JAMES L. MCDONALD, CISSP
E-MAIL: JLM@IA-ANALYTICS.COM
Current position President
Current Employer Information Assurance Analytics, Inc.
Education BA in International Studies – Rhodes College, 1979
MLS in Information Security – Eastern Michigan University, 1997
Professional certifications CISSP, 1999
Total years of experience 27
Citizenship United States
Security clearance SECRET, DIS
Summary of skills and qualifications: James L. McDonald is an information security professional with
27 years of professional experience using information and security to achieve organizational goals. A
retired naval intelligence officer, Mr. McDonald possesses a combination of business and technical skills
that enable him to provide security services tailored to support client business goals. Representative
technical skill areas include risk analysis and assessment, certification and accreditation (C&A), security
management design, security training, analysis of complex systems and operations, and security policy
development. He has a similar depth of experience in business-related skills, including staff and financial
management, and project/program execution. Mr. McDonald holds a Master's degree with a concentration
in Information Security, and has earned designation as a Certified Information Systems Security
Information Assurance Analytics, Inc. (September 07 to present)
KPMG LLP (May 00 to January 08)
PricewaterhouseCoopers LLP (January 98 to March 00)
Litton PRC (September 94 to January 98)
U.S. Navy (September 79 to November 94)
Federal government experience
Administrative Office of the United States Courts (AOUSC). Mr. McDonald served as the
engagement manager for a team of EDP auditors examining the security aspects of major financial and
financially relevant applications in support of the financial audit of AOUSC. Working in close
coordination with financial auditors, Mr. McDonald developed application security audit objectives and
programs for his team, and coordinated audit execution at the AOUSC Headquarters and at six federal
courts across the United States. He also collated his team’s findings, developed workpapers, and wrote a
comprehensive report for presentation to the audit partner and client representatives.
Defense Information Systems Agency (DISA). Mr. McDonald made recommendations to DISA JIEO
D6 to improve their competitive position by supporting their new Certification and Accreditation (C&A)
process in the face of vocal opposition from other DoD agencies, many of which were touting their own
C&A directives and processes. Mr. McDonald performed all other tasks associated with winning and
managing this task. Specifically, Mr. McDonald wrote the proposal that won this business, and provided
all other task management services after the award.
Department of Defense (DoD). Mr. McDonald performed a variety of tasks to support the Secretary of
Defense’s Business Management Modernization Program (BMMP). Mr. McDonald:
– Wrote technical White Papers and technology forecasts relating to Single Sign-On (SSO) and data
– Performed an assessment of information posted to the BMMP internal web portal, which provided a
location to store all project related documentation. As the body of information on the portal grew, the
likelihood that potentially classified information could be derived from an aggregation of unclassified
but sensitive information increased. Mr. McDonald reviewed portal information, developed
information valuation and sensitivity criteria, and applied those criteria to detect potentially classified
– Assisted the BMMP Enterprise Architecture (BEA) Requirements Management (BRM) Team in
developing a requirements management method, identifying new security, system, and technical
requirements, and in maintaining the BEA requirements baseline.
– Assisted the Information Assurance Team in developing a method for representing information
assurance and security requirements in the BEA.
– Developed and applied a formal Architecture Verification and Validation (V&V) process; this
process was adopted by the BEA Quality Control (QC) Team as the basis for their Architecture QC
– Assisted with “cleaning up” the BEA requirements baseline files; Mr. McDonald reviewed and
modified over 6000 lines of requirements while simultaneously performing other duties on the
– As a Requirements Team member, led the effort to develop DoD’s first comprehensive enterprise
architecture requirements management methodology guide. Additionally, the government accepted
Mr. McDonald’s revision to the requirements management methodology, giving it the first “Green”
(unconditional acceptance) grade in the Program’s previous ten months.
– Led an effort to address serious flaws in a key Information Assurance (IA) oriented deliverable
document, and deliver the document to government on a severely compressed timescale. Despite
these challenges, the document received high marks from the government’s Independent Validation
and Verification (IV&V) team, and was accepted by the government. In the wake of this effort, Mr.
McDonald was assigned as the contract IA Team leader. In this capacity he assisted the program’s
efforts to properly represent IA controls and attributes in the Architecture products that are to be
delivered to the government.
– Led an effort to develop and deliver an Architecture Development Methodology for the Federated
BEA. Mr. McDonald re-structured this troubled document, developing a new outline, gaining
government’s approval for the new organization, and coordinated the new documents development,
including his drafting of one of the documents key sections.
Mr. McDonald was requested by name to return to the project to support Enterprise Information
Environment Mission Area (EIEMA) Architecture development. He assisted the EIEMA Architecture
Team develop a strategic architecture concept to support the DoD Deputy Chief Information Officer
(CIO), and in support of EIEMA’s Secured Availability (SA) Priority, facilitated the deliberations of the
SA Workshop. In this capacity Mr. McDonald helped to develop an activity model that properly
illustrated the information assurance community’s priorities in support of the CIO’s net-centric goals. In
token of his work, he was requested to remain on the project by the Government client to assist with
development of the EIEMA Architecture’s Enterprise Transition Plan (ETP).
Department of Education (Ed). Mr. McDonald developed an innovative, detailed security plan for Ed’s
cornerstone financial management system, EDCAPS. This plan merges the guidance contained in the
new NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology
Systems, with that of CobiT (Control OBjectives for Information and related Technology). The final 80-
page security plan was accepted without reservation by the new EDCAPS security manager, who has used
the document as a roadmap for reinvigorating the EDCAPS system security program.
Department of Education (Ed). Leading a team of seven technical security engineers and auditors, Mr.
McDonald applied risk assessment methodology to examine risk to Ed’s cornerstone entity-wide financial
management system, EDCAPS. The purpose of this assessment was to assist the EDCAPS program
manager and security manager re-establish a comprehensive risk management program after a 2-year gap
in the security manager’s position. The study revealed serious, but easily fixable, weaknesses in
EDCAPS technical configuration, and demonstrated the need for improvements to EDCAPS security
management processes, reinforcing the utility of the EDCAPS Security Plan developed by Mr. McDonald
in a previous engagement.
Department of Labor (DOL). Mr. McDonald led a team of network penetration testers in a FISCAM-
based technical audit of DOL’s Employee Computer Network (ECN). Managing audit teams in
Washington and Philadelphia, Mr. McDonald and his team uncovered numerous high-impact findings,
and provided cost-effective, business-smart recommendations for mitigating the risk of exposed
Department of Navy (DON) Chief Information Officer (CIO). Mr. McDonald led a small team of
highly experienced managers and subcontractors to perform a study of DON CIO’s Initiatives for Full
Dimensional Protection program, which identified three initiative areas: Critical Infrastructure Protection
(CIP), information assurance (IA), and Privacy. The goal of this study was to examine current practices,
and make recommendations for how FDP oversight and management processes can be strengthened. The
client enthusiastically received Mr. McDonald’s work.
Federal Deposit Insurance Corporation (FDIC). Mr. McDonald participated in a multi-year,
$1.8M task to assist the FDIC Department of Supervision (DOS) transform the process through which
they examine insured financial institutions to ensure that they meet minimum safety and soundness
requirements. Leading a task team of two technical specialists, Mr. McDonald worked with FDIC DOS
managers and field examiners, and FDIC information technology staff to develop the Electronic Banking
Technology Assistance Center (e-TAC), a system that provides FDIC DOS staff the capability to rapidly
receive, assess, route, and answer questions from field examiners as they encounter new or unfamiliar
banking technologies. e-TAC was conceived, designed, and fielded in less than five weeks by leveraging
current FDIC e-mail capabilities.
Federal Election Commission (FEC). Mr. McDonald led an engagement to assist the Federal Election
Commission with developing a comprehensive information technology security policy and standards
architecture. Working closely with a small staff and senior FEC security and program managers, he
designed and developed a complete set of administrative, operational, physical and technical security
policies and standards, as well as an over-arching enterprise-wide policy to address all IT control areas
that are audited under the Federal Information Systems Audit and Control Manual (FISCAM). Applying
an infocentric approach, Mr. McDonald’s policies were designed to provide clear guidance that will not
be made obsolete by on-going technical evolution at FEC. In addition, he helped the client with
determining how to assign responsibility and delegate authority for policy oversight, management,
execution and support in a manner consistent with the existing FEC management structure, minimizing
the need for organizational change.
Federal Emergency Management Agency (FEMA). Mr. McDonald applied an innovative risk
management methodology to provide a high-level risk assessment of FEMA’s complex information
system architecture. This program combined government risk assessment techniques with CobiT control
audit methods. In addition, Mr. McDonald and his team conducted extensive interviews with FEMA
system and business process stakeholders; by incorporating their input into the risk assessment process Mr.
McDonald avoided interest group conflicts and obtained advance buy-in on the assessment result. FEMA
OIG used the output of this analysis to better focus their audit resources on those systems that are most
critical to FEMA operations.
Federal Emergency Management Agency (FEMA). As an outgrowth of the systems risk assessment
project performed for FEMA Mr. McDonald was tasked with providing the FEMA OIG with
recommendations for improving security management. The initial assessment revealed that the security
staff had insufficient authority and independence to properly administer a security program. Mr.
McDonald was able to demonstrate how this lack of authority led to many of the risk factors that were
being uncovered through the risk assessment project. His study moved executive FEMA management to
delegate additional authority to the FEMA information security officer and his staff, and to enhance their
independence by implementing a dotted line organizational relationship to a senior executive outside their
normal management chain.
House of Representatives. Mr. McDonald served as the leader of a team examining the security issues
surrounding the operational deployment of Procurement Desktop (PD), a commercial software package
designed to electronically support the House purchasing process. In addition to performing work on the
task, Mr. McDonald managed the technical staff that examined threats to the PD application
using network penetration testing, a general controls review, and a review of the application itself. Mr.
McDonald’s final deliverable provided recommendations designed to bring PD into compliance with
House policy and industry best practices, advising that these countermeasures be implemented prior to PD
deployment to the House. The House Inspector General accepted these recommendations without
House of Representatives. Under House Inspector General tasking, Mr. McDonald headed a team of
technical security analysts to review the design of the House Clerk’s proposed legislative document
management system (DMS). After reviewing House rules, system requirements, plans and technical
specifications, and interviewing officials from the Office of the Clerk, Mr. McDonald determined that the
design was too immature to permit detailed analysis, and moreover that mechanisms to ensure a secure
implementation were not in place. Based on his recommendation, the House Inspector General moved to
recommend that DMS development be suspended.
Internal Revenue Service (IRS). Mr. McDonald was called in by an outside department to provide
security advisory services in support of a systems integration project at IRS. This system, designed to
support IRS’ agency-wide inventory management, represented a major upgrade and capabilities
expansion of the legacy system. Mr. McDonald identified several significant weaknesses in the system’s
security capabilities, reviewed IRS Security Office-developed security documents, and provided crucial
advice that helped IRS avoid pitfalls in the new system’s FIPS 102-based certification test.
Japanese Maritime Self-Defense Force (JMSDF). Mr. McDonald supported the modification and
delivery of the Japanese OSIS Baseline Upgrade (JOBU) system. First, Mr. McDonald supported the
Program Manager by providing scheduling and coordination services to help ensure that dependencies
between the disparate components of this complex project were understood so potential roadblocks could
be avoided, and the aggressive delivery schedule adhered to. Later, based on his extensive operational
naval intelligence experience, Mr. McDonald provided on-site system and analytical support to JMSDF
watchstanders during the months following system stand-up.
Metropolitan Washington Airports Authority (MWAA). Mr. McDonald assisted with performing a
security assessment of MWAA’s Badging and Access Control System (BACS). Mr. McDonald’s role
was to assess physical and procedural controls over access to MWAA airport security badges, including
the methods and controls over confirmation of sponsorship, background investigations, authorization,
issuance, audit, loss, replacement, return, and deactivation or destruction. Mr. McDonald participated in
developing the final report, and assisted with briefing findings and conclusions to senior MWAA
management and stakeholders.
National Aeronautics and Space Administration (NASA) Office of the Inspector General (OIG).
Mr. McDonald led a team of risk analysts and network penetration testers to perform work for the NASA
OIG. The principal thrust of this engagement was to perform a risk assessment and develop security
plans to prepare the NASA OIG GSS for certification and accreditation (C&A) under NIST standards
(including Federal Information Processing Standards (FIPS) 199 and 200, and NIST Special Publications
800-30, 800-53, 800-52a, and 800-60). Mr. McDonald’s team:
– Identified and documented the OIG’s General Support System (GSS),
– Determined the Security Category of the information processed, stored and transmitted by the GSS,
– Developed a controls test guide using the latest NIST risk assessment and controls testing guidance,
– Performed controls tests and assessed risk at NASA’s Washington DC Headquarters facilities and at
selected OIG field offices across the continental U.S.,
– Developed a NIST-compliant Security Plan for the GSS, and
– Developed a comprehensive Plan of Actions and Milestones (POA&M) for mitigating identified
weaknesses to drive residual GSS risk to LOW.
National Credit Union Administration (NCUA). Mr. McDonald led a small team to support the
NCUA CIO’s certification and accreditation (C&A) of the NCUA General Support System (GSS) using
National Institute for Standards and Technology (NIST) C&A and controls guidance (including Federal
Information Processing Standards (FIPS) 199 and 200, and NIST Special Publications 800-37, 800-53,
800-52a, and 800-60). Mr. McDonald’s team:
– Documented the NCUA General Support System (GSS),
– Determined the Security Category of the information processed, stored and transmitted by the GSS,
– Developed a controls test guide using the latest NIST C&A and controls testing guidance,
– Performed network penetration tests and certification controls tests at NCUA’s Alexandria, VA
– Developed and presented the final accreditation package to the NCUA GSS Designated Approval
Mr. McDonald subsequently returned to perform a second C&A engagement at NCUA, which was
awarded as a sole-sourced procurement.
Office of Student Finance Assistance (SFA). Mr. McDonald’s information security audit team
examined nine major applications at SFA to measure their compliance with the requirements of Appendices I
and III to OMB Circular A-130. Mr. McDonald was able to overcome client concerns caused by the
departure of the original task manager early on in the task, and successfully brought the task budget back
under control. He went on to provide the SFA Champion for Information Privacy and Security an
innovative deliverable - a compact disk containing an electronic document with embedded hotlinks that
allowed the reader to quickly and easily navigate the large, complex report. Additional links provided
one-click access to the federal laws and regulations that were used as references in the report.
Pension Benefits Guaranty Corporation (PBGC). Within a team of technical security analysts Mr.
McDonald compared PBGC security policies, standards, and procedures against federal guidance and
industry best practices. Working in concert with other sub-task leaders, Mr. McDonald demonstrated to
PBGC management how structural and implementation weaknesses in their security policy architecture
resulted in many of the system flaws discovered by the technical assessment team. By illustrating the
linkage between security policy and technical security, Mr. McDonald helped PBGC to improve and
better manage their information assurance program.
Social Security Administration (SSA). The segregation of duties issue had been a contentious and
seemingly unsolvable problem at SSA for many years, including the first year of the incumbent auditor’s
FAM and FISCAM-based audit. Through use of his innovative approach and broadly-based
understanding of operational and risk management processes, Mr. McDonald led a five-person team to
successfully “turn the corner” on this issue, identifying and describing a path to resolution that had eluded
all who had come before. Mr. McDonald’s team mapped SSA operational processes, identified
vulnerabilities, and methodically examined threats. Tools/techniques used included interviews with
various communities of interest within SSA Headquarters and field activities, analysis of systems access
and privileges, assessment of the process through which privileges were assigned, data gathering from
fraud investigators, and use of computer aided audit tools (CAAT).
Social Security Administration (SSA). While examining segregation of duties as part of SSA’s annual
financial audit, Mr. McDonald recognized many of the client’s security problems were the result of
ineffective security management processes. In response, he developed and presented a comprehensive
analysis of SSA’s security management process, with recommendations for improvement. This in-depth
analytical White Paper identified existing, underutilized and missing risk mitigation controls, and
provided a comprehensive approach for improving SSA's risk management program.
Social Security Administration (SSA). Based on his previous experience with SSA, Mr. McDonald was
chosen to participate in a task to analyze and critique SSA’s approach to satisfying requirements under the
Government Information Security Reform Act (GISRA). The final report from this effort was presented
to senior SSA management; all substantial conclusions were accepted. When the team was selected to
repeat this work the following year, Mr. McDonald performed as the engagement manager for this work,
the results of which were enthusiastically accepted by the SSA client.
Space and Naval Warfare Systems Command (SPAWAR). Due to his familiarity with Naval and
Defense Department communications, Mr. McDonald was selected to manage development of an in-depth
cost and technical study of issues surrounding the transition of the U.S. Navy from traditional streamed
ASCII messaging to the DMS packet-switched paradigm. The purpose of the study was to examine
potential cost and technical pitfalls. When completed, the study revealed several “show-stopper” issues
and numerous other problems that would have an immediate operational impact for the Navy; the
deliverable was distributed to and validated by the SPAWAR client. SPAWAR immediately brought
these issues to the attention of the Navy DMS PMO for priority action and resolution.
U.S. Coast Guard (Coast Guard). Mr. McDonald served as the engagement manager for a long-term
engagement to support and improve the U.S. Coast Guard Information System Security Program (ISSP).
Mr. McDonald led a multi-disciplinary team of information security specialists to:
– Analyze weaknesses and opportunities for the ISSP,
– Define an ISSP improvement plan of action and milestones (POA&M),
– Develop a Coast Guard-wide Public Key Infrastructure (PKI) Implementation Plan,
– Overhaul the Coast Guard information systems security policy and standards architecture by
designing new NIST and COBIT-compliant security policies and standards, and designing a Coast
Guard-wide security management structure,
– Design a risk assessment methodology, and
– Develop a formal Coast Guard information security model.
U.S. Navy, Commissioned Officer, 1979 - 1994. Mr. McDonald served as a commissioned Naval
Intelligence officer for 15 years. His duties during that time included:
– Support to Naval Aviation power projection and strike warfare operations,
– Intelligence training to Fleet consumers,
– Strategic and theater Operational Intelligence (OPINTEL) support to audiences ranging from National
Command Authority down through individual ashore and deployed flag officer and commands, and
– Certification and accreditation (C&A) testing in the program management office of a complex,
multilevel secure (MLS) U.S. Navy intelligence information system.
U.S. Postal Service (USPS). Mr. McDonald worked with system developers at the Postal Headquarters
to define and publish the technical security requirements for the Information Based Indicia Program
(IBIP). This required him to apply his knowledge of cryptography with particular emphasis on the X.509
certificate standard associated with public-key infrastructure (PKI). IBIP planned to use the X.509
standard, but with modifications that would have an impact on design and development, as well as on
potential user acceptance. Further, the requirements had to be written with particular care not to provide
an unfair competitive advantage to any of the many vendors planning to participate in this market.
Finally, the requirements had to take into account Postal’s proposed IBIP business model, which included
a number of concepts that had security implications, e.g. electronic lock boxes, download of electronic
postage over wide area networks, etc.
Veteran’s Administration (VA). Mr. McDonald developed security requirements for a planned 20,000-
user single sign-on solution for HRLINK$, the VA’s entity-wide human resource system. In developing
these requirements, he examined current VA guidance regarding information security, pertinent Federal
laws and regulations, and industry standards and best practices. In addition to VA standards, Mr.
McDonald also examined Federal laws and regulations that may potentially bear on HRLINK$ security
requirements. Finally, Mr. McDonald considered other industry best practices for controlling IT
environments, primarily the Control Objectives for Information and Related Technology (CobiT), 2nd
Veteran’s Administration (VA). Expanding on an original task to develop security requirements for a
single sign-on solution for VA’s HRLINK$ system, Mr. McDonald was asked to perform a cost benefit
analysis on the controls that had been recommended in order to provide justification to the VA budget
process for getting additional funds. Mr. McDonald was also tasked with assisting the VA HRLINK$
manager with drafting a reply to GAO relating to their security-related critique of HRLINK$.
Private sector experience
Avendra. In support of the financial statement audit of Avendra LLC, Mr. McDonald provided
management oversight of an application control review of Avendra’s revenue recognition system,
Purchasing Usage Reporting System (PURS), which included a review of the overall information
technology (IT) control environment in which PURS operates.
Bon Secours Health Systems. Mr. McDonald led a team of three technical analysts to assess compliance
with draft government security standards related to Health Insurance Portability and Accountability Act
of 1996 (HIPAA). This review included an assessment of the client’s controls over dial-in access to
sensitive health care information servers, UNIX and VMS-based server security configurations, and
security policies, standards and procedures in federally-defined administrative, physical, and technical
security domains. The client subsequently asked for this process to be repeated at their remaining 17
CACI. Mr. McDonald was sought out to review over 200 pages of information and systems security
policies, standards, procedures and guidelines for this large systems integration and consulting company.
The purpose of this review was to assess the appropriateness and adequacy of CACI’s current information
security guidance. Mr. McDonald examined policy architecture, internal organization, and conformance
with generally accepted best practice; his analysis exposed numerous opportunities for improvement in all
areas; his conclusions and recommendations were accepted unconditionally by the client.
Carnival Cruise Line. Mr. McDonald led a team of four in a security assessment of Carnival Cruise
Line’s technical architecture and security management structure. Despite cost and organizational impact,
Carnival management accepted all conclusions relating to authority redistribution and security staff and
Centura Bank. As part of its ongoing financial audit, Centura Bank asked Mr. McDonald to conduct a
physical security review of seven separate facilities in and around its Rocky Mount, NC headquarters.
Applying his own physical audit work plan, Mr. McDonald examined many areas of concern that are not
addressed by Federal requirements for bank security and standard audit methodology, including network
physical security, perimeter and portal security, employee crime safety, guard and alarm operations,
environmental controls, and fire/disaster safety. The resulting audit report revealed several serious
weaknesses in Centura’s physical security posture, and provided specific, cost-effective recommendations
Centura Bank. Centura Bank, a major regional financial institution, asked Mr. McDonald to return
following his physical security audit review to provide advice on improving their security management
structure. Using his innovative equity interest-based model, Mr. McDonald trained
PricewaterhouseCoopers audit staff in how to use the model to tailor a solution for the client. This
included showing them how to assess the effectiveness of Centura’s current structure, and how to take
into account Centura’s unique corporate culture and security requirements to arrive at a viable path
Discovery Channel. Dial-in and internal physical security review uncovered several exposures that the
client moved rapidly to correct. Discovery later asked Mr. McDonald to return to advise executive
management on designing a security management structure to integrate security as a balanced factor in
the business process.
Discovery Channel. Following his physical and dial-in vulnerability study, Discovery management asked
Mr. McDonald to return to provide advice on improving Discovery’s security management. This
included providing advice on proper distribution of authority, as well as functional role and skill set
descriptions for key security personnel.
Georgetown University Hospital. Mr. McDonald was sought out to assist in this client’s annual audit.
Specific issues to address at an executive level included expected requirements for increased patient data
security, network security, and information and system security policy. His work uncovered several
regulatory shortfalls relating to patient data security that significantly increased the client’s liability
footprint. Mr. McDonald’s conclusions and recommendations were accepted unconditionally by the
company partner, and were presented to the client in the audit management letter.
Independent System Operator (ISO) New England. Mr. McDonald was sought out to review over 500
pages of security policies and procedures for this large northeastern U.S. power company. Mr.
McDonald’s insightful analysis exposed numerous weaknesses and inconsistencies in the client’s security
policy architecture; the discussion generated from his review led to further opportunities to expand
business with this client.
Noblis (Formerly Mitretek Technology System (MTS)). Mr. McDonald was asked to bring to bear his
certification and accreditation (C&A) experience to help re-direct a troubled C&A engagement. Within
two weeks, he was able to re-cast and re-direct several key NIST-based C&A deliverables, bring
coherence to the team’s processes, and credibly represent the team’s conclusions to the client. Noblis
subsequently asked the team to return to perform an interim re-assessment of Noblis’ progress on their
Plan of Action and Milestones (POA&M).
Noblis. Mr. McDonald was asked by the client to return as a member of the C&A team to perform an
interim assessment of Noblis’ progress towards implementation of their POA&M, and was subsequently
separated from the C&A team so that he could assist Noblis with addressing weaknesses in their IA
policy architecture, one of the key weaknesses identified in their POA&M. In this capacity he drafted a
complete set of NIST-compliant information assurance policies, closely coordinating with Noblis’
Director for Corporate Information Management to ensure that draft policies were tailored to conform
with and support Noblis’ unique operational and management paradigm.
Oracle Corporation (Oracle). Mr. McDonald served as the principal Certification and Accreditation
(C&A) technical advisor to a Denver-based engagement team that supported the C&A of Oracle’s On-
Demand™ Federal Services Zone (FSZ). Mr. McDonald performed a number of C&A related services
on this long-term engagement; Mr. McDonald:
– Developed discrete training programs for Oracle executives, middle managers and datacenter operator
audiences to familiarize each audience with the fundamentals of C&A processes and controls under
both Department of Defense (DoD) and Federal civil guidance.
– Performed a detailed gap analysis of Oracle’s current security policy architecture, comparing and
contrasting current Oracle guidance with DoD and National Institute for Standards and Technology
(NIST) controls guidance, including (but not limited to) DoD Instruction (DoDI) 8500.2, DoD
5200.1-R, NIST Special Publications (SP) 800-16, 800-36, 800-53, 800-60, 800-88.
– Developed an innovative approach to FSZ certification that combines DoD’s Interim Defense
Information Assurance Certification and Accreditation Process (DIACAP) Guidance with the C&A
process described in NIST SP 800-37. This work includes a controls assessment program that merges
DoD controls guidance for Mission Assurance Category (MAC) II/Sensitive with NIST controls
guidance for MODERATE impact information.
– Developed and delivered Federal C&A training to Oracle managers and executives to explain factors
in the Federal environment that govern and drive Federal agencies’ behaviors, explaining how C&A
is viewed as a key enabling process applicable across a wide range of high-profile Federal civil and
DoD initiatives. Feedback from training was highly favorable.
Pentagon Federal Credit Union (PFCU). As a member of a security team retained by PFCU to perform
a security evaluation of their wholly-owned subsidiary, Financial Technologies Incorporated (FTI), Mr.
McDonald reviewed security policies, plans, and procedures, and conducted a high-level assessment of
PFCU’s and FTI’s operational, administrative, and physical security posture. Following data collection
and reduction, Mr. McDonald wrote a detailed analytic report identifying vulnerabilities and threats,
evaluating risk, and identifying resource allocation and risk mitigation measures.
Perdue Farms. Mr. McDonald designed a corporate-wide security training program for Perdue Farms, a
$6B food manufacturing and processing company. Training modules were developed to address a wide
range of technical, physical, administrative and operational security subjects. All courses were tailored to
the client’s unique business and management requirements, and were produced in three versions: one
each for Executive managers, line managers and privileged users, and end-users.
Systems Planning and Analysis, Inc (SPA). Mr. McDonald was asked to gain a rapid understanding of
systems security in support of SPA’s financial audit. Working within an extremely tight time budget, Mr.
McDonald provided a concise, on-point report describing SPA’s platform and network environments,
internal and external access controls, account and systems administration, estimates on IT reliability,
future plans and estimates, the company’s dependence on external computing, and personnel security
The Rouse Company. Mr. McDonald was sought out to develop a comprehensive security policy
architecture for this large commercial property management company. Working closely with the client
Mr. McDonald developed administrative, operational, physical and technical security policies, as well as
an over-arching enterprise-wide policy. Applying an infocentric approach, Mr. McDonald’s policies were
designed to provide clear guidance that will not be made obsolete by on-going technical evolution at
Rouse. In addition, his insightful delegation of responsibility distributed authority for oversight,
management, execution and support in a manner consistent with the existing Rouse management
structure, minimizing the need for organizational change.
Professional accomplishments, affiliations, and other
Affiliated with the International Information Systems Security Certification Consortium (ISC2).
Various military awards, 1979 – 1994
PRC Star Award, Litton PRC, 1998
Encore /Standing Ovation award, KPMG LLP, 2005
Encore/Applause award, KPMG LLP, 2005
Certificate of Achievement, KPMG LLP, 2006
Letter of Appreciation, Deputy Department of Defense Chief Information Officer, 2007