Supply Chain Risk Management Subject Matter Expert


The Supply Chain Risk Management (SCRM) Subject Matter Expert (SME) provides comprehensive support to the ARTF's Risk Mitigation Cell in support of its mission requirement to develop risk mitigation recommendations that inform DIA procurement and deployment decisions. The SME develops risk mitigation plans for ICT systems based on risk assessments provided by the Rapid Assessment Cell; assesses the severity of supply chain risk affecting the information system and its environment of operation and recommends corrective actions to address identified vulnerabilities; provides specific risk mitigation recommendations on how to correct weaknesses or deficiencies and address identified vulnerabilities; and produces and presents risk mitigation briefings. The SME also supports weekly collection of ARTF internal process metrics in accordance with ARTF operating procedures.


Requires knowledge of a full range of the concepts, principles, and practices of cybersecurity and information assurance as they relate to assessing weaknesses of systems and their vulnerability to supply chain exploitation. Ten (10) or more years of cumulative specialized experience in the information technology field. At least five (5) years' experience in the Information Assurance / Security Assessor role, with experience in the following:

  • A working knowledge of, and experience performing, assessments under frameworks such as ICD 503/RMF, NIST (800-36, 800-53, 800-53A), DIACAP, and DCID 6/3.
  • Conducting comprehensive assessments of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls.
  • Providing assessments for the severity of weaknesses or deficiencies discovered in the information system and its environment of operation, and recommending corrective actions to address identified vulnerabilities.
  • Preparing the final security assessment reports articulating results & findings from the assessment; Developing Plan of Action and Milestones (POA&M) containing corrective actions.
  • Conducting assessments of IT security plans to help ensure that the plan provides a set of security controls for the information system that meet the stated security requirements.
  • Providing specific recommendations on how to correct weaknesses or deficiencies and address identified vulnerabilities.
  • Assessing the effectiveness of the security controls based on the documentation submitted in the Security Authorization Package and making a recommendation to the AO regarding whether or not to authorize the system. Testing the security controls documented in the Requirements Traceability Matrix (RTM) to ensure they have been implemented properly and are operating as intended.
  • Implementing a Continuous Monitoring strategy (per ICD 5016) appropriate for systems, leveraging existing tools, efforts, and incorporating new automation techniques.
  • Preparing a System Security Plan (SSP) and Security Assessment Report (SAR); developing test plans, and executing and assessing the security controls within the test plans.