Senior Cyber Risk Manager

Job description

Why choose between doing meaningful work and having a fulfilling life?

At MITRE, you can have both.

That's because MITRE people are committed to tackling our nation's toughest challenges—and we're committed to the long-term well-being of our employees.

MITRE is different from most technology companies.

We are a not-for-profit corporation chartered to work for the public interest, with no commercial conflicts to influence what we do.

The R&D centers we operate for the government create lasting impact in fields as diverse as cybersecurity, healthcare, aviation, defense, and enterprise transformation.

We're making a difference every day—working for a safer, healthier, and more secure nation and world.

Our workplace reflects our values.

We offer competitive benefits, exceptional professional development opportunities for career growth, and a culture of innovation that embraces adaptability, collaboration, technical excellence, and people in partnership.

If this sounds like the choice you want to make, then choose MITRE - and make a difference with us.

Department Summary:

The Information Systems Security (ISS) Department (R) within the Global Security Services Division (R) manages various aspects of information systems security as it relates to controlled unclassified and classified information systems within the confines of MITRE across multiple operating locations.

The department provides information assurance support for a system or enclave's information security program through security authorization activities in compliance with The Risk Management Framework (RMF).

The department maintains an operational security posture to ensure information systems, security policies, standards, and procedures are established and followed.

The department performs vulnerability/risk assessment analysis to support Assessment & Authorization (A&A).

Provides configuration management (CM) for information system security software, hardware, and firmware.

Manages changes to system and assesses the security impact of those changes.

Prepares and reviews documentation to include System Security Plans (SSPs), Risk Assessment Reports, A&A packages, and Security Controls Traceability Matrix (SCTM).

Roles & Responsibilities:

The Senior Cyber Risk Manager provides support for a system or enclave's information assurance program through security authorization activities in compliance with Risk Management Framework (RMF).

Maintains operational security posture to ensure information systems (IS) security policies, standards, and procedures are established and followed.

Performs auditing, vulnerability/risk assessment analysis to support Assessment & Authorization (A&A).

Provides configuration management (CM) for information system security software, hardware, and firmware.

Manages changes to system and assesses the security impact of those changes.

Prepares and reviews documentation to include System Security Plans (SSPs), Risk Assessment Reports, A&A packages, and Security Controls Traceability Matrix (SCTM).

Responsibilities include:

• Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
• Ensure that cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
• Document and escalate incidents (including events history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
• Perform cyber defense trend analysis and reporting.
• Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
• Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
• Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
• Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).
• Assess adequate access controls based on principles of least privilege and need-to-know.
• Work with stakeholders to resolve computer security incidents and vulnerability compliance.
• Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
• Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
• Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
• Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
• Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
• Perform risk analysis threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
• Provide input to the Risk Management Framework process activities and related documentation system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
• Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
• Assure successful implementation and functionality of security requirements and appropriate IT policies and procedures that are consistent with the organization's mission and goals.
• Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
• Support necessary compliance activities ensure that system security configuration guidelines are followed, compliance monitoring occurs).

Basic Qualifications:

• Bachelor’s Degree and 5 years related experience or equivalent combination of related education and work experience within a Cyber/Security role.
• Active Secret clearance
• Per the Government’s eligibility requirements, you must be a Citizen to be considered for a security clearance.
• In accordance with DoD 0 (0), the selected individual must meet the requirements of an IAM Level I as a condition of employment.
• This position has an on-site requirement of 5 days a week on-site.

Preferred Qualifications:

• Active Top Secret clearance
• IAM Level II or higher
• Experience with RMF, CNSSI 3, NIST SP -, and NISPOM.
  
  Experience with Security Technical Implementation Guides (STIGs) and Security Content Automation Protocol (SCAP) Compliance Checker (SCC).
  
  Knowledge of Information Assurance Vulnerability Alerts (IAVAs).

This requisition requires the candidate to have a minimum of the following clearance(s):

This requisition requires the hired candidate to have or obtain, within one year from the date of hire, the following clearance(s):

Salary compensation range and midpoint:

Work Location Type:

It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment.

An employer who violates this law shall be subject to criminal penalties and civil liability.

Commitment to Non-Discrimination

All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran or any other status protected by applicable federal, state, local or international law.

MITRE intends to maintain a website that is fully accessible to all individuals.

If you are unable to search or apply for jobs and would like to request a reasonable accommodation for any part of MITRE’s employment process, please email
This service is for individuals requiring reasonable accommodation requests.

Please note that vendor solicitations will not receive a reply.

Benefits information may be found here.