Who is Craig Poma?
Who really likes to talk about themselves? It’s kind of weird, but I guess a necessary evil when trying to complete an “About Me” section. The next hurdle would be: do I describe myself in some sort of narrative fashion, or just hit you with a résumé-style bullet list? I’ll narrate, because if you want a résumé you can look at my LinkedIn profile.
My name is Craig Poma. I live in Virginia (Washington/DC Metro Area) with my wife and 3 sons. When I’m not spending time with my family, I enjoy mountain biking, running, fishing, home improvement activities, software development (I know…I do that at work too) and lately photography.
I also kind of maintain an outdated blog conveniently located at https://blog.craigpoma.com. It is mostly computer-related musings, but sometimes I talk about family stuff or other interests/activities.
Education, Certifications, and Related Classes
I have a BS from the University of Maryland – College Park in Computer Science (2001). I have an MS in Computer Systems Management with a focus on Data Assurance and Protection from the University of Maryland – University College (2006). From a certification standpoint, I am a registered/active CISSP, CEH, and Microsoft MCSA. In the past, I had an active CCNA, but I allowed that to expire because my job at Lockheed didn’t really “utilize” any networking certifications. I have taken tons of classes over the years to keep current with various technologies.
Certified Information Systems Security Professional (CISSP) – 2009 – Current
QRT Spot Award – 2018
Customer Director’s Team Award – 2017
MITRE Spark Award – 2017
Mission Software Modernization Team Award – 2016
MITRE Spark Award – 2016
Certified Ethical Hacker (CEH) – 2015 – Current
Customer Team of the Year – 12/2011
Lockheed Martin Spot Team Award – 12/2009
Lockheed Martin SRA Award – 12/2008
Lockheed Martin Spot Award – 12/2006
Lockheed Martin Spot Award – 09/2004
Lockheed Martin Prestige Award – 08/2001
Cisco CCNA – 2002
Microsoft MCSA – 2001
Penetration Testing 102 – 12/2017
Penetration Testing 101 – 12/2017
Cloud Security – 5/2017
Cross Domain Solution Security Assessor Training, Unified Cross Domain Services Management Office (UCDSMO) – 5/2017
Cloudera Search – 2/2017
Cloudera Data Analyst Training: Using Pig, Hive, and Impala with Hadoop – 8/2016
Cloudera Administrator Training for Secure Configuration – 7/2016
Introduction to Chef – 9/2015
Intellectual Property Contributions
InSpec Security Compliance Profiles – 2016
The InSpec Security Compliance Profiles are a collection of security compliance profiles based on government standards. They give MITRE and Sponsors an automated way to assess and report on the compliance state of systems and applications using the open source InSpec library. More on InSpec can be found at https://www.inspec.io/
Career / Experience
Career Path Narrative
VenAmerica Communications Inc. (May, 1998 – May, 2001)
In 1998, I started working for VenAmerica Communications, Inc. VenAmerica is a telecommunications consulting and installation firm. They provide services to newly constructed, renovated, or existing facilities. They deal with critical infrastructure systems including cable plant, telephone and paging, electrical and back-up power, mechanical, fire protection, A/V/CATV, and security, including CCTV. My primary job there was to manage the computer network for the office. When I first started, the network was not very “formal”, as they had a small office staff footprint and many field employees. I, of course, pushed to formalize this, and management agreed. This was fortuitous, because as the dot-com boom approached, the office staff grew, and formalization made it very easy to add office staff in a structured, secure manner. When I left in 2001 to go work for Lockheed, they had about 15-20 workstation nodes (Windows XP), an Exchange 2000 Server, a web server (Linux), a fileserver/domain controller (Windows Server 2000), and some network-based printers (HP plotters and printers). All patching and virus definitions were centrally managed. The system was very well designed and executed... all by me :-). I also built them a pretty full-featured web application, using the LAMP (Linux, Apache, MySQL, and Perl) approach, to manage service requests, timesheets, and hours management across contracts. (I built them a website too, but that has since been replaced.)
VenAmerica, being a small business, required staff to wear many hats. So, as you can imagine, me sitting around the office watching working machines all day would have been a waste of time, and boring. So, I was inserted into “field duty”. I started from the bottom up, working as just a laborer, learning color codes, cable termination, fiber termination, electrical codes, etc. I progressed quickly and learned about phone switches, voicemail systems, etc. Eventually, I was a field lead managing job sites doing network build-outs with my own “crew”.
VenAmerica was truly a great learning environment that has helped me in later endeavors. I would encourage folks pursuing IT-based careers to learn some of this peripheral stuff; it really does come in handy.
Lockheed Martin IS&GS (May, 2001 – Nov. 2010)
After receiving my bachelor’s degree in Computer Science, I took a job working for Lockheed Martin as a Software Engineer working on a “tools team”. I can’t really talk too much about any of my Lockheed taskings, as they require a security clearance and wouldn’t be appropriate…or legal.
What I can say is: I built web tools which used a common framework combining Oracle, Apache, and Perl. These tools provided an integrated, web-enabled Systems Engineering and Integration (SE&I) environment written using a combination of COTS and custom applications, which made use of open source material and technologies. Core functions included user/group management, a document repository, a shared calendar, action items, and milestone tracking. Customized applications included RFC change management, requirement traceability, system-level verification, risk management, test resource planning, operator readiness evaluation, and program status tracking. Along with building web tools, I was also responsible for deploying and maintaining Oracle 9i, 10g, and XE database deployments and Apache web servers.
The tool suite and tools were deployed to a number of Programs. Some Programs had very large user bases, so I was tasked with coming up with a load balancing solution for the collaborative system. A team member and I designed and deployed a cluster-based solution using Oracle RAC, Apache reverse proxy, and some DNS manipulations.
In Aug. 2009, I was assigned to a new tasking. It was the same kind of job, but the team was building a whole collaborative environment from the bottom up. In my previous tasking, the environment already existed; it evolved during my tenure, but wasn’t a “from scratch” system. The key to this system was that it had to comply with NIST and DCID 6/3 PL3 security requirements. I had, since 2003, been building tools under these constraints, so I was pretty comfortable. I designed and built a framework called the Protected Online Managed Access Collaboration System (POMACS™). This development effort was spawned to demonstrate a development environment that could be rapidly deployed, and be agile, robust, scalable, and compliant with PL3 requirements for multi-level security (MLS). This tool suite integrates a combination of COTS and custom applications, which make use of open source materials and Web 2.0 technologies. Core functions include things that most collaborative environments have, like user/group management, shared calendars, user-created Workspaces, RSS feed integration, and a Content Management System. Additionally, we integrated with some external Mapping Appliances, integrated with IP Geolocation Services/Google Maps, added LDAP/PKI integration, and added some other proprietary features. All of these features, however, operate in compliance with the PL3 and MLS requirements.
- POMACS was designed and implemented using a modified LAMP stack.
- Engineered with NIST and DCID 6/3 PL3+ security requirements factored into the core, adhering to the security and integrity principles/requirements that Customer Environments will require.
And again, even though Lockheed was a large company, I got to wear multiple hats. So, I also had responsibilities for installation, administration, and patching of Oracle 10g database deployments for use with the web-based application deployments. I also did installation, administration, and patching of multiple Red Hat Enterprise Linux deployments.
The SI Organization Inc. (Nov, 2010 – July, 2014)
Systems Engineer Senior Staff Nov, 2010 – Feb, 2011
My first tasking at the SI was working on the Border Intelligence Fusion Section (BIFS) Common Intelligence Picture (CIP) system, where I provided network design and infrastructure support for its development and installation. The BIFS CIP follows a service-oriented architecture (SOA) model to access data from a number of systems for the purposes of providing both a real-time Common Information Picture and the ability to perform historical fusion analysis on geospatial data. In addition, the Object/Entity (OE) capability of the system allows end users to create data relevant to the CIP.
Systems Engineer Senior Staff Feb, 2011 – Apr, 2011
Then, I was matrixed to perform a detailed software evaluation and code inspection of a Customer system. The evaluation would be used to determine the “state of health”, identify any possible developer deficiencies or bad practices, and determine compliance with Object Oriented Programming best practices. This evaluation used both automated code inspection tools and manual line-by-line inspection. The deliverable was a compendium of findings and a detailed plan to correct or improve current practices.
Systems Engineer Senior Staff Apr, 2011 – July, 2014
I was a Segment Lead on an ICD 503-accredited system, providing support and direction on:
- Systems Engineering and Architecture Support
- Systems Integration
- System Analysis to document performance and optimization
- Requirement Verification
- Software Design Review
- Test Case Implementation, Verification, and Analysis
MITRE – Principal Computer Science Engineer – (July, 2014 – current)
NASP C2S Support July, 2014 – Jan, 2020
Technical Lead and Subject Matter Expert (SME) – Recognized as an SME on C2S-related migration and deployment tasks. Requested multiple times to conduct briefs to large sponsor groups and SETA/developer teams to facilitate an easier transition to C2S. Continued evolution of the S2P architecture to include application of vulnerability/compliance scanning tools, software assurance components, and introduction of container-based solutions. Enhanced the Chef Manage and Chef Compliance baselines to enable infrastructure-as-code initiatives. Technical lead for S2P; transitioned the MITRE-developed prototype to a contractor team and managed the technical aspects of the follow-on effort; informed the Customer of significant issues with the contractor team and the overall project.
ANTNET Support Sept, 2016 – Sept, 2017
Technical Lead & SME – Designed and implemented the ANTNETv3 core infrastructure for continuous monitoring to comply with security implementation requirements. Designed and developed the breadth of prototype ANTNET components, including hardening, federation, security controls, fault tolerance, account management, anomaly detection, user action monitoring, and the metrics needed to receive Authority to Operate (ATO). Provided technical guidance to extended team members (MITRE, SETA, Customer).
Adjunct Assistant Professor of Computer Science – (Mar 2018 – Present)
Remote teaching of various Computer Science classes using the BrightSpace LMS to include:
– Building Secure Web Applications (SDEV 300)
– Secure Programming in the Cloud (SDEV 400)
– Relational Database Concepts and Applications (CMIS 320)
So, that’s me on one page or less... (well, it is probably 3 pages).