Cyber Security Analyst Level II

Job Description

Job Description

Blackwatch International Corporation (Blackwatch) is a small business founded in 2010 and dedicated to supporting Federal business and national security objectives. Our headquarters are in McLean, VA, with satellite offices in Sacramento, CA.

Blackwatch invests in innovation and quality for our customers and staff, holding corporate-level ISO 9001:2015, ISO/IEC 27001:2013, and ISO/IEC 20000-1:2018 and CMMI Level 3 certifications. We are a leading provider of information technology (IT) infrastructure, cybersecurity, DevSecOps, data exploitation, and engineering services, specializing in large and complex projects. Blackwatch is dedicated to growth and offers a dynamic working environment with multiple opportunities for advancement.

Position Description: Possesses and applies a comprehensive knowledge across key tasks and high impact assignments. Plans and leads major technology assignments. Evaluates performance results and recommends major changes affecting short-term project growth and success. Functions as a technical expert across multiple project assignments. May supervise others.

Position Title: Cyber Security Analyst Level II

Position Location: On-site in Alexandria, VA; remote (if authorized)

Position Type: Regular

Years of experience: 5

Security Clearance: Public Trust

US Citizenship Required: Yes, must have Real ID

Summary

The scope of work for effort includes infrastructure Hosting (On-premise internal cloud only) – Compute support provides vital services in the provision and maintenance of those resources through a focus on the workflows and methodologies of how compute is created, maintained, and recaptured to deliver timely compute resources to customers, faster, and right sized while ensuring products stay secure and stable. Compute services provide engineering, and security and operations maintenances support for Server Operating Systems, as well as, requirements analysis and design, to ensure adherence to standards & policies for any USPTO Product or Component.

Objectives: Security OperationsInformation Assurance, RMF A&A, and documentation

• Combined scope: Provide NIST-based IA governance, full RMF A&A lifecycle support (Categorize → Authorize → Monitor), and produce/update required artifacts (SSP, PTA/PIA, CAW, FIPS-199, PIAs, Contingency Plans, and associated A&A artifacts where applicable).
• Rationale: RMF activities and IA documentation are tightly coupled—same knowledge, same deliverables.
• Acceptance criteria / metrics: SSP and associated artifacts updated within 30 calendar days of change; A&A artifacts produced for all major systems within 5 business days when requested.

Vulnerability & Configuration Management (KEV handling and scan tuning)

• Combined scope: Perform vulnerability/compliance scan analysis, false-positive validation, REGEX/signature tuning, root-cause analysis, prioritization (KEV-first), and feed findings into POA&Ms and remediation actions. Track vulnerability lifecycle to ensure vulnerability closure ≤180 days unless exception approved.
• Rationale: Scan analysis, signature tuning, and KEV remediation are one continuous remediation workflow.
• Acceptance criteria / metrics: Help ensure at least 50% of KEVs remediated by associated CISA deadlines; For non-KEVs help ensure vulnerabilities are closed within timeframes dictated in the Vulnerability Management Policies; false-positive suppression documented with expiry.

Baseline Management and Hardening

• Combined scope: Maintain and update security configuration baselines for OS/network/middleware/databases ; align with CIS/STIG/DISA; perform impact analysis and coordinate deployment of baseline changes with the OCISO Enterprise Scan Team. Time to notify OCISO Enterprise Scan Team should be within 15 calendar days of security configuration baseline release.
• Rationale: Baseline creation, STIG/CIS adoption, and coordination with scanning are the same change management activity.
• Acceptance criteria / metrics: Security Configuration Baselines should be at least 90% compliant to the associated DISA or CIS benchmark; time-to-deploy new benchmark ≤ 45 calendar days from approved release to OCISO scan policy change.

Identity, Privileged Access, and DHS CDM Initiatives

• Combined scope: Implement and support IdAM (e.g., Okta), Privileged Access Management (CAPAM or equivalent), and CDM program technical integration; produce integration runbooks and control evidence.
• Rationale: IdAM, PAM, and CDM are identity/credential posture functions that share controls and evidence requirements.
• Acceptance criteria / metrics: Integration runbook delivered; % of high‑risk privileged accounts under vaulting/policy; CDM dashboard metrics updated per schedule.

Cloud Security and Cloud A&A

• Combined scope: Support RMF/FedRAMP-tailored A&A for cloud systems, produce cloud responsibility/control matrices, collect cloud-native evidence, and maintain continuous monitoring for cloud environments.
• Rationale: Cloud A&A and cloud control mapping are a single domain of work and require different deliverables but the same ownership.
• Acceptance criteria / metrics: Cloud A&A packages

Security Operations, Tooling, and Automation

• Combined scope: Operate and integrate scanners and security tools (Tenable/DBProtect/HP WebInspect, CSAM repo), maintain detection rules and regex for signatures, provide scripting support (Linux/Windows/Python/PowerShell), and integrate network devices (Cisco/Juniper) and IPv6 assessments.
• Rationale: Tool operations, automation, tunings, and scripting are continuous SOC/scan support functions.
• Acceptance criteria / metrics: Tools and scans run per schedule; automation scripts stored in repo with versioning; mean time to validate scan findings. Assist Product Teams to integrate with Reference Pipeline.

POA&M Management, Remediation Coordination, and Knowledge Transfer

• Combined scope: Maintain POA&M lifecycle (intake→assign→remediate→verify→close), provide remediation planning and translation for technical leads, and deliver training and job aids for sustainment.
• Rationale: POA&M administration and knowledge transfer are part of remediation operations and change acceptance.
• Acceptance criteria / metrics: POA&M aging distribution; 60% POA&Ms closed on schedule; number of training sessions and job aids delivered.

Incident Response Support and Enterprise Operations Command Center (EOCC) Coordination

• Combined scope: Provide incident triage, forensic collection guidance, containment/eradication support, and follow-up lessons learned that feed POA&Ms and baselines.
• Rationale: Incident response is discrete but tightly linked to remediation and baseline updates.
• Acceptance criteria / metrics: Rally artifact coverage for security work; sprint predictability and throughput metrics; At least 90% data call submission timeliness.

Agile Delivery, Reporting, and Data Calls

• Combined scope: Provide Scrum Master services, create Rally artifacts for POA&M and remediation work, manage sprints/epics/stories, and support USPTO data calls with timely, quality submissions and SME coordination.
• Rationale: Agile management, reporting, and data-call delivery are governance and transparency functions supporting technical work.
• Acceptance criteria / metrics: Rally artifact coverage for security work; sprint predictability and throughput metrics; At least 90% data call submission timeliness.

Compliance & External Directives Impact Assessment

• Combined scope: Monitor and assess DHS/OMB memos, CISA BODs, and other directives; map to controls and operational actions; track and report compliance status and exceptions.
• Rationale: Agile management, reporting, and data-call delivery are governance and transparency functions supporting technical work.
• Acceptance criteria / metrics: New BOD/memo assessed within 15 calendar days; compliance register updated; exceptions documented and approved.

Responsibilities:

Lead a small team, focused on security services and solutions in support of the ten objectives listed above. The manager will take responsibility for:

• Developing the Project Management plans and other contract documents
• Directing the day-to-day efforts of technical personnel.
• Ensuring the quality of deliverables: cyber documentation, software, engineering and testing plans, or network installations.
• Monitors activities under the contract to ensure that all activities are executed in accordance with contract requirements and the COR’s direction.

Minimum Qualifications:

Possesses and applies expertise on multiple complex work assignments. Assignments may be broad in nature, requiring originality and innovation in determining how to accomplish tasks. Operates with appreciable latitude in developing methodology and presenting solutions to problems. Contributes to deliverables and performance metrics where applicable. Experience across the following is required:

• Support of Operations Security and Remediation Team’s role providing technical advice and National Institute of Standards and Technology (NIST) based information assurance governance guidance.
• Strong Knowledge of the NIST Risk Management Framework (RMF) to perform technical support for annual Assessment and Authorization (A&A) security assessments performed by Office of the Chief Information Security Officer (OCISO).
• Strong Understanding of all the NIST RMF Assessment and Authorization (A&A) documents and how to use the following but not limited to: Privacy threshold analysis (PTA), Privacy Impact Assessment (PIA), Control Assessment Worksheet (CAW), E-Auth, FIPS 199.
• Transfer of Knowledge on managing Plans of Actions and Milestones (POA&Ms) for weakness remediation.
• Strong Knowledge of the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) memo/Binding Operational Directives (BODs) impact assessment.
• Group to develop, update, and manage, cybersecurity documentation: System Security Plans, Privacy Assessments, Contingency Plans, Federal Information Processing Standard Publication 199 (FIPS-199) categorization changes Security Impact Assessments, etc.
• Perform Technical support for Department of Homeland Security (DHS) initiatives that require implementation (such as Continuous Diagnostics and Mitigation (CDM) using Okta and Certificate Management-Privileged Access Management (CA-PAM).
• Analyze vulnerability and compliance scans for false positive identification and evaluate in terms of operational system data in coordination with Product Team Leads.
• Track and establish cause of vulnerabilities that are precise but no more than 180 days.
• Review/Update/Create system security configuration baselines – revise as necessary as the Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG).
• benchmarks are updated and coordinate changes with associated OCISO Enterprise Scan Team’s compliance configurations upon three days of release.
• Support teams to define and prioritize actionable timely recommendations for addressing compliance and vulnerability issues for network, operating systems, middleware, databases, and application. With experience leading remediation of Known Exploitable Vulnerabilities (KEVs).
• Strong Understanding of the Federal Information Security Modernization Act (FISMA) systems, and National Institute of Standards and Technology (NIST) controls and support on how to implement them – potentially how to automate them whether through process, NIST OSCAL programming or other common scripting languages (e.g. Python).
• In depth knowledge with networking, operating system, and middleware builds (configuration baselines).
• In depth knowledge with CLOUD and Federal Information Security Management Act (FISMA) processes to include customer control metrics security tools and options.
• Provide support with the Regular Expression (REGEX) for understanding/editing scan signatures.
• Provide support, oversight, review, log data, network operation and security, and analysis for the following but not limited to: Scripting for Linux, Windows, Tenable, DBProtect, HP WebInspect, CSAM (the official cybersecurity repository), Juniper, CISCO, advance tools, IPv6.
• Cloud security: to manage Assessment and Authorization (A&A) work for those systems
• Use Rally to manage Epics, Features, and User Stories; provide Scrum Master services to create Rally artifacts and Agile documentation; translate Plan of Action and Milestones (POA&M) findings into clear, actionable guidance for technical leads and track remediation progress in Rally.
• Supporting USPTO Data Calls and ensuring timely and completed submission, collaborating with subject matter experts.
• Support incident response activities with Enterprise Operations Command Center.
• Support new tools as required.

Desired Qualifications (not required, but a huge plus):

• Experience with Rally and agile ceremonies.
• Python coding
• Experience using the Cybersecurity Asset Management (CSAM) system for customer base.