JCIP ACAS Technical Reviewer (TS/SCI w/Polygraph required) - Washington, DC

Rosslyn, Virginia


Employer: Deloitte
Industry: Risk Management and Governance
Salary: Competitive
Job type: Full-Time

Do you enjoy problem solving? Are you able to see the big picture and think critically to assess a situation? Are you passionate about aiding Government and Public Services (GPS) organizations in preparing for and overcoming the challenges they face? If so, Deloitte could be the place for you! Join our Strategic Risk team and help our clients identify, understand, and prepare for their largest mission risks. If you seek a role that offers you the opportunity to advise government organizations on complex issues, challenges you to think both analytically and strategically, and lets you develop personally and professionally, consider a career in Deloitte Risk & Financial Advisory's Strategic Risk practice.

Work You'll Do:

JCIP Technical Reviewers play a pivotal role in evaluating the cybersecurity posture of enterprise environments across the Intelligence Community (IC). They conduct comprehensive assessments through detailed analysis of vulnerability scans to ensure compliance with Intelligence Community Directives (ICDs), IC Technical Implementation Guides (TIGs), Security Technical Implementation Guides (STIGs), Security Requirement Guides (SRGs), and NIST 800-53 rev 5 security controls. Utilizing automated tools, including Tenable and Splunk, these professionals perform documentation reviews and employ checklists and guides to write reports and develop a qualitative risk assessment of target organizations. Their assessments examine the mission owners' critical capabilities and the mission impact if operations lack the security protections needed to defend their cyber infrastructure and mitigate high-risk vulnerabilities to the enterprise. Beyond inspection duties, Technical Reviewers contribute to maturing organizational processes, training initiatives, and program-wide support through cross-functional collaboration.

JCIP Reviewers are integral to conducting inspections of environments across the Intelligence Community (IC). They are responsible for:
  • Interacting with leadership and site technical staff in advance of conducting inspections to facilitate scoping, data to support security controls assessment input, and execution of operational inspection plans.
  • Interviewing organizational subject matter experts while completing STIG, TIG, SRG, and IC policy checklists.
  • Collecting data in support of reviewing a comprehensive Threat Informed Critical Controls List (TICCL); providing written input on the review of required security controls, potential vulnerability exploitation, and how MITRE ATT&CK® techniques are plausibly successful based on organizational weaknesses; and ensuring inputs link back to security controls.
  • Participating in the planning, execution, and reporting of security audits and network vulnerability assessments with minimal supervision.
  • Assisting in the preparation of assessment deliverables: Security Risk Assessment input, compliance data, STIG data, etc.
  • Communicating the impact of vulnerabilities verbally, through presentations, and in written deliverables.
  • Planning, executing, and reporting on information technology, privacy, and operational reviews to identify mission, privacy, security, compliance, information technology, and regulatory risks.
  • Being familiar with a variety of cybersecurity concepts, practices, and procedures, and relying on extensive experience and judgment to plan and accomplish goals.

The ACAS Reviewer functions as the critical asset responsible for the collection of scan data for an inspection. Day-to-day responsibilities are to conduct ACAS reviews using the DISA ACAS Best Practice Guide (BPG) and IC CIO 2018-051 Vulnerability Management TIG checklists. This involves coordination with multiple organizations and the reviewer staff.

The ACAS reviewer is responsible for the following during an inspection:
  • Working with system administrators to verify scan policies and run scans.
  • Troubleshooting coverage challenges across multiple technologies during a vulnerability assessment, including Windows servers, network devices (routers and switches from vendors such as Cisco, Juniper, Palo Alto, and others), Windows workstations, Windows virtual environments, host-based security (McAfee and others), and other technologies as the program matures and expands its technology repertoire.
  • Obtaining system-specific scans from site personnel, including vulnerability, audit, and port scans, to be utilized for sampling during an inspection.
  • Consolidating reports on an organization's enterprise. Reports from the scanning tool should include, at a minimum, technology-specific findings, most vulnerable systems, technical summaries of vulnerabilities, plug-in names, severities, and patch status.
  • Validating correct scanning configurations.
  • Conducting interviews.
  • Conducting compliance scans (using SCAP with Nessus audit files).
  • Completing and developing checklists.
  • Conducting open port scans at each organization.
  • Providing input to written reports on compliance and associated risks.
  • Coordinating with the purple team and cyber threat emulation activities.
  • Advanced writing skills; experience in coordinating multiple viewpoints into a cohesive document.
  • Attention to detail is an imperative skill for success.
  • Experience with DISA STIGs and the STIG Viewer tool.

The Team:

Deloitte's Government and Public Services (GPS) practice, our people, ideas, technology and outcomes, is designed for impact. Serving federal, state, and local government clients as well as public higher education institutions, our team of more than 15,000 professionals brings fresh perspective to help clients anticipate disruption, reimagine the possible, and fulfill their mission promise.

Our Strategic Risk practice is comprised of sharp analytical thinkers who are adept at complex problem solving and risk management. Our practitioners are committed to our clients' missions and bring diverse life experiences, skillsets, and creative approaches to work every day to help our clients achieve mission success. Our practitioners are also experienced in collaborating with teams from across our organization in order to bring the full breadth of Deloitte, its commercial and public sector experience, to best support our clients.

Qualifications:

Required:
  • A minimum of a Bachelor's degree is required.
  • At least five (5) years of experience in system administration, specifically with ACAS platforms such as Tenable, Nessus, and Qualys.
  • A minimum of ten (10) years of experience in Cyber/Information Assurance, with a comprehensive understanding of cybersecurity disciplines including but not limited to the Risk Management Framework, DevSecOps, and cybersecurity engineering.
  • Must be legally authorized to work in the United States without the need for employer sponsorship, now or at any time in the future.
  • Active TS/SCI with Polygraph security clearance required.
  • Ability to travel up to 5% on average, based on the work you do and the clients and industries/sectors you serve.
  • Possess a DOD 8570 IAT III level certification such as: Security+ CE, CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH, CCSOP, CISM, GSLC, CCISO.
#DS&J

#LI-MC4

Information for applicants with a need for accommodation: https://www2.deloitte.com/us/en/pages/careers/articles/join-deloitte-assistance-for-disabled-applicants.html

Recruiting tips

From developing a stand-out resume to putting your best foot forward in the interview, we want you to feel prepared and confident as you explore opportunities at Deloitte. Check out recruiting tips from Deloitte recruiters.

Benefits

At Deloitte, we know that great people make a great organization. We value our people and offer employees a broad range of benefits. Learn more about what working at Deloitte can mean for you.

Our people and culture

Our diverse, equitable, and inclusive culture empowers our people to be who they are, contribute their unique perspectives, and make a difference individually and collectively. It enables us to leverage different ideas and perspectives, and bring more creativity and innovation to help solve our clients' most complex challenges. This makes Deloitte one of the most rewarding places to work. Learn more about our inclusive culture.

Our purpose

Deloitte's purpose is to make an impact that matters for our clients, our people, and in our communities. We are creating trust and confidence in a more equitable society. At Deloitte, purpose is synonymous with how we work every day. It defines who we are. We are focusing our collective efforts to advance sustainability, equity, and trust that come to life through our core commitments. Learn more about Deloitte's purpose, commitments, and impact.

Professional development

From entry-level employees to senior leaders, we believe there's always room to learn. We offer opportunities to build new skills, take on leadership opportunities and connect and grow through mentorship. From on-the-job learning experiences to formal development programs, our professionals have a variety of opportunities to continue to grow throughout their career.

Created: 2024-06-06
Reference: 185734
Country: United States
State: Virginia
City: Rosslyn