{"id":2,"date":"2026-03-26T12:26:52","date_gmt":"2026-03-26T12:26:52","guid":{"rendered":"http:\/\/127.0.0.1\/?page_id=2"},"modified":"2026-05-21T12:43:07","modified_gmt":"2026-05-21T12:43:07","slug":"sample-page","status":"publish","type":"page","link":"https:\/\/www.garycoulter.com\/?page_id=2","title":{"rendered":"About Me"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">My name is Gary Coulter, and I&#8217;m passionate about cloud security. I&#8217;m fascinated by the possibilities that the cloud offers, and I want to use my knowledge and talents to make the cloud more secure. I&#8217;m currently working in Governance, Risk, and Compliance (GRC) and want to transition into cloud security engineering. This blog will be a place for me to document that transition and demonstrate my knowledge of building secure environments in the cloud.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Clearance<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Information available upon request.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Certifications<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Certified in Governance Risk and Compliance (CGRC), Security+<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Skills<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Audit log reviews and security incident response, risk analysis, Assessment &amp; Authorization, technical writing, customer service<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Experience<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>TDI, Washington, DC &#8211; Information System Security Officer<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">May 2025 &#8211; Present<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Served as the primary IT security and compliance advisor for seven authorization boundaries for a federal customer. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Analyzed Nessus vulnerability and Tripwire compliance scan reports and worked with system administrators and engineers to triage scan results and identify true positives in order to develop risk-based remediation plans. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Documented risk acceptance requests for security controls that could not be implemented as required, and documented the implementation of compensating controls that would mitigate the risk from the proposed risk acceptance. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Provided briefings to system owners, the Chief Information Security Officer, and Chief Information Officer on IT security risks present in my assigned authorization boundaries <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Used the Archer Governance, Risk and Compliance (GRC) tool to create system security and privacy plans (SSPPs) and plans of action and milestones (POA&amp;Ms) for my assigned authorization boundaries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Coalfire Federal, Arlington, VA &#8211; Security control assessor <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">March 2023 &#8211; May 2025 <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Served as a contractor security control assessor at two federal agencies where I led security control assessments of complex systems with hundreds of controls from NIST SP 800-53 Rev. 4 and Rev. 5. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Produced security assessment reports (SARs) using the CSAM and Xacta 360 GRC tools, executive summaries, risk assessments, and weekly assessment status updates to help agencies understand the risks from assessment findings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Mentored junior security control assessors on how to effectively perform security control assessments in accordance with customer requirements. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Contributed to the efficient operation of the security control assessor team by making suggestions for process improvements, including ways that the team could more easily collaborate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Coalfire Federal, Washington, DC &#8211; ISSO <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">September 2020 &#8211; March 2023 <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Maintained the appropriate operational security posture for the agency financial system and a FedRAMP SaaS solution. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Worked with system administrators, developers, and system owners to perform system security categorization, select appropriate security controls, and document the security posture of the system in system security plans using the CSAM GRC tool.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Gathered artifacts to demonstrate that the system&#8217;s security controls were implemented as required and operating as intended.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Reviewed the findings of security control assessments and worked with system administrators, developers, and system owners to develop POA&amp;Ms to remediate assessment findings. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Briefed the CISO, CIO, and DCIO on security control assessment findings to help them understand risk. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Performed continuous monitoring of implementation of NIST SP 800-53 Rev. 4 security controls and reviewed Nessus vulnerability scans with system administrators, developers, and system owners to remediate vulnerabilities. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Worked with system administrators, developers, and system owners to remediate vulnerabilities and close POA&amp;Ms. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Developed contingency plans and scenarios for tabletop tests of contingency plans. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Gave a brown bag presentation to other ISSOs on effectively working with system personnel to brief them on vulnerabilities identified in Nessus scans and develop plans to remediate vulnerabilities. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Researched vulnerabilities and worked with system personnel to document false positives and risk acceptance requests.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>ManTech, Washington, DC \u2014 Sr. A&amp;A Analyst <\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">March 2020 &#8211; September 2020 <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Served as the primary IT security and compliance advisor for five authorization boundaries for a federal customer. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Analyzed Nessus vulnerability and Tripwire compliance scan reports and worked with system administrators and engineers to triage scan results and identify true positives in order to develop risk-based remediation plans. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Documented risk acceptance requests for security controls that could not be implemented as required, and documented the implementation of compensating controls that would mitigate the risk from the proposed risk acceptance. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Provided briefings to system owners, CISO, and CIO on IT security risks present in my assigned authorization boundaries <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Used Archer GRC to create SSPPs and POA&amp;Ms for my assigned authorization boundaries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Zermount, Washington, DC \u2014 ISSO<\/strong> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">July 2017 &#8211; March 2020 <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Used Archer GRC to write SSPs, SARs, and POA&amp;Ms for 14 systems, including applications hosted in cloud environments, internal Web applications, a video surveillance system, and a fingerprinting system containing PII. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Used Splunk to review audit logs to identify potential security breaches.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"> \u25cf Ensured operating systems and databases were hardened in accordance with policy and CIS benchmarks. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Performed continuous monitoring and self-assessments and reported security issues to CISO and AO. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Performed security impact analyses for proposed changes and provided recommendations for approval\/disapproval. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Wrote contingency plans, Incident Response Plans, and AARs. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Facilitated Incident Response Plan and Contingency Plan tabletop exercises. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Worked with stakeholders to promptly address security vulnerabilities. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Reviewed FedRAMP packages and reported risks to senior management. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u25cf Analyzed Qualys vulnerability and hardening scan reports to assess risk and report issues to system stakeholders and senior management.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>My name is Gary Coulter, and I&#8217;m passionate about cloud security. I&#8217;m fascinated by the possibilities that the cloud offers, and I want to use my knowledge and talents to make the cloud more secure. I&#8217;m currently working in Governance, Risk, and Compliance (GRC) and want to transition into cloud security engineering. This blog will<\/p>\n<div class=\"more-link\">\n\t\t\t\t <a href=\"https:\/\/www.garycoulter.com\/?page_id=2\" class=\"link-btn theme-btn\"><span>Read More <\/span> <i class=\"fa fa-caret-right\"><\/i><\/a>\n\t\t\t<\/div>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-2","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=\/wp\/v2\/pages\/2","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2"}],"version-history":[{"count":9,"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=\/wp\/v2\/pages\/2\/revisions"}],"predecessor-version":[{"id":29,"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=\/wp\/v2\/pages\/2\/revisions\/29"}],"wp:attachment":[{"href":"https:\/\/www.garycoulter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/
{rel}","templated":true}]}}