• I develop ATO packages for assigned systems and this include System Security Plan(SSP), Contingency Plan(CP), Incidence Response Plan(IRP), Information System Risk Assessment (ISRA), Contingency Tabletop Test, After Action Report (AAR), Policies and Procedures documentations, etc. • Prepare assigned system for independent assessment.• Supports new system all the way to their ATO and beyond, making sure the system continues to maintain its security posture with regards to confidentiality, integrity, availability and privacy. I ensure systems are FISMA/FEDRAMP compliant.• Aids project teams in compiling documentations for Security Compliance Audit/Control Adaptive Capability Testing (SCA/ACT), Security Impact Analysis (SIA), Authority to Operate (ATO) and support in recurring and ongoing security assessment requirements.• Supports, implement, maintains, and monitor security and privacy controls in compliance with Federal Risk and Authorization Management Program (FEDRAMP), National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), FISMA requirements and guidance.• I work as a DevSecOps engineer responsible for implementing cloud security during the SDLC phases for our cloud-based applications. • Performs security testing SAST and DAST.• Performs vulnerability/risk assessment analysis to support certification and accreditation.• Collaborates with customers, senior agency officials, ISSOs, AO, system owners and other stakeholders to develop, update and maintain policies and procedures also to implement security solutions.• Manages changes to the system, assess the security and privacy impact of those changes may cause and make recommendations.• Tracks and maintains the completion Plan of Action and Milestones (POA&M), Risk Acceptance Form (RAFs) for weaknesses identified in security tests and audits.• Completes a Security Impact Analysis (SIAs) as part of each sprint within an agile development organization.

• Independently develop a variety of C&A deliverables including System Security Plans, Information Security Risk Assessments, E-Authentication Risk Analysis, Privacy Risk Assessments, Annual Assessments, Contingency Plans, Incident Response Plans, and FIPS 199 Security Categorizations, etc.• Work with programs to ensure security functions are implemented throughout all phases of the SDLC for the program(s) that are under their care.• Familiarity and experience with security monitoring tools and interpretation of vulnerability and risk assessment output.• Provide Federal Information Security Management Act (FISMA) support and subject matter expertise.• Recommend system architecture solutions based on industry best practices.• Perform periodic internal audits, vulnerability assessments, and application code testing.• Work with developers to support secure coding practices, explain application-related security findings and how to reproduce them, and make sure information security risks are managed throughout the SDLC phases.• Use automated tools to perform static source code and dynamic security testing to identify vulnerabilities and attack vectors in web applications.• Complete a Security Impact Analysis as part of an agile development organization.• Support, implement, maintain, and monitor security and privacy controls to comply with FISMA, HIPAA, FedRAMP, and NIST RMF requirements and guidance.• Plan, document, implement, assess, maintain, and monitor security and privacy controls following requirements, policies, standards, processes, and procedures documented in the CMS BPSSM, ARS 3.1, TRA, and RMH.• Support audits, assessments, and penetration test-related documentation requests and vulnerability remediate efforts.• Document and maintain a Plan of Action and Milestones (POA&M) for weaknesses identified in security tests and/or audits.• Maintain current knowledge of relevant security and privacy trends and technology

• Developed, updated, and reviewed A &A documentation to include System Security Plan (SSP), Information System Risk Assessment (ISRA), Tabletop test exercise, After Action Report (AAR), Incident Response Plan (IRP), Contingency Plan (CP), Plans of Action and Milestones (POA&Ms), ATO debrief slide and Risk Assessment Reports• Performed security testing using vulnerability scanning tools such as NESSUS, Burp Suite, and Veracode.• Scrutinized all mitigation for vulnerabilities, apply appropriate mitigation to systems and report compliance in the vulnerability management tool.• I supported new system all the way to their ATO and beyond, making sure they are continuing to maintain their security posture and they are FISMA compliant.• Implemented and enforced information systems security policies, standards, and methodologies• Evaluated security solutions to ensure they meet security requirements and document the implementation of security controls in the SSP using NIST 800-53 Rev 4 and NIST 800- 53 A as a guide.• Experienced in assisting with the implementation of an automated CI/CD DevSecOps pipeline.• Supported, implemented, maintained, and monitored security and privacy controls in compliance with FISMA, HIPAA, FedRAMP, and NIST RMF requirements and guidance. • Involved with developing, reviewing, and updating policies and procedures, audit, and compliance with but not limited to RMF, NIST and FISMA. • Worked with developers to refine security checkpoints in the SDLC and ensure information security risks are managed throughout all the phases of the SDLC.• Worked with system administrators to resolve POA&Ms, gather artifacts and create mitigation memos, and corrective action plans to assist in the closure of POA&M. • Utilized GRC tools such as CSAM to create, track, and update remediation on Plan of Actions and Milestones (POA&Ms) for findings identified through security controls assessments, security tests, vulnerability scans, and compliance.

• Tremendous knowledge in network security monitoring and incident response, and strong written, technical, and communications skills.• Implemented information system continuous monitoring program in addition to streamlining access configuration management programs to ensure compliance with organization policy and procedures.• Monitored and analyzed network traffic, Intrusion Detection Systems (IDS), security events and logs.• Worked with Security Operation Center Engineers to operate Intrusion detection and prevention systems (IDS/IPS) such as SNORT to analyze and detect Worms, Vulnerabilities exploits attempts. • Monitored events responded to incidents and reported findings. • Utilized Security Information and Event Management (SIEM), Intrusion Detection & Prevention (IDS / IPS), Data Leakage Prevention and malware analysis tools. • Used Splunk to search and analyze email logs to confirm malicious emails were not delivered or are quarantined and malicious attachments dropped.• Communicated with other security analyst to address security threats and incidents and developed follow-up action plans to resolve reportable issues.• Prioritized and differentiated between real intrusion attempts and false positive alerts.• Provide 24 x7 operational support for escalations on a rotating shift basis.