Cyber Security IDIQ

Washington Metropolitan Area Transit Authority (WMATA) – IT Cyber Security (ITCS)

The Office of IT Cybersecurity (ITCS) is responsible for ensuring that cybersecurity risks are identified, understood, managed, and remediated to a level acceptable to WMATA. Over one million customers travel in the Metro system each day, relying on an increasingly automated transit infrastructure to take them safely to their destinations. Cybersecurity is not only a corporate concern for WMATA; it is a public safety concern. To protect the traveling public, as well as WMATA’s internal operations, ITCS engages in all functional areas of cybersecurity work: Operations, Governance, and Risk Management. Cybersecurity operational activities ensure that there are adequate tools and technology to identify, monitor, and handle cyber threats effectively. The cybersecurity governance program area is aligned with the WMATA General Manager’s strategy and high-level objectives and goals.

The cybersecurity risk management program identifies and mitigates threats through the application of the NIST (National Institute of Standards and Technology) Risk Management Framework. ITCS’ vision is to build and operate the leading cybersecurity program in transportation, holistically protecting its employees and customers. ITCS’ main mission is to advance WMATA’s mission through the collaborative development and adoption of enterprise-wide cybersecurity policies, matched by prioritized, risk-management-based implementation of cybersecurity defenses. These defenses enable outstanding customer operations while balancing risk, resource constraints, and the need for innovation, and are subject to clear and measurable performance goals for securing information resources and systems WMATA-wide.

The following program areas are supported under the three ITCS Directorates of Operations, Governance, and Risk Management:

  • Cybersecurity architecture
  • Cybersecurity audits and compliance
  • Cybersecurity finance
  • Cybersecurity policy governance
  • Cybersecurity score carding/metrics
  • Cybersecurity outreach, training, and awareness
  • Cybersecurity tools and technology operations
  • Cybersecurity forensics analysis
  • Cybersecurity red and blue teaming
  • Cybersecurity incident management
  • Cybersecurity threat intelligence analysis
  • Cybersecurity vulnerability management
  • Cybersecurity controls assessments
  • Cybersecurity controls development
  • Cybersecurity risk management
  • Cybersecurity system authorization and accreditation
  • Applying the cybersecurity framework
  • Application security analysis
  • Understanding of Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) security requirements
  • Understanding security controls for systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, PCI, and HIPAA