Cyber Defense Operations Lead

Location: US-VA-Quantico
ID: 2025-1346
Category: Information Technology
Position Type: Full-Time
Remote: No

Overview

Please note that this position is contingent upon contract award. This position may be located in Quantico, VA, Hanover, MD or Huntsville, AL.

The Contractor shall provide CDO support that includes administering the Data at Rest solution, analysis reports, forensic investigations, and trend reports. Analysis reports are conducted daily and cover the Security Information and Event Manager (SIEM), endpoint security, network access control, vulnerability scanners, and threat hunt operations. Analysis reports are produced daily covering activities that are used to depict current network security and any anomalous activity. Any anomalous activity is investigated by the Contractor and provided to the Government to vet, at least one to five a day. Forensic investigations are required throughout the year.

Responsibilities

Additional support shall include:

  • Produce monthly cyber trends analysis report.
  • Wireless scans, analysis, and reporting are required quarterly.
  • Coordinates and tracks data spills.
  • Analyze impact of cyber warning intelligence and AS&W.
  • Develop tailored countermeasures to address identified threats and prevent or mitigate potential cyber event impacts to DCSA.
  • Update and maintain the SOPs for Security Operations Center (SOC) functions annually.
  • Develop and maintain a dashboard(s) or tracking technology to track the Action Officer, status, and compliance of orders and directives including, but not limited to, Tasking Orders (TASKORDs), Fragmentary Orders (FRAGOs), and Operation Orders (OPORDs) to display on the EC3 SOC video wall. This dashboard or tracking technology will have feeds into the integrated dashboard.
  • Develop, maintain, and leverage system default dashboard (s) to provide real-time status of CDO monitoring tools and executive-level views for daily and weekly briefs on the EC3 SOC video wall. This dashboard or tracking technology shall have feeds into the integrated dashboard.
  • Develop, maintain, and provide a daily morning brief and an end-of-day brief to provide current cyber security posture, issuance of directives, cyber events, and compliance status.
  • Develop, maintain, and provide a weekly brief that captures all of the cyber events with metrics and trends.
  • Provide trend analysis and reports on CDO activity such as higher echelon Directives, log/monitoring reports from SIEM alerts, incident status, trouble ticket status, and firewall and web proxy metrics (CDRL A00013).
  • Document and track incidents (currently via SharePoint and OneNote) in accordance with the reporting procedure and archive historical CDO data.
  • Submit and track all service tickets submitted on behalf of CDO internally and to external organizations.
  • Obtain and maintain accounts from external DOD agencies on NIPRNET, SIPRNET, and JWICS in order to receive reports from multiple sources to incorporate CDO briefs and distribute to stakeholders.
  • Maintain situational awareness on cyber incidents and activity with the appropriate DOD partners (e.g., CSSP, USCYBERCOM, NSA, etc.) via various tools and reporting mechanisms (e.g., NTOC, CENTAUR, CMRS, JIMS, Acropolis) on all enclaves (NIPRNET, SIPRNET, and JWICS).
  • Review and determine if external reports, orders, and directives are applicable to DCSA enclaves and execute response actions as required.
  • Track and coordinate all tasks, cyber events, external assessments, tickets, and all other applicable actions with the agency’s Cyber Security Service Provider.
  • Research, identify, and verify new Advanced Persistent Threat Tactics, Techniques, and Procedures (TTP) from commercial and Government sources and provide recommendations in order to strengthen the overall DCSA cyber security posture.
  • Develop, update, and manage the existing DCSA CDO collaborative SharePoint site and coordinate operations, maintain libraries, briefs, and training.
  • Provide existing weekly, monthly, and ad-hoc reports as required.
  • Provide weekly status reports on all relevant events affecting DCSA networks.
  • Configure and administer the SIEM (Splunk); provide advanced expertise to maximize the capabilities of the SIEM through monitoring the health of SIEM connections, data feeds and storage capacities for audit purpose.
  • Provide detection methods and relevant log analysis for abnormalities, attacker pattern, and behaviors.
  • Furnish methods of collection, logging, filtering, and tuning of baselining data.
  • Design and configure data alerting and summarization within SIEM and implement meaningful dashboards and reports.
  • Collect and keep audit data to support technical analysis relating to misuse, penetration, or other incidents involving IT under DCSA purview.
  • Document the technical details of suspected network incidents to support incident response and reporting requirements.
  • Provide Impact Reports on all incidents, followed by an After Action Report (CDRLs A00018 and A00019).
  • Analyze impact of firewall configurations. Analyze data logs to include but not limited to servers, end point security, firewalls, web proxy, and infrastructure devices.
  • Identify violations of internet access by reviewing web content filtering logs in accordance with DCSA policy, DoD policy, and CDO SOPs.
  • Develop and maintain SOPs for cyber analysis.
  • Perform trend analysis of cyber events to identify potential problem areas.
  • Make recommendations for systemic, policy or procedural changes in order to mitigate specific risks.
  • Support cyber reporting on all cyber events.
  • Analyze ESS data to determine potential threats.
  • Analyze ESS data to determine unauthorized systems.
  • Analyze ESS to determine infected systems.
  • Analyze ESS data to identify systems with unauthorized software and hardware.
  • Analyze ESS data to determine unauthorized system changes.
  • Develop and maintain SOP for ESS Continuous Monitoring.
  • Develop and maintain forensic SOPs for conducting forensic investigations in accordance with DoD and DCSA directives and legal requirements.
  • Conduct computer forensic analysis with current software, tools, and systems in accordance with applicable DoD directives and CJCM 6510.
  • Acquire and preserve a forensic image of data from system hard disk drives and volatile memory, to include but not limited to documents, images, email, webmail, Internet artifacts, web history and cache, HTML page reconstruction, chat sessions, compressed files, backup files, encrypted files, RAIDs, system files, executables, and scripts, on workstations, laptops, servers, VDIs, external mass storage, and smartphones and tablets.
  • Create a forensic exact binary duplicate of the original system or media utilizing EnCase Forensic (or similar) tool.
  • Daily, review user activity discovered by CDO network monitoring tools.
  • Develop lists of indicators and triggers of insider threat activity.
  • Develop and maintain SOPs and guides outlining the thresholds for referrals to DCSA Insider Threat Working Group.
  • Analyze user activity data from CDO tools to determine which indicators or triggers can be applied.
  • Determine thresholds for user activity that would require referral to DCSA Insider Threat Working Group.
  • Analyze user activity data from CDO tools to determine if thresholds for user activity have been met that would require further investigation.
  • Create SOPs and guides for intrusion assessments.
  • Perform trend analysis of intrusion assessments and report results to identify potential problem areas.
  • Make recommendations for systemic, policy or procedural changes in order to mitigate vulnerabilities found.
  • Execute Intrusion Assessment Plan as required.
  • Execute Threat Hunting activities.
  • Collaborate with the Counter Intelligence organization to compile cyber Threat Intelligence.

Qualifications

  • Bachelor's degree from an accredited university/college
  • Must have and maintain an active DoD Top Secret/SCI level clearance
  • Minimum 7 years of experience in a similar role
  • Required to meet DoDM 8140/DoDM 8570.01-M IAT Level III requirements prior to onboarding
  • CSSP-Manager is preferred
  • Forensics - additional certification: EnCase Certified Examiner (preferred); shall hold at minimum the Forescout administrator certification at time of award

Pay Range

USD $175,000.00 - USD $200,000.00 /Yr.

EEO

PCI Federal Services (PCIFS) and its subsidiaries are an equal-opportunity employer. PCIFS does not discriminate on the basis of age, sex, race, national origin, religion, marital status, sexual orientation or identity, Veterans or Disability status.

Preference may be extended to qualified Native American Indian candidates in accordance with applicable federal law.
