Security Control Assessor

A3 Consulting is currently looking for a Mid-level Security Control Assessor who can conduct comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).

This position is located in Lorton, VA.

Clearance Required: Secret

Duties and Responsibilities:

  • Plan, develop, and conduct security examinations, interviews, and testing of management, operational, and technical controls. Analyze and assess results based on risk to client's information systems.
  • Participate in internal and external reviews, inspections, and audits to ensure compliance with federal laws and client's security policy.
  • Conduct risk assessments to identify and mitigate risk to IT systems, facilities, and critical assets.
  • Evaluate and assess network security configurations and recommend corrective actions to mitigate identified deficiencies.
  • Create Security Assessment Plans and Reports and deliver test results to system stakeholders. Provide expert security advice and recommendations to manage identified risks.

Required Qualifications:

  • Bachelor’s Degree
  • Basic-level understanding of computer and networking technologies:
    • Windows operating systems
    • Microsoft Azure
    • Networking technologies (routing, switching, VLANs, subnets, firewalls)
    • Common networking protocols (SSH, SMB, SMTP, FTP/SFTP, HTTP/HTTPS, DNS, etc.)
    • Common enterprise technologies (Active Directory, Group Policy, VMware vSphere)
  • Moderate-level understanding of IT security principles, technologies, best practices, and NIST guidance:
    • Logical Access Control
    • PKI and other encryption methods
    • DISA STIG security configuration baselines
    • Auditing
    • Vulnerability discovery and management
    • NIST SP 800-53 rev. 4 controls
  • Excellent communication skills. Ability to communicate with senior management and federal client staff, both technical and non-technical, in a clear and concise manner using proper spelling, punctuation, and grammar.
  • Knowledge of federal IT security laws such as the Federal Information Security Management Act (FISMA); policies, regulations, requirements, Executive Orders, and Presidential Decision Directives such as EO 13556, HSPD12, and OMB Memos M-06-16 and M-07-16; the NIST 800 series; and the federal IT security and incident reporting hierarchy.
  • Knowledge and experience with the Risk Management Framework (RMF), Assessment and Authorization (A&A), SSP Development, and conducting audits of security controls developments; and project management theory and techniques.
  • Knowledge and experience protecting the confidentiality, integrity, and availability of sensitive and critical information systems.
  • Ability to perform risk security controls assessments to identify and mitigate risk to IT systems, facilities and critical assets.
  • Knowledge and experience performing network security vulnerability assessments.
  • Knowledge and experience with all areas of the System Development Lifecycle (SDLC) of IT systems.

The above statements are intended to describe the general nature and level of work being performed by individuals assigned to this position. They are not designed to be an exhaustive list of all duties, responsibilities, and skills required of personnel so classified.

A3 offers competitive pay, great benefits, and a team-based company culture. A3 is devoted to people development and providing the opportunity for high achievers to grow professionally. As an employee, you are surrounded by intelligent, driven colleagues and have the benefit of a company culture that is focused on bringing out the best in everyone.

If you are interested in this opportunity or others we have open, please email your resume to