. Manages changes to system and assesses the security impact of those changes. Prepares and reviews documentation to include System Security Plans (SSPs), Risk Assessment Reports, A&A packages, and Security Controls Traceability Matrix (SCTM).
Responsibilities include:
Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
Perform cyber defense trend analysis and reporting.
Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).
Assess adequate access controls based on principles of least privilege and need-to-know.
Work with stakeholders to resolve computer security incidents and vulnerability compliance.
Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
Assure successful implementation and functionality of security requirements and appropriate IT policies and procedures that are consistent with the organization's mission and goals.
Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
Basic Qualifications:
Typically requires a Bachelor’s degree and a minimum of 2 years of related experience; or an advanced degree with relevant experience who can immediately contribute at this job step; or equivalent combination of related education and work experience.
Active Secret clearance
In accordance with DoD 8570.01M, the selected individual must meet the requirements of an IAM Level I as a condition of employment.
This position requires a minimum of 4 days a week on-site.
Preferred Qualifications:
Active Top Secret clearance
Experience with RMF, CNSSI 1253, NIST SP 800-53, and NISPOM. Experience with Security Technical Implementation Guides (STIGs) and Security Content Automation Protocol (SCAP) Compliance Checker (SCC). Knowledge of Information Assurance Vulnerability Alerts (IAVAs).
This requisition requires the candidate to have a minimum of the following clearance(s):
Secret
This requisition requires the hired candidate to have or obtain, within one year from the date of hire, the following clearance(s):
Top Secret
Work Location Type:
Onsite
MITRE is proud to be an equal opportunity employer. MITRE recruits, employs, trains, compensates, and promotes regardless of age; ancestry; color; family medical or genetic information; gender identity and expression; marital, military, or veteran status; national and ethnic origin; physical or mental disability; political affiliation; pregnancy; race; religion; sex; sexual orientation; and any other protected characteristics. For further information please visit the Equal Employment Opportunity Commission website EEO is the Law Poster (https://www.eeoc.gov/sites/default/files/2022-10/22-088_EEOC_KnowYourRights_10_20.pdf) and Pay Transparency (https://www.dol.gov/sites/dolgov/files/OFCCP/pdf/pay-transp_%20English_formattedESQA508c.pdf) .
MITRE intends to maintain a website that is fully accessible to all individuals. If you are unable to search or apply for jobs and would like to request a reasonable accommodation for any part of MITRE’s employment process, please email recruitinghelp@mitre.org .
Copyright © 2024, The MITRE Corporation. All rights reserved. MITRE is a registered trademark of The MITRE Corporation. Material on this site may be copied and distributed with permission only.
Benefits information may be found here (https://careers.mitre.org/us/en/benefits)
The MITRE Corporation
- The MITRE Corporation Jobs