An accomplished IT professional with 3 years of experience in the Risk Management Framework (Compliance) and getting systems through the ATO process. A detail-oriented cyber security professional with excellent communication skills and the ability to prioritize tasks. A self-motivated analyst with experience collaborating with multiple teams, both technical and non-technical. Strong hands-on experience in developing and updating Assessment and Authorization packages such as SSP, SAR, and POA&M. An excellent team member who is highly knowledgeable in FISMA compliance.
- Implemented Risk Management Framework (RMF) in accordance with NIST SP 800-37
- Implemented security measures, procedures, and recommendations to comply with NIST, FISMA, and organization-defined policies/guidelines and technical best practices.
- Participated in the development and maintenance of SSP and Contingency plans, IR plans, and other security documentation for assigned systems.
- Prepared System Security checklist, PTA, PIA, E-Authentication, ISAs as part of ATO process.
- Developed POA&Ms for identified vulnerabilities and ensured compliance through periodic reviews and updates.
- Worked with teams to update POA&M milestones and to manage and close POA&Ms.
- Developed a variety of Assessment and Authorization deliverables including SSP, SAR, Contingency Plan (CP) and POA&M for review and approval by Authorizing Official.
- Supported security control assessments to ensure all controls meet security requirements as stipulated in the SSP and NIST 800-53r4.
- Maintained inventory of all software and hardware devices, list of ports, protocols, and services.
- Worked with other ISSOs to ensure the team achieves its milestones and goals.
- Developed waivers and exceptions for information system vulnerabilities that could not be remediated within policy timelines.
- Documented security control implementation statements to ensure control implementations are in line with NIST requirements in NIST SP 800-53 Rev. 4, Appendix F.
- Conducted security impact assessments for all changes before they were presented at the change board meeting.
- Reviewed logs for assigned systems weekly or as needed to track malicious activity and monitor privileged user activity.
- Reviewed and updated system documentation as part of continuous monitoring.
- Conducted yearly exercises to test CP and IR plans and to train users on CP and IR roles.
- Conducted quarterly internal audits on all accounts to ensure accounts created follow account management policies and that inactive accounts are identified and deactivated.
- Reviewed weekly vulnerability and compliance scans and worked with teams to prioritize, track, and remediate any findings.
- Presented weekly status of ongoing projects to technical and non-technical audiences.
- Log review using Splunk
- Vulnerability scanning tool: Nessus
- Software: MS Office (Word, Excel, Access, PowerPoint, Outlook)
- Experience creating and managing POA&Ms
- Experience using CSAM, XACTA
- Hands-on experience in the NIST 800 series
- Knowledge of ports, protocols, and services
- Experience in change management
- Experience in FISMA and FedRAMP systems