About This Site

My name is Gary Coulter, and I’m passionate about cloud security. I’m fascinated by the possibilities that the cloud offers, and I want to use my knowledge and talents to make the cloud more secure. I’m currently working in Governance, Risk, and Compliance (GRC) and want to transition into cloud security engineering. This blog will be a place for me to document that transition and demonstrate my knowledge of building secure environments in the cloud.

Clearance

Information available upon request.

Certifications

Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Certified in Governance, Risk and Compliance (CGRC), Security+

Skills

Audit log reviews and security incident response, risk analysis, Assessment & Authorization, technical writing, customer service

Experience

TDI, Washington, DC – Information System Security Officer

May 2025 – Present

● Served as the primary IT security and compliance advisor for seven authorization boundaries for a federal customer.

● Analyzed Nessus vulnerability and Tripwire compliance scan reports and worked with system administrators and engineers to triage scan results and identify true positives in order to develop risk-based remediation plans.

● Documented risk acceptance requests for security controls that could not be implemented as required, and documented the implementation of compensating controls that would mitigate the risk from the proposed risk acceptance.

● Provided briefings to system owners, the Chief Information Security Officer, and Chief Information Officer on IT security risks present in my assigned authorization boundaries.

● Used the Archer Governance, Risk and Compliance (GRC) tool to create system security and privacy plans (SSPPs) and plans of action and milestones (POA&Ms) for my assigned authorization boundaries.

Coalfire Federal, Arlington, VA – Security Control Assessor

March 2023 – May 2025

● Served as a contractor security control assessor at two federal agencies where I led security control assessments of complex systems with hundreds of controls from NIST SP 800-53 Rev. 4 and Rev. 5.

● Produced security assessment reports (SARs) using the CSAM and Xacta 360 GRC tools, executive summaries, risk assessments, and weekly assessment status updates to help agencies understand the risks from assessment findings.

● Mentored junior security control assessors on how to effectively perform security control assessments in accordance with customer requirements.

● Contributed to the efficient operation of the security control assessor team by making suggestions for process improvements, including ways that the team could more easily collaborate.

Coalfire Federal, Washington, DC – ISSO

September 2020 – March 2023

● Maintained the appropriate operational security posture for the agency financial system and a FedRAMP SaaS solution.

● Worked with system administrators, developers, and system owners to perform system security categorization, select appropriate security controls, and document the security posture of the system in system security plans using the CSAM GRC tool.

● Gathered artifacts to demonstrate that the system’s security controls were implemented as required and operating as intended.

● Reviewed the findings of security control assessments and worked with system administrators, developers, and system owners to develop POA&Ms to remediate assessment findings.

● Briefed the CISO, CIO, and DCIO on security control assessment findings to help them understand risk.

● Performed continuous monitoring of implementation of NIST SP 800-53 Rev. 4 security controls and reviewed Nessus vulnerability scans with system administrators, developers, and system owners to remediate vulnerabilities.

● Worked with system administrators, developers, and system owners to remediate vulnerabilities and close POA&Ms.

● Developed contingency plans and scenarios for tabletop tests of contingency plans.

● Gave a brown bag presentation to other ISSOs on effectively working with system personnel to brief them on vulnerabilities identified in Nessus scans and develop plans to remediate vulnerabilities.

● Researched vulnerabilities and worked with system personnel to document false positives and risk acceptance requests.

ManTech, Washington, DC — Sr. A&A Analyst

March 2020 – September 2020

● Served as the primary IT security and compliance advisor for five authorization boundaries for a federal customer.

● Analyzed Nessus vulnerability and Tripwire compliance scan reports and worked with system administrators and engineers to triage scan results and identify true positives in order to develop risk-based remediation plans.

● Documented risk acceptance requests for security controls that could not be implemented as required, and documented the implementation of compensating controls that would mitigate the risk from the proposed risk acceptance.

● Provided briefings to system owners, CISO, and CIO on IT security risks present in my assigned authorization boundaries.

● Used Archer GRC to create SSPPs and POA&Ms for my assigned authorization boundaries.

Zermount, Washington, DC — ISSO

July 2017 – March 2020

● Used Archer GRC to write SSPs, SARs, and POA&Ms for 14 systems, including applications hosted in cloud environments, internal Web applications, a video surveillance system, and a fingerprinting system containing PII.

● Used Splunk to review audit logs to identify potential security breaches.

● Ensured operating systems and databases were hardened in accordance with policy and CIS benchmarks.

● Performed continuous monitoring and self-assessments and reported security issues to CISO and AO.

● Performed security impact analyses for proposed changes and provided recommendations for approval/disapproval.

● Wrote contingency plans, Incident Response Plans, and AARs.

● Facilitated Incident Response Plan and Contingency Plan tabletop exercises.

● Worked with stakeholders to promptly address security vulnerabilities.

● Reviewed FedRAMP packages and reported risks to senior management.

● Analyzed Qualys vulnerability and hardening scan reports to assess risk and report issues to system stakeholders and senior management.