Job Closed
This listing is no longer active.
Staff DevSecOps Engineer
Location
All locations: California | New Jersey | Maryland | Missouri | South Carolina
Posted
110 days ago
Salary
$166K - $200K / year
Seniority
Lead
Job Description
Staff DevSecOps Engineer
Alto
- Define and lead the DevSecOps vision and roadmap across infrastructure, application, and CI/CD ecosystems.
- Architect secure-by-design cloud-native systems across AWS/GCP environments.
- Establish security patterns, guardrails, and reference architectures for engineering teams.
- Evaluate and implement modern security tooling across SAST, DAST, SCA, container scanning, IaC scanning, and runtime protection.
- Embed security controls into CI/CD pipelines and developer workflows.
- Drive infrastructure-as-code security best practices (Terraform, CloudFormation, etc.).
- Automate security testing and compliance checks to reduce manual overhead.
- Implement policy-as-code and automated governance controls.
- Lead identity and access management (IAM) strategy and least-privilege enforcement.
- Strengthen container and Kubernetes security posture.
- Oversee secrets management, encryption standards, and key management processes.
- Partner with infrastructure teams on network segmentation, zero-trust architectures, and environment isolation.
- Support and mature Alto’s security program in alignment with HIPAA, SOC 2, HITRUST, and other healthcare regulatory frameworks.
- Conduct threat modeling, security design reviews, and architecture risk assessments.
- Partner with Security and Compliance teams on audits and remediation efforts.
- Provide senior-level leadership during security incidents, including root cause analysis and long-term mitigation planning.
- Mentor senior and mid-level engineers on secure coding and DevSecOps practices.
- Influence engineering leadership and executive stakeholders on security strategy and risk prioritization.
- Drive cross-functional alignment across Engineering, Product, IT, and Compliance.
- Raise the overall security maturity of the organization through scalable frameworks and standards.
Job Requirements
- 14+ years of experience in software engineering, infrastructure engineering, or security engineering, with significant experience in DevSecOps environments
- Deep expertise in cloud security architecture (AWS and/or GCP)
- Strong experience securing containerized and Kubernetes-based environments
- Hands-on experience with CI/CD systems (GitHub Actions, GitLab CI, CircleCI, Jenkins, etc.)
- Expertise in infrastructure-as-code (Terraform, CloudFormation) and securing IaC pipelines
- Strong knowledge of application security principles, OWASP Top 10, and secure coding practices
- Experience implementing and scaling SAST, DAST, SCA, container scanning, and secrets detection tools
- Deep understanding of IAM, RBAC, zero-trust models, and encryption best practices
- Experience operating in regulated environments (HIPAA, SOC 2, HITRUST, PCI, etc.)
- Strong scripting or programming skills (Python, Go, Ruby, or similar)
- Demonstrated ability to influence architectural decisions at a Staff or Principal level
- Experience in healthcare, pharmacy, fintech, or other highly regulated industries (preferred)
- Experience building DevSecOps programs from early-stage to scale (preferred)
- Background in site reliability engineering (SRE) or platform engineering (preferred)
- Security certifications such as CISSP, CISM, CCSP, or cloud security certifications (AWS/GCP) (preferred)
- Experience implementing threat modeling frameworks (STRIDE, PASTA, etc.) (preferred)
- Experience with observability platforms and integrating security telemetry into monitoring systems (preferred)
Benefits
- dental, vision, and multiple group medical plans to choose from
- a 401(k) retirement savings plan
- group life insurance
- accidental death and dismemberment (AD&D) insurance
- flexible spending account (FSA) and health savings account (HSA)
- commuter benefits
- employer-paid short-term (STD) and long-term disability (LTD) insurance
- additional supplemental insurance plans (spouse life insurance, legal insurance, an employee assistance program, home health testing kits, and a fertility medication discount program)
- flexible vacation time
- accrued paid sick time
- 10 paid holidays
- 2 floating holidays for full time non-exempt employees
- eight weeks of paid parental leave for eligible employees
- additional paid weeks for the birthing parent
- 4 weeks paid caregiver leave
- a Lifestyle Spending Account allowance each month
More Security Operations Jobs
Senior ISSO/Security Operations Lead
Simple Technology Solutions
8(a) HUBZone IT consultancy w/ advanced partnerships w/ Amazon Web Services, Microsoft Azure & Google Cloud Platform
- Serve as the technical authority for CMASS IV security operations and authorization support
- Lead ongoing authorization (OA/cATO), continuous monitoring execution, RMF artifact quality, and compliance alignment with DHS and USCIS security requirements
- Designated Key Personnel due to its critical role in operational security execution and audit readiness
- Lead continuous monitoring and OA/cATO execution across USCIS systems
- Oversee development and maintenance of SSPs, SAPs, SARs, POA&Ms, and supporting evidence
- Ensure control validation and security posture consistency across supported directorates
- Coordinate with system owners, Authorizing Officials (AOs), ISSOs, and engineering teams
- Ensure alignment with DHS 4300A, ISPP, and USCIS security policies
- Support audits, assessments, and leadership briefings related to security posture
SecOps Engineer – North Central region
GuidePoint Security
Founded in 2011 and headquartered in Herndon, Virginia, GuidePoint Security furnishes commercial and federal organizations with customized information security
- Ability to autonomously prioritize and successfully deliver across a portfolio of projects.
- Learn and keep up with current cyber threats, attack methodology, active campaigns, and detection techniques using a wide variety of capabilities and sources (GOTS, COTS, and Open Source).
- Understand and utilize cyber threat intelligence sources.
- Familiarity with key security events on common IT platforms.
- Experience authoring security runbooks, policy, and best practice documentation.
- Preferred experience in the areas of SecOps, Security Analytics, SIEM/SOAR, etc.
- Proficiency in developing log ingestion and aggregation strategies.
- Expertise developing security-focused content for one or more SIEM platforms (Splunk, CrowdStrike NG-SIEM, Elastic Security or Palo Alto XSIAM), including creation of complex threat detection logic and operational dashboards.
- Understand and articulate complex technical information to both technical and non-technical audiences.
- Demonstrated experience in the identification and assessment of the relevance and effectiveness of signatures and indicators of compromise based on intelligence.
- Experience developing and providing regular and ad hoc briefs, documents, diagrams and other products.
SecOps Observability Engineer
GuidePoint Security
Founded in 2011 and headquartered in Herndon, Virginia, GuidePoint Security furnishes commercial and federal organizations with customized information security
- Provide trusted cybersecurity expertise, solutions and services that help organizations make better decisions and minimize risk.
- Evaluate security posture and ecosystems.
- Optimize resources and integrate best-fit solutions that mitigate risk.
Cyber Security Operations Center (CSOC) Analyst – Tier 3
athenahealth
We provide network-enabled services, mobile apps, and data-driven insights to hospitals and medical organizations.
- Understand that as the Tier 3 (highest level) engineer, you’re expected to handle potential incidents and act as a subject matter expert for all security-related tickets that come into the team's various queues (including triage, containment, and remediation when necessary).
- Receive incident escalations from Tier 1 and 2 analysts, assisting with real-time advanced analysis, response, and reporting.
- Mentor and assist in training Tier 1 and 2 analysts to aid in their skills development and analytical capabilities.
- Proactively hunt for threats and enact identification, containment, and eradication measures while supporting recovery efforts.
- Serve as a point person for coordination with appropriate parties during a security incident – client, management, legal, security, operations, etc.
- Create thorough reports and documentation of all incidents and procedures, presenting findings to team and leadership on a routine basis.
- Incident Response: remote remediation when possible and working with onsite teams when necessary.
- Detailed documentation of events and remediation steps taken.
- Root Cause Analysis: initiation and follow-through to ensure quality forensic materials are captured, writing reports with details and timelines of events with recommendations to avoid future occurrences.
- Assist in the general maintenance and improvement of procedures, processes and playbooks.
- Conduct research regarding the latest methods, tools, and trends in digital forensics analysis.
- Conduct analysis using logs, previous alerts, etc. to identify trends and prevent potential incidents.
- Follow standard operating procedures (SOPs) to ensure tickets are triaged appropriately and in a timely manner, according to SLAs.
- Excel at documentation and detailed notetaking, including SOP writing, incident reporting, e-mail and instant messaging etiquette, and most importantly, documenting incident actions in tickets.
- This role is responsible for completing incident reports and forensic reports, when appropriate, so competent writing skills are necessary.
- Ability to know when to appropriately escalate a potential issue to peers and/or leadership.
- Desire to learn new concepts and technologies to grow and take on more responsibility over time.
- Ability to communicate risk, prioritize incident response actions, and keep a cool head under pressure.
- Advanced experience with security tools like Splunk, CrowdStrike EDR, Carbon Black EDR, Proofpoint tools, Microsoft Defender components, Cyberhaven DLP, Axiom Cyber and open-source forensic tools, Cylance Protect, Office 365 tools, PowerShell, and various network tools, etc.
- Understanding the various stages of incident response, the importance and critical factors of an investigation, and how to contain as soon as possible.
- Have experience with the incident response lifecycle, the Lockheed Martin Cyber Kill Chain, the MITRE framework, and the forensic workflows as outlined by NIST.
- Work with development teams to ensure they're using best practices and company processes in their daily activities.
- Drive self-organization; help determine how the team functions in collaboration with your peers.
- Build strong relationships with cross-functional team members between the three tiers of the CSOC.
- Participate in off-hours on-call incident handler rotation, which is a requirement for this role, as incidents may be escalated outside of normal business hours by our 24/7/365 Tier 2 team. Tier 3 teammates rotate on-call responsibilities, which requires each teammate to be formally on-call roughly one week a month.



