most effective, efficient, and economical manner possible. We also seek to deter, identify and address fraud, abuse, mismanagement, and waste of taxpayer funds invested in Homeland Security.
The OIG, specifically the Office of Innovation (OIN), Cybersecurity Risk Assessment (CRA) Division, conducts IT security assessments of DHS’ component information technology systems to ensure computer resources are implemented according to applicable policies, standards, and procedures, which in turn ensure their availability, integrity, authentication, confidentiality, and non-repudiation. As IT evolves, so do the threats to data security, individual privacy, and the continued operation of the Federal Government’s IT assets.
Qualifications
• Minimum of 10 years of experience in the assigned task areas, and familiarity with IT security assessment standards and methodologies.
• Bachelor’s degree, or higher, in Cybersecurity or a related field preferred.
• Minimum of five (5) years in a Senior Subject Matter Expert role, applying subject matter knowledge to directly related technical assessments in order to perform the assessment, analysis, and documentation of results. A senior IT SME should also be able to resolve problems that require intimate knowledge of the related technical subject matter.
• Certifications in the task topics are preferred.
• Experience with advanced IT testing methodologies and a wide range of IT technologies.
• Familiarity with Federal policy requirements for information systems, including Office of Management and Budget (OMB) Circulars, National Institute of Standards and Technology Special Publications (NIST SP), Presidential Orders, Federal Information Processing Standards (FIPS), and the Risk Management Framework (RMF) process.
• Strong customer service skills and team building skills, and the ability to collaborate within a cross-functional team.
• Ability to research and resolve problems efficiently and accurately with knowledge and experience of IT assessments.
• Ability to perform detail-oriented tasks independently.
• Excellent written and verbal communication skills.
• Experience providing project briefs to senior management and executives.
Experience with:
- Tenable Nessus SecurityCenter/Professional/Expert
- Trustwave DbProtect/AppDetectivePro
- Burp Suite Professional
- SpecterOps BloodHound
- Fortify Static Code Analyzer
Secret clearance is required
Location: The majority of work described in this SOW shall be done at DHS OIG HQ (395 E St. SW), or at approved personnel telework locations. Additionally, technical assessments are conducted at DHS Component sites, mostly located near the Washington, D.C. area, but also throughout the Continental United States.
Anticipated start date: 8/31/2023; duration: 5 yrs
Tasks:
Security Information and Event Management (SIEM) Subject Matter Expertise
A SIEM collects and correlates audit trails (audit logs): security-relevant chronological records, sets of records, or destinations and sources of records that provide documentary evidence of the sequence of activities that have affected, at any time, a specific operation, procedure, or event. The Contractor shall provide expertise in audit and event logging methodologies, protocols, and technologies to archive, organize, and alert on trends in logs, as well as an understanding of the different types and sources of logs, such as network, hardware, operating system, application, and event logs. The Contractor shall also understand the different outcomes that can be derived from event monitoring and analysis, such as user and asset behavior analysis and incident response via Security Orchestration, Automation, and Response (SOAR).
Expert knowledge and skills required for security information and event management include, but are not limited to:
• Technologies used to generate, collect, secure, and analyze logs such as, but not limited to, Splunk, IBM Security QRadar SIEM, McAfee Enterprise Security Manager, and SolarWinds Security Event Manager.
• Federal government requirements and industry best practices for log retention.
• Cryptographic log integrity mechanisms such as hash chaining, digital signatures, and blockchain-style append-only ledgers.
• Log retention, management, and visibility technologies such as dashboards.
• Technologies used to read logs, transfer logs, and ingest them into dashboards or other analytical tools.
• Understanding of log retention and use by third parties such as cloud service providers.
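As an added illustration of the log-integrity mechanism named above (this code is not part of the SOW), the following Python builds an HMAC-keyed hash chain over audit records: every record binds the digest of its predecessor, and the head digest is published out of band (for example to the SIEM) as an anchor. Editing, reordering, or silently deleting a record then fails verification. The key, the sample events, and the anchor handling are constructed for the example; in a real deployment the key would live in an HSM or KMS, not beside the log.

```python
"""Hash-chained audit log: each record binds the previous record's digest,
so modifying, reordering, or deleting an entry breaks the chain."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: in practice this lives in an HSM/KMS, not beside the log.
KEY = b"demo-log-integrity-key"
GENESIS = "0" * 64  # digest "before" the first record


def _digest(prev: str, seq: int, ts: str, msg: str) -> str:
    # Canonical JSON so field order cannot be abused to produce two encodings.
    body = json.dumps({"prev": prev, "seq": seq, "ts": ts, "msg": msg},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def append(log: list, ts: str, msg: str) -> dict:
    """Append one record whose digest covers the previous record's digest."""
    prev = log[-1]["hash"] if log else GENESIS
    rec = {"seq": len(log), "ts": ts, "msg": msg, "prev": prev}
    rec["hash"] = _digest(prev, rec["seq"], ts, msg)
    log.append(rec)
    return rec


def verify(log: list, anchor: Optional[str] = None) -> str:
    """Return 'ok', 'tampered at <seq>' for the first broken record, or
    'truncated' when the chain is internally consistent but its head does
    not match the anchor (last digest) that was stored outside the log."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return f"tampered at {i}"
        expected = _digest(prev, i, rec["ts"], rec["msg"])
        if not hmac.compare_digest(rec["hash"], expected):
            return f"tampered at {i}"
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        return "truncated"
    return "ok"


def demo() -> dict:
    # Constructed sample events, not real telemetry.
    log = []
    append(log, "2023-08-31T12:00:00Z", "user=alice action=login result=success")
    append(log, "2023-08-31T12:01:10Z", "user=alice action=sudo cmd=/bin/bash")
    append(log, "2023-08-31T12:02:45Z", "user=alice action=read file=/etc/shadow")
    anchor = log[-1]["hash"]  # published out of band, e.g. forwarded to the SIEM
    results = {"clean": verify(log, anchor)}

    edited = [dict(r) for r in log]  # attacker rewrites the privileged command
    edited[1]["msg"] = "user=alice action=sudo cmd=/bin/ls"
    results["edited"] = verify(edited, anchor)

    trimmed = log[:-1]  # attacker deletes the most recent record
    results["trimmed"] = verify(trimmed, anchor)

    reordered = [log[0], log[2], log[1]]  # attacker reorders the sequence
    results["reordered"] = verify(reordered, anchor)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

Without the external anchor, deleting records from the tail is undetectable, because the shortened chain is still internally consistent; that is why the head digest must be exported to a system the log writer cannot modify.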
Cloud Security, Configuration, and Expertise
The Contractor shall provide expertise and knowledge in cloud service models, administration, maintenance, configuration, and security, in order to assess the implementation for security weaknesses. The Contractor shall also be expert in current government cloud administration requirements and best practices.
Expert knowledge and skills required for cloud security expertise include, but are not limited to:
• Cloud service technologies such as Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service, and their various services, capabilities, and security requirements.
• Authentication and authorization of users, services, and applications between cloud instances and on-premises assets.
• Government requirements and best practices, such as CISA’s Cloud Security Technical Reference Architecture, and the Authority to Operate (ATO) requirements set forth by FedRAMP.
• Security weaknesses in configuration, administration, or documentation related to cloud administration.
• Understanding of Cloud Service Provider (CSP) security capabilities and internal reporting that can be leveraged for assessment activities.
Operating System & Application Expertise
The Contractor shall provide expertise and knowledge in the operation, administration, maintenance, configuration, and security of “non-Microsoft Windows” operating systems and applications, including Unix, Linux, Apple (macOS and iOS), Google Android, and associated variants, in order to assess the implementation for security weaknesses.
Expert knowledge and skills required for “non-Microsoft Windows” expertise (Unix, Linux, Apple macOS and iOS, Google Android, and associated variants) include, but are not limited to:
• Administration, configuration, maintenance, and security aspects of operating systems and applications.
• Security assessment methodologies and methods of attacking the operating systems and applications.
Network Security Subject Matter Expertise & Assessment Capabilities
The Contractor shall provide expertise in wired and wireless network communication protocols, topologies, security, implementation, devices, and attack methods and preventative controls. The Contractor shall provide deliverables relating to network-specific tasks which include an executive summary, findings and analysis, criteria, applicable best practices, and recommendations.
Expert knowledge and skills required for network security subject matter expertise and assessment include, but are not limited to:
• Knowledge of network security architecture concepts including principles, topology, protocols, components, and security. For example, but not limited to, knowledge of Domain Name System (DNS) protections such as employing encrypted DNS, and identifying the encryption mechanisms in use, such as certificates.
• Knowledge of network topologies and segmentation to secure applications and segments of the network, and of technologies that facilitate the management, monitoring, and security of connections, such as Zscaler.
• Knowledge of applicable assessment methodologies and software to inspect network security and compliance with applicable standards, best practices, administrative practices, and protocol and encryption use.
• Ability to perform network traffic analyses to identify unusual and unauthorized traffic.
• Expert understanding of the implementation requirements of Public Key Infrastructure (PKI), its implementation methods and security, and the assessment of applicable controls. For example, but not limited to, the Contractor shall be able to identify issues with PKI certificates that secure network traffic (expired or soon-to-expire certificates, weak keys or signature algorithms, untrusted issuers, and hostname or Subject Alternative Name mismatches).
• Knowledge of network-based parameters to identify users, assets, and resources.
• Knowledge of network-based data gathering capabilities such as asset enumeration.
• Knowledge of network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary.
• Understanding of network traffic logging mechanisms and identification of trends and anomalies.
Identity, Credential, and Access Management (ICAM) Expertise and Assessment Capabilities
The Contractor shall provide expertise in Identity, Credential, and Access Management (ICAM) frameworks and principles, implementation, security, and administrative management technologies, such as Microsoft Active Directory (AD), in order to identify and assess potential weaknesses and vulnerabilities. The Contractor shall provide deliverables for ICAM- and AD-specific tasks to include, but not limited to, an executive summary, findings and analysis, criteria, applicable best practices, and recommendations.
Expert knowledge and skills required for ICAM and AD security subject matter expertise and assessment include but are not limited to:
• Knowledge of ICAM security architecture concepts including frameworks and principles, implementation, security, and administrative technologies, such as Microsoft Active Directory.
• Knowledge of identity and access security concepts such as the use of multiple authentication signals (for example, from both the device and the user) as inputs to authorization decisions.
• Expert understanding of NIST Special Publication 800-53 access controls implementation (e.g., account management, access enforcement, least privilege, separation of duties, etc.)
• Knowledge in determining appropriate user, group, and service account permissions and compliance to applicable policy and best practices.
• Knowledge of identity and access management centralization and integration concepts such as single sign-on and attacks on this type of integration, such as Golden Ticket attacks; services and technologies that facilitate this type of access, such as Okta; and expert understanding of deployment choices such as enforcing multi-factor authentication at the application layer rather than only at the network layer.
• Knowledge of phishing-resistant multi-factor authentication (MFA) technologies and solutions enforced at network and application security layers.
• Expert understanding of ICAM attack frameworks such as MITRE ATT&CK, and of attack paths and weaknesses such as DCSync, DCShadow, Kerberoasting, AS-REP Roasting, brute force, and password spraying.
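The attack names listed above each leave a recognizable trace in the Windows Security log. As an added example (not part of the SOW), the Python below runs detection logic over constructed event records shaped like the EventData of the relevant event IDs: Kerberoasting as one account requesting RC4-HMAC (0x17) service tickets for several distinct SPNs (Event ID 4769), AS-REP Roasting as a TGT request with Pre-Authentication Type 0 (4768), DCSync as a non-domain-controller principal exercising the DS-Replication-Get-Changes extended rights (4662), and password spraying as one source address failing Kerberos pre-authentication with a bad password (4771, status 0x18) against many accounts. The thresholds, account names, addresses, and events are assumptions made for the example.

```python
"""Detection logic for DCSync, Kerberoasting, AS-REP Roasting and password
spraying over constructed Windows Security event records (dicts shaped like
the EventData of 4768/4769/4662/4771). All sample data is synthetic."""
from collections import defaultdict

RC4_HMAC = "0x17"               # ticket encryption type targeted by Kerberoasting
DS_REPL_GUIDS = {               # extended rights a DCSync caller must hold
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
KERBEROAST_MIN_SPNS = 3         # distinct RC4 service tickets by one user (assumed)
SPRAY_MIN_ACCOUNTS = 5          # distinct accounts failing from one IP (assumed)


def is_computer(name: str) -> bool:
    """Computer and DC accounts end in '$'; they replicate and request tickets legitimately."""
    return name.endswith("$")


def detect(events, dcsync_allow=frozenset()):
    """Return (rule, principal-or-source, detail) tuples for each suspicious pattern."""
    findings = []
    rc4_tgs = defaultdict(set)  # user -> SPNs requested with RC4
    spray = defaultdict(set)    # source IP -> accounts with bad-password failures
    for e in events:
        eid = e["EventID"]
        if (eid == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not is_computer(e["ServiceName"]) and e["ServiceName"] != "krbtgt"):
            rc4_tgs[e["TargetUserName"]].add(e["ServiceName"])
        elif eid == 4768 and e["PreAuthType"] == "0" and not is_computer(e["TargetUserName"]):
            findings.append(("AS-REP Roasting", e["TargetUserName"], e["IpAddress"]))
        elif (eid == 4662 and DS_REPL_GUIDS & set(e["Properties"])
                and not is_computer(e["SubjectUserName"])
                and e["SubjectUserName"] not in dcsync_allow):
            findings.append(("DCSync", e["SubjectUserName"], e["ObjectName"]))
        elif eid == 4771 and e["Status"] == "0x18":
            spray[e["IpAddress"]].add(e["TargetUserName"])
    for user, spns in rc4_tgs.items():
        if len(spns) >= KERBEROAST_MIN_SPNS:
            findings.append(("Kerberoasting", user, ",".join(sorted(spns))))
    for ip, accounts in spray.items():
        if len(accounts) >= SPRAY_MIN_ACCOUNTS:
            findings.append(("Password Spraying", ip, f"{len(accounts)} accounts"))
    return findings


def sample_events():
    """Constructed records: benign traffic mixed with one instance of each attack."""
    ev = [
        {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "HTTP/web01",
         "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},      # AES ticket, benign
        {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2",
         "IpAddress": "10.0.0.21"},                                       # normal pre-auth
        {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
         "IpAddress": "10.0.0.5"},                                        # no pre-auth required
        {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectName": "DC=corp,DC=example",
         "Properties": sorted(DS_REPL_GUIDS)},                            # real DC replicating
        {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example",
         "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},         # user pulling secrets
        {"EventID": 4771, "TargetUserName": "zed", "Status": "0x18",
         "IpAddress": "10.0.0.7"},                                        # one typo, benign
    ]
    for spn in ("MSSQLSvc/db01", "HTTP/web01", "CIFS/fs01"):               # RC4 tickets, 3 SPNs
        ev.append({"EventID": 4769, "TargetUserName": "alice", "ServiceName": spn,
                   "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.33"})
    for i in range(5):                                                      # one IP, 5 accounts
        ev.append({"EventID": 4771, "TargetUserName": f"user{i}", "Status": "0x18",
                   "IpAddress": "10.0.0.9"})
    return ev


def demo():
    return detect(sample_events())


if __name__ == "__main__":
    for rule, who, detail in demo():
        print(f"{rule:17s} {who:12s} {detail}")
```

Two caveats an assessor should carry into a real environment: legitimate replication services (for example directory synchronization connectors) also hold the DS-Replication rights, so they belong in the `dcsync_allow` set rather than in the findings; and a single RC4 service ticket is often just a legacy service, which is why the Kerberoasting rule keys on many distinct SPNs from one account rather than on encryption type alone.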
Penetration testing
The Contractor shall provide internal and/or external security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, and/or network, according to the security assessment scope and testing requirements. Results of these penetration tests will assess the effectiveness of the information security controls implemented and measure how well systems, technologies, and applications are protected when subjected to cyber-attack. In general, the penetration test will help determine:
• The complexity of attacks required to exploit and compromise the technology assets;
• Whether the target’s defenses are effective in preventing cyber-attacks; and
• The processes activated by the target to react to events.
Deliverables for Penetration Testing include, but are not limited to:
• Rules of Engagement (ROE) document containing the type and scope of testing and documented authorization by the appropriate Contractor, OIG, and DHS Component officials. This deliverable will also outline specifics such as analysis of law and legal considerations, hardware and software used to conduct the assessments, target assets selected for review, and client contact details.
• Threat model of the target architecture to identify, quantify, and address security risks before penetration testing activities begin.
• Penetration Test Report that includes an executive summary, a contextualized walkthrough of technical risks, the potential impact of vulnerabilities found, proof of exploitation, and vulnerability remediation options.
• Post-assessment after-action items documenting any discussion items needed with the target about activities taken, assets or information modified, or other observations noted during the assessment.
These deliverables shall be indexed to sufficient and appropriate evidence and reviewed by government officials for approval.
Expert-level knowledge and skills required for Penetration Testing include, but are not limited to:
• Penetration testing tools
• Information gathering and reconnaissance
• Network, system, and web application enumeration
• System and application security threats and vulnerabilities
• Social engineering and Open-Source Intelligence (OSINT) gathering techniques
• Significant experience conducting Red Team assessments, and knowledge of the phases of ethical hacking
• Significant experience attempting to exploit potential vulnerabilities and gain unauthorized access using various techniques
• Escalating privileges to super-user or domain administrator and pivoting further into the network
• Intrusion Detection and Prevention