Government Administration
Technology, Information and Media
Active

Carleton B

Cybersecurity Leader | Cloud & Risk Strategist | ISSO | FedRAMP & FISMA Expert | Aspiring CISO

About Me

With 10+ years of experience securing cloud and hybrid infrastructures across federal and commercial sectors, I specialize in building secure-by-design programs that balance risk, compliance, and innovation. I've led initiatives protecting over 40 systems, shaped enterprise policy, and helped organizations gain and maintain ATO in regulated environments. My passion lies in transforming security into a business enabler: integrating FedRAMP, NIST, and ISO standards into security operations that support growth. I'm now building the next chapter of my career toward a CISO path, where I can bring security strategy to the executive table.

Jurisdiction

United States

Experience

Seniority Level: Mid-Senior level
Years of Experience: 6-10 years
Current Status: Active

ISSO, DMI
2022 - 2025

Responsible for continuous monitoring activities for 25+ systems, including monitoring dashboards for alerts of security threats, performing security documentation reviews, reviewing and developing mitigation for vulnerability assessment reports and POA&Ms, and proposing potential enhancements for systems security. Led SEC A&A activities for 15 of my portfolio systems. Took part in efforts to migrate on-premise systems to the AWS environment. Experience with AWS security tools (e.g., CloudTrail, CloudWatch). Worked with the AWS team and stakeholders to ensure application(s) are compliant with the Federal organization's security guidelines, meet FISMA requirements (moderate, high), and complete application-level authorization to operate (ATO). Helped the AWS cloud team stay compliant with required reviews in accordance with their SSP (i.e., access control list, configuration changes, approved change requests, etc.). Worked with the AWS team and organizational leadership to help influence and drive AWS LZ customer compliance in the form of data classification, regulatory obligations, and other security goals. High familiarity with using FedRAMP packages for the information system, specifically with creating the System Security Plan and CIS. Updated security documentation annually and documented any changes via Confluence and SharePoint. Documented and maintained knowledge of all relevant NIST 800-53 controls for each IT system for which the ISSO is responsible. Performed risk assessments on relevant systems to protect against vulnerabilities. Attended monthly Cornerstone Town Hall meetings and presented findings to various stakeholders. Assisted in developing and executing the agency Certification & Accreditation Program using Archer on a day-to-day basis. Currently using NIST 800-53 rev 5.

Security Program Manager, BreakForth Solutions
2024 - 2025

Ensured releases for production deployment followed ISO 20000 and 27001 standards and organizational processes. Secured design, architecture, implementation, and secure development life-cycle (SDLC) practices, including security testing. Created security guidance and documentation and developed security tools and automation. Developed and delivered security training and outreach to internal development teams. Led security projects (including security reviews, tool development, and creation of new security practices) with end-to-end ownership. Maintained the accreditation package and prepared/updated artifacts in support of ongoing authorization, changes to the system, and other event-driven changes that required updates to the accreditation package. Provided guidance to product teams on control implementation and remediation of findings from technical testing and manual assessment. Maintained system documents, including SSP, processes, plans, and ConOps, for 41 ATS portfolio applications using Jira. Worked cross-functionally to assess risk and help deliver countermeasures to protect organizational data and to solve or remediate security problems. Created a security program management and continuous monitoring plan for ATS. Created and implemented a security program management plan for ATS. Conducted self-assessments of separation of duties, need-to-know, and least privilege for ATS. Created the ATS portfolio ISCP and related test plan. Prepared and presented the quarterly security review to senior ATS leadership and other stakeholders. Created an audit artifact repository to satisfy PBC, FISMA, and FISCAM requests. Conducted weekly POA&M status meetings to stay abreast of the various applications' postures. Developed requirements for the ATS Security Requirements Traceability Matrix (SRTM). Assisted with the creation and development of external partner agreements. Aided the ISSO in responding to security incidents, which can derive from any number of internal and external sources.

Information Security Analyst, DigitalSpec, LLC
2018 - 2022

Served as the primary certifier, main liaison, and driving force for all A&A efforts, including ensuring ISSOs completed a FIPS-199, CPs, SSPs, and 800-53As, and personally delivering RAs, SARs, SAPs, SIAs, and ATO Letters. Responsible for all phases of A&A to ensure compliance and provide guidance on IT Security requirements to assigned stakeholders. Assisted in developing and executing the agency Assessment & Accreditation Program using IACS XACTA on a day-to-day basis. Advised the Government on new standards and made recommendations on new IT Security technologies to improve efficiencies. Performed Risk Analysis; created/revised cybersecurity policies for Information Assurance using the Risk Management Framework (RMF) amongst various divisions. Created a Security Accreditation Report (SAR); created a Plan of Action and Milestones (POA&M) based on results of vulnerability scans; revisited existing POA&Ms to determine appropriate milestones to remediate discovered vulnerabilities or findings. Advised new system development teams on Security Policies and Technical Standards; identified risks within systems to strengthen posture. Revised SOPs in accordance with Risk Management Framework (RMF) guidelines. Developed flowcharts for various steps inside the Risk Management Framework (RMF).

Junior ISSO, InquisIT, LLC
2016 - 2018

• Assisted with the development, analysis, and revision of system documentation for General Support Systems and Major Applications, including but not limited to Privacy Threshold Assessments, Contingency Plans, Security Assessment Reports, Plan of Action and Milestones lists, and System Security Plans
• Advised component personnel of requirements to remediate discovered vulnerabilities based on NIST
• Revisited existing POA&Ms to determine appropriate milestones to remediate discovered vulnerabilities or findings and aided in collecting artifacts, which resulted in closing over 90% of open POA&Ms
• Attended Change Configuration Board (CCB) meetings as a stakeholder
• Researched information security policies based on risk-mitigating technical solutions in order to develop System Impact Assessments

Education

Master of International Security, University of Denver
2008 - 2011
Degree in Political Science, University of Kansas
2000 - 2003

Certification

Total Certifications: 1

AWS CCP

AWS

2023 - 2025

Skills

Core skills: 0
Languages: 3

Languages

English
Russian
Spanish