Stephen Mencik

1002 Red Harvest Road
Gambrills, MD 21054

410-672-5859 (home)
443-445-8857 (office)
steve@mencik.com

Summary

Mr. Mencik has more than 30 years of experience in INFOSEC system design, development, implementation and evaluation and is a Certified Information Systems Security Professional (CISSP), an Information Systems Security Architecture Professional (ISSAP), and an Information Systems Security Engineering Professional (ISSEP).

Employment Experience

CyberCore Technologies

Sr. Information Systems Security Engineer

01/2012 – Present. Mr. Mencik is providing ISSE consulting in support of the Certification and Accreditation of classified Government computer systems.

Raytheon

Sr. Principal Systems Engineer

02/2004 – 01/2012. Mr. Mencik worked a task on the National Security Agency (NSA) AXISS contract. Specifically, he was the Security team lead for the Enterprise Data Center program, providing consulting support for all aspects of the data center design. Previously he provided support to the Information Assurance organization of NSA on a classified program. Prior to that, he worked on the ATLAS contract, where he researched available Multiple Single Level (MSL) solutions; after the research was completed, a report was written recommending the best tool(s) to use as the common desktop computer. Before that, he was the Security Architect for a large classified program. He developed the Identification and Authorization controls for the system, which was built upon a service-oriented architecture. This work used the WS-Security standards, including SOAP and SAML, to provide a user’s security attributes to the services that mediated access to data. In addition to the security design work, he led a team of 5 other engineers that implemented all of the security features in the system.

Lockheed Martin (formerly ACS Defense, Inc.)
Senior Information Security (INFOSEC) Engineer

12/2001 – 02/2004. Provided computer and network security consulting services, primarily to the NSA. This work included system architecture definition, systems engineering, security evaluation, risk management, and the development of security plans, policies and procedures. He also provided assistance with the NISCAP (NSA Information System Certification and Accreditation Program) process. He was the Principal Security Architect on a proposal for a large classified intelligence system.

He also supported the Information Assurance Focus Group (IAFG) of the NSA/CSS Enterprise Standards Program (NESP). He performed research into standards being developed and those recently issued by ANSI, OSI, or industry groups such as OASIS that are related to Information Assurance and brought them to the IAFG for consideration of posting to the NESP Registry of Approved Standards.

IIT Research Institute - Lanham, Maryland
Senior Science Advisor

03/1999 - 12/2001. Provided computer and network security consulting to a diverse customer base that included both U.S. Government and private industry. He provided system architecture definition, systems engineering, security evaluation, risk management, and developed security plans, policies and procedures. He also provided assistance in obtaining security certification and accreditation.

Was the technical lead for the independent review of the FBI Carnivore Internet wiretap tool. He analyzed the system architecture of Carnivore for security problems and recommended improvements. He also conducted extensive hands-on laboratory testing and wrote a major portion of the detailed report on the analysis and testing.

Performed an INFOSEC assessment of the US Census Bureau using the NSA-developed and Critical Infrastructure Assurance Office (CIAO) endorsed INFOSEC Assessment Methodology (IAM). Performed an INFOSEC Assessment of the National Institute on Aging (part of the National Institutes of Health). The INFOSEC assessments were requested by these organizations to comply with PDD-63 (the Presidential Decision Directive dealing with Critical Infrastructure Protection).

Was lead security engineer for the Airborne Communications Node (ACN) program. He designed a system of MSL channels through the communications node, which allowed the device to operate with multiple levels of classified data without all of the problems associated with multi-level security.

Provided security consulting to the IRS for the Tele-Center Workforce Management System (TCWMS). This system allows the IRS to schedule more efficiently the workforce that operates its many taxpayer-help call centers located around the country. Mr. Mencik coordinated the effort that resulted in a final security accreditation for TCWMS.

National Security Agency (NSA) - Fort George G. Meade, Maryland
Senior Computer Scientist

09/1998 – 03/1999. NSA INFOSEC Program Integration Manager (PIM) for the Defense Message System (DMS). As PIM, he coordinated the entire spectrum of NSA INFOSEC support to the DMS Program Management Office. This included managing all of the vendors building DMS products, along with DISA and other NSA offices building DMS security products, to ensure that communications between the vendors and other developers resulted in interoperable and secure products.

09/1996 – 09/1998. NSA INFOSEC representative to the Office of the Manager for the National Communications System (OMNCS). Provided technical consulting to the President's National Security Telecommunications Advisory Committee (NSTAC) on a variety of issues. Led a working group that assessed the state of computer and network intrusion detection systems and, in conjunction with the President's Commission on Critical Infrastructure Protection (PCCIP), led a risk assessment of the Transportation Information Infrastructure.

10/1995 – 09/1996. Lead evaluator for the Electronic Key Management System (EKMS). Discovered vulnerabilities and designed fixes for this system, which is used to distribute encryption key material to United States forces worldwide. Documented all findings with technical reports. Also directed the work of more junior analysts working on this evaluation.

03/1995 – 10/1995. Senior INFOSEC evaluator for the RADIANT MERCURY system. Performed a system design analysis, code analysis, and hands-on security testing for this U.S. Navy fixed-format message sanitizer and classification downgrader. Discovered several vulnerabilities that would allow "root" access, and developed fixes for them.

06/1994 – 03/1995. Technical Director for Security for the system architecture branch of the Multilevel Information System Security Initiative (MISSI). Analyzed the system for vulnerabilities and worked with the system designers to develop secure solutions for multi-level secure systems.

04/1992 – 06/1994. Senior evaluator for a division of more than 30 junior analysts. Trained these analysts in computer system and network security evaluation. Applications evaluated included secure telephone conferencing systems, end-to-end network encryption systems, trusted guards and others.

04/1988 – 04/1992. Supervisor for a group of 6 junior analysts responsible for security evaluations and research. Provided technical direction to these analysts, managed travel and award budgets, wrote performance appraisals, developed training plans, and performed other managerial functions. Technical tasks guided included computer virus research, computer network attacks, NATO messaging systems, and key management. Also served as the U.S. representative to the NATO subgroup that developed the NATO OSI Security Architecture (NOSA).

Computer Sciences Corporation - Hanover, Maryland
Senior Computer Scientist

07/1983 – 04/1988. Designed and developed parts of the prototype EKMS for NSA. Specifically, designed the software for a custom circuit board that translated key material from bulk-encrypted form to singly super-encrypted form. Programming was done in both C and 68020 assembler, and the code was tested and debugged using an HP-64000 emulation system. Code developed included interrupt handlers, classified encryption algorithms, and interprocess communication protocols. All programming was done in accordance with DS-80 (NSA's INFOSEC Software Engineering Standards and Practices Manual). In addition, performed software quality assurance for other classified NSA applications.

System Administrator for 5 UNIX systems that were part of the CSC development laboratory. Provided account management, security services, and network communications setup (UUCP, remote host access, etc.), and audit log analysis. 

National Security Agency - Fort George G. Meade, Maryland 
Computer Systems Analyst

07/1981 – 06/1983. Charter member of the DoD (later National) Computer Security Center. Provided computer and network security evaluations for various DoD and other Government agencies. Among the systems evaluated were the Defense Data Network and the U.S. Treasury Automated Communications System. As part of these evaluations, modified some software path-flow analysis tools to work with the computer languages used.

Professional Certification

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Security Architecture Professional (ISSAP)

Certified Information Systems Security Engineering Professional (ISSEP)

Other Experience

Served as an expert for the searchsecurity.com "Ask the Experts" Infrastructure & Network Security and Security Policies & Management categories for 3 years.

Has spoken at several conferences, including the Security Decisions 2003 conference held in October 2003.

Education

MS Computer Science 1984
Johns Hopkins University - Baltimore, Maryland

BSICS (Information and Computer Science) 1981
Georgia Institute of Technology - Atlanta, Georgia 

Security Clearance 

Top Secret with Extended Background Investigation and NSA polygraph.

Honors

Granted title of Senior Member in both the INFOSEC and Computer Science disciplines of the NSA Technical Track program. 

Received several cash awards and letters of appreciation while at NSA, CSC, and ACS Defense.

Elected to Phi Eta Sigma (National College Freshman Honor Society).