What are the responsibilities and job description for the Information System Security Officer (ISSO) position at Digital Global Connectors?
Job Title: Information System Security Officer (ISSO)
Job Duration: Full-Time
Location: Washington, DC (on-site)
Citizenship Required: US Citizenship
Clearance: Public Trust required (Confidential or higher preferred)
Responsibilities:
· Monitor security controls: Continuously monitor security controls, using NIST 800-137 as a guide, and test a portion of the applicable security controls annually. Periodic vulnerability scanning and security impact analysis of changes are also required.
· Information System and Environment Changes: Determine and document the security impact of proposed or actual changes to the information system and its environment of operation.
· Ongoing Security Control Assessment: Assess a selected subset of security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy.
· Ongoing remediation actions: Conduct selected remediation actions based on the results of ongoing monitoring activities.
· Create deliverables and documentation as necessary, including but not limited to, Impact Assessment Reports, Residual Risk Statements, Risk Acceptance Recommendation Reports, and Security Status Reporting.
· Validate security controls and documents in the Risk Management Framework (RMF) XACTA package, to include: the SSP, SAR, PIA, Categorization Form, Implementation Plan, Network Topology, HW/SW Listing, and Plan of Actions and Milestones (POA&Ms).
· Direct Accreditation and Recertification activities for multiple networks with XACTA ATO records and assist Service Owners with managing the schedule to completion (ATO).
· Maintain up-to-date statuses on all assigned systems and communicate status to the government leads.
· Maintain complete records of communications, submit written status reports as required, perform peer-review as directed, and attend weekly meetings.
· Correspond with the government customer and system administrators to communicate any unacceptable risks identified and correct deficient RMF POA&Ms to meet standards.
· Coordinate with the Security Control Assessor (SCA) to perform analysis of the overall risk level the system poses to enterprise networks and data.
· Create and maintain cybersecurity policies and standards.
· Ensure that cybersecurity plans, controls, processes, standards, policies, and procedures are aligned with cybersecurity standards.
· Conduct and maintain vulnerability scanning on networks, systems, and applications utilizing ACAS.
· Produce actionable, risk-based reports on security assessment results.
· Manage, train, and mentor more junior team members.
· Assist with vulnerability remediation when necessary.
· Develop and maintain security plans and security testing plans.
· Be responsible and accountable for all task and reporting deadlines.
· Continuously improve risk models, metrics, reports, processes, and activities.
· Manage the security of information systems assets and the protection of systems from intentional or inadvertent access or destruction.
· Interface with the client to understand their security needs and oversee the development and implementation of procedures to accommodate them.
· Ensure that the user community understands and adheres to necessary procedures to maintain security.
· Maintain current knowledge of relevant technology as assigned.
· Provide guidance in the creation and maintenance of Standard Operating Procedures and other similar documentation.
Qualifications:
· Bachelor’s degree in Computer Science, Information Security, Cybersecurity, or a related technical discipline, or equivalent combination of education, technical training, or work experience.
· A combination of CompTIA Security and at least one of the following additional certifications: CISSP, CISM, CAP, CISA, or CCSP.
· Minimum 5 years of experience in information security, including roles such as Security Analyst, IT Administrator, or similar.
· Strong background in security frameworks and standards such as NIST, FISMA, and ISO 27001.