Senior Secret Cleared SA&A Consultant to complete ATOs and TRAs for a migration of custom applications and software to the cloud.

Ottawa, ON
  • Number of positions available : 1

  • To be discussed
  • Contract job

  • Published since 2 day(s)
  • Starting date : 1 position to fill as soon as possible

Our valued public sector client is seeking a Senior Secret Cleared SA&A Consultant to complete ATOs and TRAs for a migration of custom applications and software to the cloud.


Project Description:

This role supports an urgent requirement to migrate enterprise applications into the cloud. The scope will focus on ensuring that the applications meet Treasury Board Secretariat (TBS) and ITSG-33 requirements, enabling secure migration, operation, and monitoring of the applications within Microsoft Azure.


Must Haves:

  • CISSP
  • SA&A (ITSG-33) ATO, SRTM, POA&M and SAR with GoC (6 years in the past 8)
  • Security risk management (6 years in the past 8)
  • Threat and risk assessments with GoC (3+ examples)
  • Cloud security environment assessments (2+ examples)
  • Degree or Diploma


Responsibilities:

  • Lead and document Security Assessment & Authorization (SA&A) for Fortress.
  • Map, assess, and implement security controls across Overarching, Protect, Detect, Respond, and Recover Functions as defined in Security Orders.
  • Advise on strategies to support Continuous Authorization to Operate (CATO) for Fortress.
  • Develop reusable processes, templates, and automated evidence-gathering methods for control validation.
  • Conduct SA&A, Threat Risk Assessments (TRA), Security Impact Assessments (SIA), and Privacy Impact Assessments (PIA).
  • Capture and document control evidence in line with ITSG-33, DIM Secur, and Security Orders (e.g., access control, audit, configuration management, incident response).
  • Develop a Plan of Action & Milestones (POA&M) to address deficiencies.
  • Risk and Vulnerability Management
  • Conduct risk modeling (actor profiles, scenario analysis) to inform mitigations.
  • Produce comparative analysis of CJCR controls against ITSG-33, NIST, and ISO 27002 standards.
  • Ensure compliance with TBS Policy on Government Security, Privacy Act, Access to Information Act, and other applicable policies.
  • Develop and review Interconnection Security Agreements (ISAs).
  • Assist with evidence capture of developer security testing and secure SDLC integration (static/dynamic code analysis, CI/CD security).
  • Develop a plan for a Continuous Monitoring strategy, including automated evidence capture.
  • Lead tabletop exercises and test contingency/incident response procedures.
  • Provide training and awareness sessions on SA&A evidence capture and security controls.
  • Deliver reusable templates for risk assessments, security control documentation, and ATO submissions.


Disclaimer:
AI may be used in evaluating candidates.
This posting is for an existing vacancy.

Requirements

Level of education

undetermined

Work experience (years)

undetermined

Written languages

undetermined

Spoken languages

undetermined