Information Technology Security TRA and C&A Analyst (Security Assessor) – Level 3 for Natural Resources Canada

MDOS Consulting
Ottawa/Remote
Contract
Category: IT Security
Experience: 10 years

Overview

We are looking for an Information Technology Security TRA and C&A Analyst (Security Assessor) - Level 3 for Natural Resources Canada with a Security Clearance Level of Reliability.

About MDOS Consulting

We are looking for an Information Technology Security TRA and C&A Analyst (Security Assessor) – Level 3 for Natural Resources Canada with a Security Clearance Level of Reliability:

1. The bidder MUST demonstrate that the proposed resource complies with a Level 3 Information Technology Security TRA and C&A Analyst (C.3) as defined by Annex A – Requirements for Services, of the TBIPS Supply Arrangement.

https://www.tpsgc-pwgsc.gc.ca/app-acq/sptb-tbps/cyberprotect-eng.html#c3

2. The bidder MUST demonstrate that the proposed resource has performed at least ten (10) Security Assessment and Authorizations in the last five (5) years (as of bid closing) evaluating the security controls of a system to ensure that it was properly configured to meet a security mandate, which culminated in a Plan of Action and Milestones (PoA&M) report and utilized one of the following security control frameworks:

  • Government of Canada ITSG-33 Protected B, Medium Integrity, Medium Availability or greater
  • NIST SP 800-53
  • Federal Risk and Authorization Management Program (FedRAMP) Moderate or High Level
  • ISO 27001, ISO 27017 and ISO 27018

3. The bidder MUST demonstrate that the proposed resource has at least six (6) years of experience in the last ten (10) years (as of bid closing) with technical documentation including all of the following:

  • Assessing high level network diagrams for security concerns related to zoning
  • Assessing build books for security concerns related to the configuration of physical or virtual servers
  • Tracing security controls from Security Requirements through high level designs, build books and granular network diagrams to ensure that sufficient documentation exists to support the control
  • Performing gap assessments on technical documentation and advising on how to remediate those gaps.

4. The bidder MUST demonstrate that the proposed resource has at least twelve (12) months of experience in the last five (5) years (as of bid closing) performing Security Assessments and Authorizations for Enterprise-class IT solutions deployed in a cloud or hybrid-cloud environment comprised of all the following:

  • Determining whether the evidence provided acceptably covers the controls in the control profile
  • Ensuring that required controls are effectively implemented and operating as intended
  • Assessing the risk of any controls that are not met or only partially met by the evidence provided
  • Providing guidance and advice on what constitutes appropriate evidence
  • Advising on risk mitigation strategies

*Enterprise-class refers to solutions or services that are designed to be robust and scalable across a large organization.
