Cloud Security Lead

Full Time
Remote
Job description
Overview:
At Criterion Systems, we developed a different kind of business—a company whose real value is a reputation for excellence built upon the collective skills, talents, perspectives, and backgrounds of its people. By accepting a position with Criterion Systems, you will join a group of professionals with a collaborative mindset where we share ideas and foster professional development to accomplish our goals. In addition to our great culture, we also offer competitive compensation and benefit packages, company-sponsored team building events, and advancement opportunities. To find out more about how Criterion can help you take your career to the next level, please visit our website: www.criterion-sys.com.

Criterion Systems is a Military/Veteran Friendly Company; therefore, we encourage Veterans to apply.
Responsibilities:

Cloud Security:

1. Assist in the review and design of cloud services and infrastructure in PHMSA.
  • Be a resource for consultation for system owners, developers, and other stakeholders in secure cloud solutions.
  • Maintain and update PHMSA AWS Services Playbook as needed.
  • Review all cloud related tickets in the Change Control Board process.
  • Collaborate with development teams to validate solution architecture within PHMSA cloud environment.
  • Ensure all cloud products / services are meeting configuration and vulnerability management compliance.
  • Review and approve change requests for cloud-based workloads.
  • Identify and communicate opportunities for improving PHMSA’s security posture within cloud environments.
  • Review PHMSA’s cloud environment configurations to establish/support a secure posture.
  • Provide guidance on security controls implementation for development teams based upon NIST control families.
2. Design and implement DevSecOps solutions in conjunction with system owners, developers, and other stakeholders.
  • Responsible for defining and implementing the build, deployment, and monitoring standards for PHMSA.
  • Monitor and support all installed systems and infrastructure.
  • Contribute to the design of information and operational support systems.
  • Coordinate with DOT Shared Services, PHMSA stakeholders and the ISSM to identify tools and capabilities.
  • Work with stakeholders to design solution(s) that address on-prem and cloud workloads.
  • Work with software developers and software engineers to ensure that development follows established processes and works as intended.
  • Oversee PHMSA’s security, backup, and redundancy strategies.
  • Manage, maintain and update DevSecOps solutions in accordance with SDLC.

IT Security Governance & Policy/Change Management:

1. Manages weekly change management board (CMB) processes, including:
  • Facilitate meeting/agenda – Weekly Change Control Board (CCB)
  • Validation/closure – post implementation
  • Document meeting minutes
  • Review current processes, suggest improvements and efficiencies
2. Support Security Control Assessments for (ATOs)/Continuous Monitoring
  • Provide response/supporting artifacts at the modal/program level to validate the implementation of controls per NIST/DOT requirements as needed.
3. Support the modal security team as needed.
4. Update CM SOPs as required.
  • Create, review, manage and maintain program documentation
  • Manage and maintain documents, policies, procedures, and SOPs for the modal cybersecurity program.
  • Review cybersecurity program documents, policies, and procedures to ensure they are adequately developed and in keeping with current best practices, federal law, regulations, and federal/departmental policy.
  • Create a review system for ensuring all documents for the cybersecurity program are reviewed at least annually and/or as needed.

Qualifications:


  • Must have a minimum of eight (8) years' experience.
  • Proficiency in implementation and management of cybersecurity related projects for the Federal government. Must have experience with security principles in relation to information technology risk management, vulnerability management, privacy assessments, and contingency planning.
  • Expertise in applying standards and guidance from National Institute of Standards and Technology Special Publications (NIST SP), Federal Information Processing Standards (FIPS), Federal Information Security Management Act (FISMA), Clinger-Cohen, Patriot Act, Office of Management and Budget (OMB) A-130, the DOT Departmental Information Resources Management Manual (DIRMM), and related computer security guidance through ongoing examination and analysis of cybersecurity projects.
  • Expertise in creating, reviewing, and analyzing system ATO documentation.
  • Knowledge in formation and implementation of DOT cybersecurity policies to ensure confidentiality, integrity, and availability of DOT information systems.
  • Proficiency with enterprise cybersecurity tools, such as: BigFix, Elasticsearch, Splunk, ForeScout CounterACT, SailPoint, CyberArk, and Tenable Security Center.
  • Expertise in maintaining infrastructure in a cloud environment.
  • Expertise in detecting, mitigating, and troubleshooting security threats to network infrastructure, verifying vulnerability mitigation, and managing security assessments.
  • Expertise in developing in AWS cloud.
  • Expertise in assessing current and emerging technologies, platforms, and applications to help ensure greater security and efficiencies.
  • Expertise with cloud orchestration tools and continuous delivery processes to deploy and manage cloud infrastructure for customers to consume.
  • Must be familiar with CDM capabilities (Network asset management, Identity and Access Management, Network Security Management, Data Protection Management), the tools that support them and how they are deployed within an enterprise.
  • Must have at least one Cybersecurity-related certification, for example: Certified Information System Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), GIAC Cloud Security Automation (GCSA), Certified Authorization Professional (CAP), GSDC Certified DevSecOps Engineer Certification or Global Information Assurance Certification (GIAC) Systems and Network Auditor (GSNA).
  • Proficiency in applying standards and guidance from National Institute of Standards and Technology Special Publications (NIST SP), Federal Information Processing Standards (FIPS), Privacy Act, Federal Information Security Management Act (FISMA), Clinger-Cohen, Patriot Act, Office of Management and Budget (OMB) A-130 and related privacy guidance through ongoing examination and analysis of Privacy Threshold Analysis (PTAs), Privacy Impact Assessments (PIAs), and Systems of Records Notices (SORNs).

Criterion Systems, LLC. and its subsidiaries are committed to equal employment opportunity and non-discrimination at all levels of our organization. We believe in treating all applicants and employees fairly and make employment decisions without regard to any individual’s protected status: race, ethnicity, color, national origin, ancestry, religion, creed, sex/gender, gender identity/gender expression, sexual orientation, physical and mental disability, marital/parental status, pregnancy (including childbirth, lactation, and related medical conditions), age, genetic information (including characteristics and testing), military and veteran status, or any other characteristic protected by law.
For our complete EEO/AA and Pay Transparency statement, please visit https://careers-criterion-sys.icims.com/ .
