Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Free Cyber ServicesSecure by design Secure Our WorldShields UpReport A Cyber Issue

Cybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and ResilienceCybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and Resilience
CISA Logo

Search

 

America's Cyber Defense Agency
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
    CISA Conferences
    CISA Live!
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
  • About
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Site Links
    CISA GitHub
    CISA Central
    Contact Us
    Subscribe
    Transparency and Accountability
    Policies & Plans

Free Cyber ServicesSecure by design Secure Our WorldShields UpReport A Cyber Issue

Breadcrumb
  1. Home
  2. Careers At CISA
  3. Security Control Assessor
Share:

Careers

  • Benefits & Perks
  • HireVue Applicant Reasonable Accommodations Process
  • Hiring
  • Resume & Application Tips
  • Students & Recent Graduates
  • Veteran and Military Spouses

Security Control Assessor

CISA Security Control Assessor

This role conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).

Personnel performing this work role may unofficially or alternatively be called:

  • Information Assurance (IA) Compliance Analyst
  • Information Assurance (IA) Auditor
  • Certifying Agent/Authority
  • System Certifier
  • Controls Validator
  • IT Auditor
  • Assessor

Skill Community: Cybersecurity
Category: Securely Provision
Specialty Area: Risk Management
Work Role Code: 612

Core Tasks

  • Develop methods to monitor and measure risk, compliance, and assurance efforts. (T0072)
  • Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level. (T0079)
  • Draft statements of preliminary or residual security risks for system operation. (T0083)
  • Maintain information systems assurance and accreditation materials. (T0141)
  • Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements. (T0150)
  • Assess the effectiveness of security controls. (T0309)
  • Perform security reviews, identify gaps in security architecture, and develop a security risk management plan. (T0177)
  • Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy. (T0178)
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. (T0181)
  • Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks. (T0184)
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. (T0244)

Core Competencies

  • Information Assurance
  • Information Systems/Network Security
  • Information Technology Assessment
  • Legal, Government, and Jurisprudence
  • Risk Management
  • Systems Testing and Evaluation
  • Vulnerability Assessment

Core Knowledge

  • Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. (K0054)
  • Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). (K0044)
  • Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. (K0038)
  • Knowledge of the Security Assessment and Authorization process. (K0037)
  • Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). (K0049)
  • Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). (K0179)
  • Skill in discerning the protection needs (i.e., security controls) of information systems and networks. (S0034)
  • Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. (S0027)
  • Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. (K0267)
  • Knowledge of Risk Management Framework (RMF) requirements. (K0048)
  • Knowledge of organization's evaluation and validation requirements. (K0028)
  • Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. (K0013)
  • Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. (K0040)
  • Knowledge of penetration testing principles, tools, and techniques. (K0342)
  • Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). (K0070)

How To Apply

Join the Mission! CISA is always searching for talented and highly motivated professionals to continue our mission of securing the nation's critical infrastructure. CISA is more than a great place to work; our workforce tackles the risks and threats that matter most to the nation, our families and communities.

Please visit USAJOBS and/or the DHS Cybersecurity Service to view job announcements and apply to positions. Be sure to tailor your resume to the specific job announcement, attach relevant documents and complete all required assessments.

When applying for this cyber role, please review the information above and update your resume to align your experience with the listed competencies. Your resume must also show demonstrated IT-related experience in:

  • Attention to Detail
  • Customer Service
  • Oral Communication
  • Problem Solving

To receive email notifications when new CISA positions are announced, set up a "saved search" on USAJOBs with keyword "Cybersecurity and Infrastructure Security Agency."

Individuals eligible for special hiring authorities may also be considered during CISA's one-stop hiring events or by emailing Veterans@cisa.dhs.gov or Careers@cisa.dhs.gov.

APPLY NOW

Return to top
  • Topics
  • Spotlight
  • Resources & Tools
  • News & Events
  • Careers
  • About
Cybersecurity & Infrastructure Security Agency
  • Facebook
  • X
  • LinkedIn
  • YouTube
  • Instagram
  • RSS
CISA Central 1-844-Say-CISA SayCISA@cisa.dhs.gov
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
  • About CISA
  • Budget and Performance
  • DHS.gov
  • FOIA Requests
  • No FEAR Act
  • Office of Inspector General
  • Privacy Policy
  • Subscribe
  • The White House
  • USA.gov
  • Website Feedback