Richard Martinez

• Reduced risk of cyber attacks by conducting quarterly vulnerability assessments.
• Conducted security 2 audits to identify vulnerabilities and prepare for Authorization To Operate (ATO) submission..
• Performed monthly risk analyses to identify appropriate security countermeasures.
• Improved incident response times by developing and maintaining cybersecurity playbooks and Standard Operating Procedures for common attack scenarios.
• Optimized security monitoring processes by implementing automated tools for real-time threat detection, analysis and notification.
• Recommend improvements in security systems and procedures.
• Conducted regular security risk assessments, enabling proactive identification and mitigation of potential threats.
• Skilled at working independently and collaboratively in team environment.
• Excellent communication skills, both verbal and written.

• Manage organizational resources (time, money, personnel, etc.) to support security goals and policies. Primarily 3 direct reports, budgets and secure storage areas.
• Create and execute strategies to improve reliability and security of IT projects. Utilize hardening procedures on 30 stand alone systems.
• Define, implement, and maintain DoD classified security policies and procedures.
• Spearhead vulnerability audits, vulnerability remediation, forensic investigations, and mitigation procedures
• Manage diverse team of 2 Information System Security Officers (ISSO) and 1 System Administrator. Also advised 3 security Engineers and 2 analysts, and IT professionals
• Advise leadership ( Immediate Manager and Security Site Director on organization's cybersecurity status
• Assess, test, and select new security products and technologies as needed such as authentication devices, storage and logging devices and Intrusion detection firewalls.

• Provided security services to many areas within DoD while employed by Booz Allen Hamilton
• Assigned to provide Security Engineering support and Compliance direction for the Navy RDT&E environment of the Space and Naval Information Warfare Center Pacific (NIWC-PAC) PEO C4I Program
• Primarily provided Assessment and Accreditation support to Autonomous Vehicle Program Office (PMS-406) is working on developing afloat systems for various military missions
• Was instrumental in providing security engineering support for autonomous ship development, as well as ensuring that new and existing systems comply with DoD A&A certification
• Some systems required more stringent controls for National Security Systems (NSS) and Cross Domain Solutions
• Most current responsibilities included providing Cyber Security leadership to PMW 160 Piers Communication Systems
• Piers systems are used to allow Navy assets (ships) to connect to DoD networks while docked pier side at several locations globally
• Responsible to ensure that Piers systems remain compliant with active Authorization To Operate
• Insured that annual reviews are conducted as well as reviewing and tracking baseline lab systems for applying patches and updates in accordance with IAVA issued for relevant devices
• Engaged in developing and completing RMF accreditation packages for Piers systems
• Led IPT meetings as necessary to engage Piers production personnel as well as Piers Engineering to provide Cyber support
• Solicit engineering and management for help in completing A&A packages
• Integral in development lifecycle to ensure that final product is cyber hardened against malicious intent and compliant with all DoD directives, EXORDS and FRAGORDS
• Some activities include authoring and reviewing initial system requirements, security plans, test plans and relevant cyber security diagrams
• Responsible for creating documents and artifacts necessary for supporting accreditation, cyber controls and Piers procedures
• Must interface with partner developers to ensure that adherence to DoD RMF controls and Navy accreditation process while providing periodic status to Piers APM and overall PMW 160 PM
• Led the program to conduct an SDTE Project for a Piers demonstration with AT&T regarding 5G wireless capability
• Acquired Conditional Requests to provide Authorization to Operate while full RMF process is being completed
• Installed and Configured DISA HBSS for Relevant Classified systems, and directed team members in performing updates and configuration changes as necessary
• Provide Circuit Connection support for Piers systems approval by DISA for DoD connections
• Some projects can be described verbally on request

• Analyze Certification and Accreditation (C&A) documentation to support Navy Certification Authority in determining overall system risk for systems going through Navy DoD Information Assurance Certification and Accreditation Process (DIACAP)/ Risk Management Framework (RMF)
• Provide subject matter expertise regarding DIACAP/RMF documentation and certification evidence of programs, sites, and users
• Provide risk assessment critiques and evaluations relative to NIST 800-30
• Understand DoD 8500.2 IA controls and common vulnerabilities and exposures (CVE)
• Provide Test & Evaluation procedures in accordance with DISA guidelines and provide documentation to stakeholders and government entities using risk assessment reports
• Provide Security Engineering support and Compliance direction for Navy systems
• Specifically, NIWC-PAC PEO C4I PMW 150 Program
• Command and Control Program Office provides operational and tactical command and control capabilities by integrating real-time and near real-time representations of tactical situations while including targeting support, chemical-biological warnings and logistics support for Navy, Marine Corps, and joint coalition war fighters
• Responsibilities include: Lead IA personnel assigned to program teams including NIWC Systems Center Atlantic (NIWC-LANT) and NIWC-PAC in providing day to day cyber operations and Accreditation processes
• Perform risk analysis efforts, system testing using DISA STIGS and industry automated scanning tools with thorough working knowledge of Navy A&A and IA guidance documents, messages, and instructions
• Ensure all components of systems and applications are fully supported and configured according to DoD standards
• This included web servers such as IIS, Apache and iPlanet
• Open source software and database applications such as SQL, MySQL, Oracle, Jira and MongoDB
• Maintain and analyze Information Assurance Vulnerability Management Process (IAVM) and FISMA requirements
• Provide expertise in information security and IA, to include hands on experience using security tools, penetration testing, and current/emerging threats in vulnerability/exploit community
• Technically analyze system vulnerabilities, related vendor patches and workarounds, and overall effectiveness of technical mitigations that may be put in place to reduce attack surfaces, threat vectors, or related impact of any given vulnerability

• Assigned to provide Security Engineering support and Compliance direction for Navy systems
• Specifically Space and Naval Warfare Systems Command (SPAWAR) PEO C4I Program Management Warfare, Communications and GPS Navigation Program Office
• Provided security engineering support for various Navy projects as well as ensuring that new and existing systems comply with DoD A&A certification and stringent controls for National Security Systems (NSS)
• Some activities include authoring and reviewing initial system requirements, security plan, test planning and cyber security diagrams depicting Enclaves, Platforms, accreditation boundaries and encryption products
• Would often interface with partner developers such as Massachusetts Institute of Technology (MIT) Lincoln Labs and MITRE Corporation to ensure critical security controls and compliance is achieved before integration with Navy functional systems
• Some coordination and interfacing with National Security Agency is necessary to acquire endorsement of encryption products or as assets in gaining recommendations to implement encryption devices
• Some projects can be described verbally on request

Act as Information Assurance Engineer for various projects as needed to support Security Engineering process

• Various Business Areas, request engineers to meet LM Policy for project development
• IA Engineers from Corporate Information Security are assigned to projects and ensure all security aspects maintain security controls for protection of LM information assets
• This includes ensuring adequate security is in place at each milestone of the development lifecycle, including Scoping, Requirements creation, Design, Requirements Testing, Threat Modeling the system using MITRE ATT&CK as well as other tools, Security Attestation and O&M
• Another major responsibility includes being one of main corporate contacts for non-windows operating systems, including Red Hat Linux, Various UNIX vendors and MAC OSX
• This includes development of Security Blueprints, used for configuring various non-windows OS’s to provide secure environment baseline before use within LM or attachment to LMI
• Following are current projects / programs assignments while at Lockheed Martin
• Primary Information Assurance Engineer and Technical POC for LM Computer Incident Response Team Cyber Intelligence Forensic Analysis tool called Mandiant Intelligent Response (MIR)
• This included all aspects of acquiring and deploying Mandiant application for aggregating and analyzing data from different sources and providing security analysis report
• This included Controller and Console configuration as well as distributing agents across all LM Business Areas and entire LM Enterprise (150K Windows hosts)
• MIR is part of LM-CIRT strategy for detecting and eradicating zero day threats
• Provide information to LM-CIRT in detection and eradication of malware and APT intrusions across LM Enterprise utilizing Mandiant Application
• This includes development of indicators, scheduling of jobs, analysis of retrieved data and reporting to management
• MIR is component of LM-CIRT Security Operations Center (SOC) where it resided for real time situational awareness of incidents that needed to be tracked and documented
• Primary Information Assurance Engineer assigned to LM Assured Identity Program
• Assured Identity Program is huge undertaking including many subcomponents that together provides non-reputable credentials that prove that strictly identifies individuals
• Some subcomponents that I reviewed for security compliance include; non-employee database, smart card provisioning, Public Key Infrastructure, LM Directory Service, and Physical Access Integration
• Primary function within this realm is to ensure that each component is secure, so that entire programs will be secure
• Some activities include, Requirements Review, Design Review and approval, Interface connection design review and approval, component scans and vulnerability remediation, security design recommendations and ensuring LM and CertiPath policy compliance

• Was permanently hired by Lockheed Martin CO after working 4 months as contractor
• Responsibilities included to provide independent Security Risk Assessments (SRA) to wide variety of systems owned by various Lockheed Martin business units
• Manage each assessment as independent project and utilize Lockheed Martin (LM) SRA Methodology to efficiently and accurately determine security strength and vulnerabilities of LM systems
• Some tasks that have been assigned include: Assess risk levels of LM systems utilizing LM SRA methodology, including boundary definition, document data criticality, briefing LM SRA methodology to customers, analyzing security controls, reviewing vulnerability scan reports, determining vulnerabilities, calculating risk levels and generating final reports for submission and approval
• Reviewing draft security Policies and Standards to ensure well defined standards and will aid in fulfilling EIS SD&I/IIS mission
• Help to train and educate customers in regard to LM SRA methodology, corporate security policies and Corporate Information Protection Manual (CIPM)
• Provide suggestion for improvement of LM SRA process to help enhance or streamline tasks making each assessor more efficient
• Help to train new members of Assessment team in learning LM SRA methodology as well as corporate policies and security best practices

• Provide independent Security Risk Assessments (SRA) to a wide variety of systems owned by various Lockheed Martin business units
• Manage each assessment as an independent project and utilize the Lockheed Martin (LM) SRA Methodology to efficiently and accurately determine the security strength and vulnerabilities of LM systems

• Responsibilities remain same as when working for Alumni Consulting (See Below)
• Was hired permanent basis after working as a subcontractor for 6 months
• Besides those listed below, some of tasks that I have been assigned, include: Consulting for determination of logical boundaries for new major applications and General support systems for planning on how to proceed with C&A activities
• Validating documented vulnerabilities that have been correctly mitigated or completely fixed by system owners
• Conduct assistance visit to various State field offices and provide them with report on security weaknesses and suggestions for improvement
• Provide C&A training to affected personnel on C&A processes, federal laws, Technical, Operational and Managerial security controls
• Encrypted data and erected firewalls to protect confidential information.

• Provide consultation and skills to the Department of the Interior (DOI) Bureau of Land Management (BLM) in conducting Certification and Accreditation of General Services Systems as well as Major Applications to meet Federal Laws
• This includes helping the system owners to ensure that security controls are implemented and effective for data types that are stored, processed or transported within the BLM enterprise
• Some of these tasks include: Helping the system owners to complete a yearly self-assessment following NIST guidance (SP800-26) to determine areas that are deficient and address those deficiencies through the use of a Plan of Action and Milestones (POA&M)
• Also to aid the system owner in identifying data types, associated risks and countermeasures to insure the Confidentiality, Integrity and Availability of information
• In order to accomplish this, Risk assessments are performed to assess the strength and effectiveness of Management, Operational and Technical controls
• Vulnerability scanning is performed utilizing various automated tools such as Nessus, Saint, MBSA, Kismet and Johntheripper
• Some of the tasks that have been completed or that have been accomplished include: C&A tasks and documentation for the BLM Colorado state office, field offices, Denver Federal Center and several Major applications within the BLM Land and Resource Project Office
• Vulnerability scanning utilizing automated tools as it pertains to C&A activities or at the request of a GSS or Major Application owner or Information Technology Security Manager
• Validation of Technical findings, once vulnerability scans have been completed
• This is to minimize the number of false positives that are handed to the System owner
• Review of previous C&A documents and activities to determine if needed to be updated, or if any of C&A steps need to be re-conducted to bring them into compliance using NIST and DOI guidance
• Helping to define and implement more efficient processes to improve the accuracy and turnaround time as well as make the C&A experience easier for the system owners, and less expensive for the BLM

• Ensure that Raytheon Polar Services Infrastructure meets or exceeds security standards set by Raytheon Corporate as well as Standards defined by the Sponsor (National Science Foundation)
• The NSF is a government entity and must meet FISMA, HIPAA and FIPS directives on the storage and transport of information
• Primary duties include Information Assurance mechanisms such as Intrusion detection, Incident Response, vulnerability assessments, Patch Management, Security Consulting and forensics analysis
• While working at Raytheon, I established the following capabilities within RPSC: I initiated a project for establishing a Network based Intrusion Detection system for monitoring and defending against malicious activity within the RPSC network
• This will be a combination of 24X7 support of an outsourced vendor as well as an upgrade of existing Checkpoint Firewall software to include the Smart Defense module
• I initiated and deployed an automated log monitor tool for primary machines that are external facing to the public Internet
• This tool was an interim step for monitoring activity on our most vulnerable machines, until some commercial host based IDS could be purchased and deployed
• I initiated a project for establishing an incident response program for the RPSC and its remote stations
• This will include, Team Formation, Incident vs Event identification, Communication and Command procedures, Initial Triage, forensics and interfacing with appropriate NSF, Raytheon and Law Enforcement agencies
• Member of the Network Change Control Board, serving as advisor on security issues pertaining to changes made (change management) within the RPSC Network infrastructure
• Performed Certification and Accreditation activities for Major Applications within Raytheon Polar Services
• These were conducted using NIST and Raytheon guidance to help the application owner answer NIST SP800-26 self-assessment questions as well as to create a formal System Security Plan and perform Risk Assessment

• Provide Information Assurance expertise for ARMY Secure Electronic Transactions - Devices (SET-D) Program Management Office
• SET-D is primarily responsible for DoD Biometric and ARMY PKI acquisitions
• Provide Information assurance, biometric and PKI expertise to other MITRE organizations as needed and as time permits
• Ensure that architecture of various projects meets pertinent regulations and directives such as DITSCAP, DOD 5000.2, AR-25-2, DCIDS, using standard Systems Engineering processes (C4ISR, DODAF)
• Some projects that I have worked on for MITRE include: General Liaison to DOD for MITRE specific tasks, conducting presentations, gaining approval, briefing status, answering questions
• Biometrics on Common Access Cards (CAC), creating objectives for phase II of biometrics on CAC as part of project refinement section from initial phase
• Determining joint services requirements and incorporating suggestions into phase II program
• Conducting PKI OCSP testing with Valicert responder and MS Outlook client plug-in
• This is to gain information on Valicert specific performance for inclusion in overall Certificate Validation analysis report, detailing specific vendor information and determining best solutions for use in ARMY PKI programs
• Created proposal for Future Combat Systems (FCS) and Warfighter Information Network – Tactical (WIN-T) programs to architect possible solution for certificate validation in tactical environments
• CONOPS for Security portion of a Web Services standardization project directed by U.S Army Signal Corp