
(652) Senior Security Control Assessor
Company Summary
Arlo Solutions (Arlo) is an information technology consulting services company that specializes in delivering technology solutions. Our reputation reflects the high quality of the talented Arlo Solutions team and the consultants working in partnership with our customers. Our mission is to understand and meet the needs of both our customers and consultants by delivering quality, value-added solutions. Our solutions are designed and managed to not only reduce costs, but to improve business processes, accelerate response time, improve services to end-users, and give our customers a competitive edge, now and into the future.
Position Overview
The Department of War’s (DoW) Office of the Undersecretary of War for Acquisition and Sustainment (OUSW (A&S)) is at the forefront of supporting the DoW with the adoption of innovative technologies such as data, analytics, and artificial intelligence to help accelerate predictions, forecasts, and interpretations for both strategic and tactical decisions across the enterprise. These ground-breaking endeavors bring new challenges to the assessment of DoW IT systems that did not previously exist.
The Security Control Assessor (SCA) plays a pivotal role in comprehensively understanding the cybersecurity posture of a given capability within OUSW (A&S). SCAs must go beyond a compliance-only focus on controls to articulate the inherent risks of systems. Success in this position requires expertise in governing policy and standards such as the NIST 800 series, DoW 8500.01, DoW 8140.03, ISO 27001, COBIT, DoW RMF, and Operation Vulcan Logic (OVL), along with current cybersecurity best practices.
The Senior SCA provides authoritative risk determinations and recommendations critical for the Authorizing Official (AO) to grant an Authority to Operate (ATO). These assessments integrate technical rigor with regulatory compliance, ensuring a robust security posture and informing strategic decision-making.
Work Location: Full time On-site (Mark Center, DMV)
Clearance: Top Secret with SCI eligibility
Job Responsibilities
- Provide the AO with an independent risk assessment of assigned systems in support of their authorization.
- Advise Program Managers on AO determination utilizing OVL documentation.
- Provide senior advisory support to OUSW (A&S) AO regarding authorizations of OUSW (A&S) capabilities.
- Utilize expert knowledge and experience regarding risk management strategies in support of a major DoW program.
- Provide support regarding agile authorization and OVL processes.
- Provide independent risk analysis and recommendation.
- Collaborate between the AO and the program as well as Program leadership.
- Identify the security baseline based on the mission and security impacts to the system.
- Determine assessment criteria, develop, review, and create a plan to assess the security requirements.
- Assess the security requirements in accordance with the assessment procedures defined in the Security Assessment Plan (SAP).
- Prepare the Security Assessment Report (SAR).
- Monitor POA&M actions based on findings and reassess remediated risk(s) as appropriate.
- Develop the Risk Recommendation and AO Determination Brief.
- Develop a system-level continuous monitoring strategy.
- Author and present briefs regarding status of authorizations to AO and other senior Government officials.
- Provide security architecture and engineering-informed assessment support, validating system design, authorization boundaries, data flows, trust zones, and external interfaces (ISAs).
- Perform threat-informed risk analysis, including attack surface evaluation, adversary actions, and mission impact assessment to support AO risk decisions.
- Validate that security controls are properly implemented within system architecture and engineering design, not solely documented for compliance.
- Assess implementation of Zero Trust principles, identity, credential, and access management (ICAM), and encryption solutions in alignment with DoW cybersecurity requirements.
- Evaluate DevSecOps pipelines and CI/CD environments, including control gate validation, automated testing (SAST/DAST), and software supply chain risk considerations.
- Assess cloud-based architectures (IaaS, PaaS, SaaS) for compliance with shared responsibility models, data protection requirements, and boundary enforcement.
- Validate effectiveness of Continuous Monitoring (ConMon) implementations, including telemetry integration (SIEM, endpoint tools), vulnerability management, and control effectiveness tracking.
- Perform assessment of Security Impact Analyses (SIA) for system changes, technology refresh, and new capability integration to determine impact on authorization posture.
- Ensure assessment results clearly distinguish between:
  - Control implementation effectiveness
  - Systemic design or architecture weaknesses
- Provide actionable, engineering-informed recommendations to improve system security posture and reduce mission risk.
- Perform other duties as assigned or required.
Success Factors
- Have a strong background in Information System Security Manager (ISSM) duties, risk management, and governance, risk and compliance (GRC).
- Demonstrated ability to perform engineering-informed assessments, bridging cybersecurity compliance with system design and architecture validation.
- Strong client focus and commitment to continuous improvement, ability to proactively network and establish relationships.
- Manage multiple priorities in a high-paced and fast-changing environment.
- Experience supporting and assessing risks within a CI/CD DevSecOps environment, including data mesh, orchestration, control gate validation, and pipeline security.
- Expansive knowledge integrating IaaS, PaaS, and SaaS offerings into government cloud environments, including compute, storage, networking, cross-domain solutions, and secure data transfer.
- Experience assessing STIGs, Cloud Compliance Guides, shared responsibility models, and system mission owner responsibilities within Government Cloud environments.
- Strong understanding of system security architecture, including authorization boundaries, trust zones, and data flow analysis.
- Expert understanding of NIST 800 series guidelines, DoW 8500.01, DoW 8140.03, ISO 27001, COBIT, DoW RMF, OVL, and current cybersecurity best practices.
- Ability to translate technical findings into clear, defensible risk narratives for AO decision-making.
- Excellent communication/presentation skills briefing senior military and government civilian leadership.
- Experienced with writing policies, guides, and procedures.
- Experience hands-on with eMASS, Xacta, and/or other GRC tools.
- Experience with Federal and FedRAMP A&A Processes.
- Experienced and comfortable advising at the Senior Executive Service (SES) level of customers.
Education and Minimum Qualification
- Must have an active Top Secret clearance with SCI eligibility.
- Bachelor’s degree in computer science, information technology, or a related field (master’s degree preferred), or at least 10 years of related experience.
- At least 10 years of cybersecurity experience including a senior technical or management role; Project or Program Management experience is a plus.
- At least one IAT/IAM or equivalent security certification (e.g., CISSP, CCSP, CISM, CISA, or CASP).
AAP Statement
We are proud to be an Affirmative Action and Equal Opportunity Employer and as such, we evaluate qualified candidates in full consideration without regard to race, color, religion, sex, sexual orientation, gender identity, marital status, national origin, age, disability status, protected veteran status, and any other protected status.