Security Control Assessor (Ft. Belvoir, VA)

Position Location: Fort Belvoir, VA

The candidate will perform security controls assessments that are an integral part of the Assessments and Authorizations process. The candidate will perform A&A scanning, comprehensive assessment testing, penetration testing, documentation, reporting, and analysis requirements. This includes performing dedicated functions for all client missions involved with Assessments and Authorizations or compliance with applicable National Intelligence Community or Department of Defense information security guidance.

The IA professional will perform comprehensive security assessments of identified and applied security controls; provide summaries of initial assessments in Security Assessment Reports (SAR) addressing the technical evaluation and results of assessment, identify weaknesses or deficiencies, and recommend corrective actions for risk mitigation. They will perform and assess the degree to which a system is compliant with operating systems, network, and application security STIG reviews. The IA professional will perform host and network based security control assessments, determine residual security risks, prepare assessment test reports, prepare and assess test plans, and provide formal recommendations in support of authorization.

They will perform mobile device and mobile application security reviews and document results of such reviews. Provide testing support for evaluations and shall provide specific test plans and testing services tailored to security controls of the systems being tested. The tester will use client accepted tools and techniques, including but not limited to manual testing, web assessment software, vulnerability scanning, pen testing tools, and in house scripts as approved by the client. Test may be conducted either remotely or locally on the systems to ensure compliance and to identify security vulnerabilities, risks, threats, and gaps. The IA professional will assist with providing detailed test plans and conducting security testing of security controls specific to security boundaries, including Cross Domain Solutions (CDS). They will augment cyber penetration testing activities in the planning, execution, tracking, and reporting of Blue/Red Team Assessments consisting of identifying and exploiting vulnerabilities on client systems. In this role, they will coordinate and conduct Blue Team assessments to identify vulnerabilities and correct weaknesses in client networks. The Blue Team will work cooperatively with Key Components (KCs) to provide notification and make recommendations to mitigate those vulnerabilities and assist in corrective actions.


  • Must have current TS/SCI and able to pass polygraph with 60 days of hire
  • Working knowledge of NIST SP 800-53A, ICD 503, FISMA, DCID 6/3, relationships between IC and DoD policies for assessment and authorization
  • Skill in using network analysis tools to identify vulnerabilities
  • Skill in assessing the robustness of security systems and designs
  • Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
  • Skill in developing and apply security system access controls
  • Skill in assessments of industry IT operating system, software database, or hardware
  • Skill in systems engineering, requirements analysis, system development, software development, or
  • hardware development as applied to the information assurance or cyber security field
  • Ability to prepare the various types of security related documents
  • Ability to conduct vulnerability scans and recognize vulnerabilities in security systems
  • Ability to evaluate the trustworthiness of the supplier and/or product
  • Ability to evaluate the adequacy of security designs
  • Ability to establish effective working relationships internally and externally to the client organization
  • Must have 8570 (IAM or IAT level III cert)



  • Working knowledge of roles and procedures of red/blue team activities
  • Working knowledge of commercial or military software development methodologies, process, and
  • standards
  • Working knowledge of web services protocols, including Simple Object Access
  • Protocol (SOAP), Web Services Description Language (WSDL), and Universal
  • Description, Discovery and Integration (UDDI)
  • Working knowledge of structured content tools and languages, and content management systems
  • Experience using XACTA
  • Developed technical documentation and white papers
  • Knowledge of virtualization technologies and virtual machine development and maintenance
  • Knowledge of emerging security issues, risks, and vulnerabilities
  • Skill in identifying gaps in technical capabilities and in talking to others to convey information
  • effectively
  • Experience within the Intelligence Community
  • Certified 8570 IAM or IAT level 3, (CISSP, CISM, CASP, CISA or GSLC certification – CISSP preferred)


Typically requires a Master’s degree or equivalent and 10+ years related experience.