About This Site

This may be a good place to introduce yourself and your site or include some credits.

Find Us

Address
123 Main Street
New York, NY 10001

Hours
Monday–Friday: 9:00AM–5:00PM
Saturday & Sunday: 11:00AM–3:00PM

My name is Gary Coulter, and I’m passionate about cloud security. I’m fascinated by the possibilities the cloud offers, and want to use my knowledge and talents to make the cloud more secure. I currently work in Governance, Risk, and Compliance (GRC) and want to use my 10+ years of experience to transition into a cloud security analyst role, with the goal of eventually becoming a cloud security engineer. This blog will be a place for me to document that transition and demonstrate my knowledge of building secure environments in the cloud.

Clearance

Information available upon request.

Certifications

Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Certified in Governance Risk and Compliance (CGRC), Security+

Skills

Audit log reviews and security incident response, risk analysis, assessment and authorization, technical writing, customer service

Experience

TDI, Washington, DC – Information System Security Officer (ISSO)

May 2025 – Present

● Served as the primary IT security and compliance advisor for six authorization boundaries for a federal customer.

● Analyzed Nessus vulnerability and Tripwire compliance scan reports and worked with system administrators and engineers to triage scan results and identify true positives in order to develop risk-based remediation plans.

● Documented risk acceptance requests for security controls that could not be implemented as required, and documented the implementation of compensating controls that would mitigate the risk from non-compliance.

● Provided briefings to system owners, the Chief Information Security Officer (CISO), and Chief Information Officer (CIO) on IT security risks present in my assigned authorization boundaries.

● Used the Archer Governance, Risk and Compliance (GRC) tool to create system security and privacy plans (SSPPs) and plans of action and milestones (POA&Ms) for my assigned authorization boundaries.

Coalfire Federal, Arlington, VA – Security control assessor

March 2023 – May 2025

● Served as a contractor security control assessor at two federal agencies where I led security control assessments of complex systems with hundreds of controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revisions 4 and 5.

● Produced security assessment reports (SARs) using the CSAM and Xacta 360 GRC tools, executive summaries, risk assessments, and weekly assessment status updates to help agencies understand the risks from assessment findings.

● Mentored junior security control assessors on how to effectively perform security control assessments in accordance with customer requirements.

● Contributed to the efficient operation of the security control assessor team by making suggestions for process improvements, including ways that the team could more easily collaborate.

Coalfire Federal, Washington, DC – ISSO

September 2020 – March 2023

● Maintained the appropriate operational security posture for the agency financial system and a FedRAMP SaaS solution.

● Worked with system administrators, developers, and system owners to perform system security categorization, select appropriate security controls, and document the security posture of the system in system security plans using the CSAM GRC tool.

● Gathered artifacts to demonstrate that the system’s security controls were implemented as required and operating as intended.

● Reviewed the findings of security control assessments and worked with system administrators, developers, and system owners to develop POA&Ms to remediate assessment findings.

● Briefed the CISO, CIO, and DCIO on security control assessment findings to help them understand risk.

● Performed continuous monitoring of implementation of NIST SP 800-53 Rev. 4 security controls and reviewed Nessus vulnerability scans with system administrators, developers, and system owners to remediate vulnerabilities.

● Worked with system administrators, developers, and system owners to remediate vulnerabilities and close POA&Ms.

● Developed contingency plans and scenarios for tabletop tests of contingency plans.

● Gave a brown bag presentation to other ISSOs on effectively working with system personnel to brief them on vulnerabilities identified in Nessus scans and develop plans to remediate vulnerabilities.

● Researched vulnerabilities and worked with system personnel to document false positives and risk acceptance requests.

ManTech, Washington, DC — Senior Assessment and Authorization Analyst

March 2020 – September 2020

● Served as the primary IT security and compliance advisor for five authorization boundaries for a federal customer.

● Analyzed Nessus vulnerability and Tripwire compliance scan reports and worked with system administrators and engineers to triage scan results and identify true positives in order to develop risk-based remediation plans.

● Documented risk acceptance requests for security controls that could not be implemented as required, and documented the implementation of compensating controls that would mitigate the risk from the proposed risk acceptance.

● Provided briefings to system owners, CISO, and CIO on IT security risks present in my assigned authorization boundaries

● Used Archer GRC to create SSPPs and POA&Ms for my assigned authorization boundaries.

Zermount, Washington, DC — ISSO

July 2017 – March 2020

● Used Archer GRC to write SSPs, SARs, and POA&Ms for 14 systems, including applications hosted in cloud environments, internal Web applications, a video surveillance system, and a fi ngerprinting system containing PII.

● Used Splunk to review audit logs to identify potential security breaches.

● Ensured operating systems and databases were hardened in accordance with policy and CIS benchmarks.

● Performed continuous monitoring and self-assessments and reported security issues to CISO and AO.

● Performed security impact analyses for proposed changes and provided recommendations for approval/disapproval.

● Wrote contingency plans, Incident Response Plans, and AARs.

● Facilitated Incident Response Plan and Contingency Plan tabletop exercises.

● Worked with stakeholders to promptly address security vulnerabilities.

● Reviewed FedRAMP packages and reported risks to senior management.

● Analyzed Qualys vulnerability and hardening scan reports to assess risk and report issues to system stakeholders and senior management.

Zermount, Washington, DC — IT Security Advisor

March 2016 – July 2017

  • Performed security control assessments using NIST SP 800-53A Rev. 4
    assessment procedures
  • Used Archer GRC to create security assessment reports (SARs) and
    security assessment plans (SAPs)
  • Provided briefings for authorizing officials, system owners, information
    technology security program managers and information system security
    officers (ISSOs) on security control assessment findings and remediation
    recommendations
  • Sealing Technologies, Columbia, MD — Information
    Assurance Analyst
    December 2014 – March 2016
  • Provided information assurance and technical writing support for two
    systems under development for the U.S. Air Force’s Theater Deployable
    Communications (TDC) program
  • Performed emissions security countermeasures reviews to identify
    actions that could be taken to prevent malicious individuals from
    intercepting compromising emanations from systems
  • Helped write a System Security Plan that identified information assurance
    controls used to adequately protect systems from security threats
  • Assisted with the creation of a POA&M and risk/threat analysis for open
    ports and running services
  • Wrote an Air Force Technical Order that included instructions for how
    airmen should set up a system in accordance with applicable information
    assurance controls and security technical implementation guides (STIGs)
  • Developed backup and restore procedures to help
    ensure continued availability of a system
  • Developed a training program for Air Force trainers that included
    material on how to set up and operate a system in accordance with IA
    controls and STIGs
  • Recognized by management for going above and beyond the call of duty
    in support of the company’s mission