
Elvis Tuffour

Woodbridge, VA

Summary

Information Technology professional with eleven (11) years of experience developing and implementing information security solutions in fast-paced environments. In-depth knowledge of Security and Privacy Control Assessment, Risk Management Framework (RMF), security principles, concepts, policies, and regulations. Possesses a solid ability to identify risks in information systems and work collaboratively with system engineers and administrators to resolve security weaknesses. Detail-oriented and deadline-driven, with strong organizational and planning skills and the ability to interface with all personnel hierarchies.

Overview

12 years of professional experience
1 Certification

Work History

Cloud Security Engineer

Dine Development Corporation
07.2025 - Current
  • Prepare and maintain comprehensive Risk Management Framework (RMF) documentation to obtain and sustain Authority to Operate (ATO) for DoDIN systems across NIPRNet and SIPRNet environments.
  • Collaborate with cross-functional teams to enhance mainframe security posture and drive continuous improvement of enterprise cybersecurity programs.
  • Ensure all assets within classified and unclassified environments are securely configured and hardened in accordance with the latest DoD Security Technical Implementation Guides (STIGs).
  • Conduct vulnerability assessments using Nessus and ACAS (Tenable) to identify, analyze, and mitigate system vulnerabilities.
  • Review and interpret vulnerability scan results, coordinate remediation activities with system administrators, and track closure of identified findings.
  • Develop and maintain DoDIN network architecture diagrams and system inventories for both classified and unclassified systems to support accreditation and operational awareness.
  • Create, update, and manage System Security Plans (SSPs) that document system configurations, control implementations, and security boundaries.
  • Create and manage Plans of Action and Milestones (POA&Ms) within eMASS to track and resolve identified security weaknesses and ensure timely remediation.

Principal ISSO

Steampunk, Inc.
04.2023 - 04.2025
  • Implement the RMF steps in accordance with NIST SP 800-37 and oversee Information System Continuous Monitoring (ISCM) activities per NIST SP 800-137 to maintain ongoing authorization and risk visibility.
  • Ensure systems maintain an appropriate operational security posture consistent with organizational policies and mission requirements.
  • Develop, review, and update POA&Ms within CSAM, tracking remediation efforts and validating closure of identified vulnerabilities.
  • Ensure adherence to cybersecurity policies, verify implementation of required security and privacy controls, and coordinate with system owners to mitigate residual risks.
  • Develop and maintain SSPs in alignment with NIST SP 800-18, documenting control implementations, system boundaries, and interconnections.
  • Review and assess FedRAMP-authorized systems against the Customer Responsibility Matrix (CRM) to validate inherited and shared security controls.
  • Conduct Security Impact Analyses (SIAs) as part of the change management process to evaluate and document potential impacts of proposed changes to system security and privacy posture.
  • Lead and coordinate security and privacy control assessments following NIST and FISMA requirements to ensure control effectiveness and compliance.
  • Develop, review, and maintain comprehensive security and privacy documentation across all RMF phases, including: Digital Identity Risk Assessment (DIRA), Section 508 Assessment, Risk Assessment Report (RAR), POA&M Report, FIPS-199 Categorization, Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), System of Records Notice (SORN).

Information Assurance Specialist

Resource Management Concepts
12.2021 - 03.2023
  • Implement and manage RMF Assessment and Authorization (A&A) packages for Navy DoDIN systems, including both NIPRNet and SIPRNet environments.
  • Ensure all assets within classified and unclassified networks comply with the latest DISA STIGs.
  • Conduct vulnerability scans and assessments using tools such as Nessus and ACAS (Tenable).
  • Review and interpret vulnerability scan reports by effectively identifying and prioritizing security risks.
  • Create and maintain network architecture diagrams to support accreditation and operational visibility.
  • Maintain accurate and up-to-date system inventories in accordance with DoD policy.
  • Develop, update, and manage System Security Plans (SSPs).
  • Maintain records of personnel cybersecurity training compliance and certification requirements to support audit readiness.

Information System Security Officer (ISSO)

Jacobs Technology Inc.
06.2019 - 11.2021
  • Implement the NIST RMF in accordance with NIST SP 800-37, and conduct continuous monitoring activities following NIST SP 800-137.
  • Ensure compliance with cybersecurity policies, verifying that required security and privacy controls are properly implemented and maintained across assigned systems.
  • Develop, update, and manage SSPs using NIST SP 800-18 as a guide.
  • Analyze and interpret vulnerability scan reports from Nessus, WebInspect, and DBProtect, coordinating with system administrators to remediate findings.
  • Conduct Security Impact Analyses (SIAs) as part of the change management process, assessing potential impact on security and privacy.
  • Lead and support security and privacy control assessments using NIST SP 800-53A as a guide to verify control implementation and effectiveness.
  • Develop and maintain key security documentation throughout all RMF phases, including: Security Assessment Report (SAR), Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), FIPS-199 Categorization, Risk Assessment Report (RAR), E-Authentication.
  • Perform risk analyses to identify appropriate security safeguards and countermeasures, ensuring effective risk mitigation and continuous compliance.

Cyber Security Analyst

SkyTech Consulting LLC.
06.2015 - 05.2019
  • Perform System Security Categorizations in accordance with FIPS 199 and NIST SP 800-60, determining impact levels for Confidentiality, Integrity, and Availability (CIA).
  • Conduct security and privacy control assessments using interviews, document reviews, and technical testing in alignment with NIST SP 800-53A.
  • Review vulnerability scans from Nessus, DBProtect, Netsparker, and WebInspect, and coordinate remediation of findings to strengthen system security posture.
  • Analyze and validate Assessment & Authorization (A&A) documentation, including SSPs, Contingency Plans, Incident Response Plans (IRP), and POA&Ms for accuracy and completeness.
  • Lead kickoff and status meetings with system stakeholders to define assessment scope and expectations.
  • Develop Security Assessment Reports (SARs) summarizing findings, risk levels, and actionable recommendations to support system authorization decisions.
  • Ensure adherence to Configuration Management (CM) processes to prevent unauthorized changes.
  • Provide written and verbal reports to stakeholders, communicating assessment outcomes, remediation priorities, and compliance recommendations.

SOC Analyst

Sanford Medical Center
06.2014 - 06.2015
  • Perform incident triage and analysis, assessing accuracy, scope, urgency, and impact to guide timely and effective response actions.
  • Conduct network monitoring and intrusion detection using CND tools to identify and mitigate threats, malware, and unauthorized activity.
  • Collaborate with firewall, engineering, and system administration teams to analyze event data, assess risk, and coordinate remediation efforts.
  • Lead and coordinate incident response activities, ensuring rapid containment, investigation, and recovery from cybersecurity events.
  • Analyze security event data and threat intelligence to detect attack indicators and strengthen organizational defenses.
  • Prepare detailed incident and executive reports, tracking trends and identifying opportunities for improved detection and prevention.
  • Maintain and update Standard Operating Procedures (SOPs) and ensure quality assurance across all incident documentation and reporting.

Education

Master of Science -

North Dakota State University
Fargo, ND
05.2017

Skills

  • Active Directory, ServiceNow
  • JIRA, Confluence, Azure DevOps, DevSecOps
  • BMC Remedy, Rally, DIAMOND, VRAM
  • IDS, IPS, Splunk, DOSP, Kiteworks, IPA
  • Cloud: Google Cloud, Azure, AWS, Salesforce, etc.
  • Scan Tools: WebInspect, DBProtect, Netsparker, Veracode, Nessus, ACAS
  • GRC Tools: eMASS, CSAM
  • Federal Information Processing Standards (FIPS)
  • NIST Special Publication 800 series, Endpoint Security

Security Clearance

  • Top Secret
  • Public Trust

Certification

  • Certified Information Systems Security Professional (CISSP)
  • Date of completion: 2023-01-26
  • Certification #: 701479


  • Certified Cloud Security Professional (CCSP)
  • Date of completion: 2024-09-24
  • Certification #: 701479


  • Certified in Governance, Risk and Compliance (CGRC)
  • Date of completion: 2019-04-10
  • Certification #: 701479


  • CompTIA Security+ CE
  • Date of completion: 2019-12-21
  • Certification #: COMP001021608753


  • Certified Information Security Manager (CISM)
  • Date of completion: 2021-07-30
  • Certification #: CISM-2161622


  • Certified Data Privacy Solution Engineer (CDPSE)
  • Date of completion: 2021-04-26
  • Certification #: CDPSE-2118077
