Robert Lester Email and Phone Number

Supports all tasks within the Risk Management Framework (RMF) 2.0 requirements and objectives directly supporting the USDA OCIO ISC FISMA and Audit endeavors. Reviews new and existing audit methods, procedures, techniques, and approaches to ensure proper security criteria, guidance, and methodology is applied to USDA cybersecurity audits. Responsible for implementation of standardized audit/FISMA processes as defined by the Audit/FISMA Implementation Guide. Coordinate and publish a standardized audit process that enhances organization communications around audits to positively impact FISMA and FITIRA scores. Responsible for implementing FISMA Audit strategy across USDA, conducting internal mock audits with OCIO and agency, and recommending updates for USDA policies and procedures to align with RMF 2.0.

• Supported department on filling high priority work including monitoring and issues validation activities.• Provided oversight and guidance with ongoing audits on Information Security Strategy and Oversight, Cyber Threat Management, Data Loss Prevention, Information Security Risk Identification & Assessment (ISRA), IAM Solutions Management, and IAM Privileged Access Management.

• Responsible for selecting contract personnel to provide ongoing support to Carefirst/Trusted Health Plan (THP) with information systems security compliance and operations support, as well as with strategic support to the Chief Information Officer (CIO). • Organized contractor personnel and sub-contractors to perform SOW and complete contract deliverables including Security Health Support, Vulnerability Scanning and Assessments, Penetration Testing and Recommendations, Cloud Migration and System Support. • Consulted on the development of security and privacy policies and procedures and other governance related processes in accordance to NIST 800 and federal privacy regulations including the Privacy Act and HIPAA. • Helped establish capabilities within Carefirst/THP to deliver next generation health information systems and security architecture that serves as the foundation for Carefirst/THP business operations and strategic growth.

• Responsible for selecting contract personnel to provide ongoing support for Crowley information security project including system security plans, risk assessments, controls assessments, Business Impact Analysis (BIA), Business Continuity Plans (BCP).• Organize and manage contractor personnel to perform SOW and complete project deliverables.• Develop plans for system security, risk and control assessments. • Provide support on security access controls, processes, procedures, policies, and compliance reporting. • Perform security assessments for readiness for NIST 800-171 compliance, provide audit support, and prepare and present assessments reports. • Coordinate reviews with stakeholders.

• Collaborated in an Agile team environment to evaluate and enhance identity and access management solutions, ensuring robust protection against unauthorized access, use, or disclosure in line with privacy risk mitigation objectives.• Leveraged and implemented privacy-enhancing technologies to securely analyze and mine customer data without compromising sensitive information reducing privacy risks. • Ensured project design aligned with the National Strategy for Trusted Identities in Cyberspace (NSTIC) guiding principles.• Implemented privacy protocols and best practices including drafting customer’s informational and disclosure communications related to the identity and access management solution, significantly improving stakeholder engagement and project transparency.

• Analyzed enterprise audit findings and POAMs for NIST control mapping and recommended closure evidence determinations using the NIST 800-37 Risk Management Framework and FISCAM.• Established the enterprise continuous monitoring program.• Managed control design and provided process review assistance for IT Access Control, Configuration Management, and Cybersecurity Management, related POAM remediation efforts.

• Created system security plans to include content and development of control implementation description responses for the SOL Evidence Management System. • Mapped of NIST security controls via the SP800-53 series to systems under FISMA or FedRAMP requirements.• Created the FIPS-199 content for the categorization of systems under FISMA and FedRAMP requirements.• Created the evidence and artifact repositories for system security plans tracking to applicable security controls.• Worked directly with federal clients to analyze the drafting, review, and implementation of privacy policies and procedures.• Conducted a FedRAMP readiness study to provide the Agency with an assessment of their capabilities to achieve FedRAMP accreditation. This includes performing a current state FedRAMP readiness review of the Agency on-premises cloud capabilities and providing the Agency with a roadmap to become FedRAMP accredited.• Reviewed existing DOL/SOL security documentation, performing interviews of key personnel, and reviewing technical control implementations of the existing Cloud environments.• Collaborated with the 3PAO to prepare application materials demonstrating that the organization met both technical competence in security assessment of cloud systems and management requirements for organizations performing inspections• Developed NIST / FISMA / FedRAMP SA&A documentation for systems and networks undergoing certification and validate the quality of deliverables produced by the team• Assessed risks, identified mitigation requirements and developed accreditation recommendations; responsible for tracking SA&A requirements for assigned systems within the agency and validate that tasks are on schedule, and ensure the delivery of quality documentation• Assisted in the creation of SA&A packages with the responsibility for gathering information from system owners, applying data to the appropriate templates, and attending meetings in support of the effort

• Developed and updated the information systems security documentation templates (e.g. System Boundary development, System Security Plan (SSP), Contingency Plan, Contingency Plan Test, Business Impact Analysis, FIPS-199, eAuthentication, Privacy Threshold Analysis, etc.) based on changing NIST and federal guidance.• Trained and assisted System Owners, ISSOs and other Stakeholders in understanding documentation requirements. Review completed templates to ensure completeness and accuracy.• Collaborated with security engineers and architects to ensure all controls are met through the design and build process• Developed NIST / FISMA SA&A documentation for the SOL Matter Management System and validated the quality of deliverables produced by the team.• Assessed risks, identified mitigation requirements and developed accreditation recommendations; responsible for tracking SA&A requirements for the SOL MMS and validated that tasks were on schedule, and ensured the delivery of quality documentation.• Assisted in the creation of the SA&A package with the responsibility for gathering information from the ISSO and system owner staffs, applying data to the appropriate templates, and attending meetings in support of the effort• Recommended, support and maintain a security document management solution for a Security Assessment and Authorization program to include FIPS 199, Privacy Impact Analysis, System Security Plans, Security Assessment Plan, Security Assessment Report, Contingency Plan Table Top Test Report, Plan of Action and Milestones (POA&M) management, Risk Assessment and Waiver management documentation and other supporting documents as required for system accreditation's.• Oversaw the coordination of IT Business Continuity and Disaster Recovery planning to ensure the SOL MMS could respond to a disaster so that critical business functions can be resumed within a defined time frame and data loss is minimized

• Worked directly with the CNCS CISO and General Counsel to analyze the drafting, review, and implementation of privacy policies and procedures.• Advised on best practices regarding privacy, security, and confidentiality trust principles.• Conducted privacy program gap and maturity assessments and identify areas for remediation• Administered and maintained the CNCS inventory of Personally Identifiable Information (PII).• Provided guidance and support on CNCS System Certification and Accreditation projects.• Educated federal personnel and system owners on the impact of existing and emerging privacy frameworks (Privacy Act, FISMA) legislation, and trends.

• Trained, monitored and supported agency in updating control narratives.• Reviewed updated control narratives and concluded on control design.• Developed NFRs based on results of design assessment.• Reviewed & evaluated results of C&A and SSA testing of A-123 key controls.• Developed IT and cybersecurity audit plans and programs.• Performed testing of remediation activities completed by component agencies.• Created Prepared by Client (PBC) List & Submit.• Reported findings and determined further actions.• Performed research and analysis of DOL systems, cybersecurity posture, capital IT programs, IT contract compliance, and security programs, including personnel structure, architecture, policies and procedures, incident handling, awareness training, disaster recovery and business continuity.• Conducted IT and cyber security assessments, sample testing, and investigations of complex information technology including evaluating whether security vulnerabilities are properly identified and mitigated, telecommunications and other technical services contracts, their procurement, management, and oversight.• Prepared and examined technical assessment findings and providing general assistance to the audit staff in the development of final reports.• Performing audit procedures and tests necessary to meet audit objectives in compliance with Generally Accepted Government Auditing Standards including Information Technology and Security standards; preparing audit work papers, memos, letters and drafting audit report findings and recommendations.

• Reported directly to the Chief Information Security Officer as contract project manager.• Developed and maintained project schedule for the Department of Labor compliance and oversight, and cybersecurity program management functions. • Responsible for selecting contract personnel.• Responsible for organizing contractor personnel (7) to perform SOW and complete contract deliverables. • Established the agency Risk Management and Compliance Program.• Oversaw the development and maintenance of the Department of Labor Computer Security Handbook.• Oversaw the entity wide NIST 800-53 control implementation via CSAM for all DOL federated agencies.• Responsible for establishing the evaluation criteria for the review of agency FISMA compliance and ATO packaging.• Assisted in responding to requests for information from OMB A-123, FISMA, GAO, and external auditors. Follow Agency procedures to gather and track information

• Overall program management office for ICT-21 (Standup and implementation two new data centers, including transition of 300+ applications).• Developed and maintained integrated project schedule for FDA and three IT contractors. • Developed project management planning documents.• Established and maintain project eRoom and project management databases. • Established and oversaw ICT21 processes for action items, risk and issue management, and dashboard reporting.• Analyzed and developed strategic plans, contingency plans, and/or mitigation strategies to address schedule risks and impacts.• Managed the project support team.• Tasked with providing effective and clear communications through both Leadership level presentations and technical communications (verbal and written).• Ensured that project deliverables were met within schedule, budget and quality goals, while working with the Project Sponsors to establish overall project objectives and key metrics that were required to meet project goals.• Provided ongoing project management oversight for assigned security project while ensuring that the impacted teams clearly understood the desired security goals and benefits.• Coordinated and ensured the appropriate resolution of project issues and managed the cross-functional processes for assigned projects; Risk assessment and development of risk mitigation plans in conjunction with their supervisor for assigned projects.

• Performed A-123 assessments of Major Applications and General Support Systems (i.e. HHS NET, Payment Management System (PMS), Unified Financial Management System, and DPM local area network).• Established the DPM Role Based Access Control process for the PMS.• Designed management, operational, and technical control processes and lead led staff to remediate SAS-70, A-123, and FMFIA audit findings. • Lead the documentation of the DPM LAN management processes. Developed a change management process for the PSC Systems Accounting Branch to remediate audit findings.

• Facilitated the FCSO Cybersecurity and Privacy program and assured necessary safeguards were in place and working.• Coordinated system security and privacy activities throughout the organization.• Ensured that cybersecurity requirements were considered during budget development and execution.• Reviewed compliance of all components with the CMS/Federal privacy and cybersecurity regulations and reported vulnerabilities to management.• Established an incident response capability, investigated systems security breaches, and reported significant problems to FCSO management, and CMS.• Ensured that technical and operational cybersecurity controls were incorporated into new IT systems by participating in all business planning groups and reviewing all new systems/installations and major changes.• Ensured that cybersecurity and privacy requirements were included in RFPs and subcontracts involving the handling, processing, and analyzing of Medicare data.• Maintained systems security documentation in the Systems Security Profile for review by CMS and external auditors.• Developed comprehensive cybersecurity policies, procedures, and standards that provided accountability and direction for all operational and support units.• Performed threat vulnerability-based risk assessments.• Ensured that an operational Information Technology Systems Contingency plan was in place and tested • Documented and managed FCSO’s cybersecurity and privacy Corrective Action Plans.• Represented cybersecurity program in contract bid proposals and oral presentations.• Managed staff and a one million dollar budget within 1% of target

• Performed comprehensive cybersecurity vulnerability assessments for various clients in the energy, insurance and financial services industries.• Participated in the development and trial of PWC’s HIPAA security assessment methodology.• Produced policies, standards and procedures regarding authentication, authorization, and data security.• Executed a technical controls assessment of imaging system (NT environment) and EDI systems (AIX) – Blue Cross Blue Shield of FL • Re-developed Cybersecurity System Access Authorization policies and procedures – PJM Interconnection• Performed a technical controls assessment of NT systems – Centura Bank• Performed a technical controls assessment of NT, Novell, Cisco, and AIX systems – Protective Life Insurance• Developed and implemented information assurance/security standards and procedures• Interacted effectively with co-workers and clients at all levels, as to foster and maintain strong working relationships.• Coordinated, developed, and evaluated security programs for an organization; recommends information assurance/security solutions to support customers’ requirements• Actively participated in client discussions and meetings

• Coordinated the overall development and implementation of the agency Cybersecurity Program • Researched, developed, wrote & maintained agency cybersecurity policies and standards (for access control, encryption, workstation security, and network security)• Supported the expansion, continuous improvement & implementation of a global agency wide cybersecurity awareness & training program• Worked with senior management to ensure that cybersecurity policies & training initiatives reflect business priorities• Produced audit reports and risk assessments to ensure compliance with standards and procedures• Evaluated cybersecurity incident reports, and recommend more efficient access methods• Functioned as approval authority and liaison for 130 statewide health units, divisions, and offices

• Managed 350+ client database• Processed insurance and securities applications• Setup sales appointments• Managed client relations and supported clients with account information and access to funds