Information System Security Officer

Information System Security Officer

MILITARY FRIENDLY & PREFERRED - HOH SPONSOR

The Information Systems Security Officer (ISSO) is responsible for supporting the full lifecycle of security assessment and authorization (A&A) activities for information systems. The ISSO ensures that assigned systems comply with federal cybersecurity standards and maintain their Authority to Operate (ATO) through continuous monitoring and documentation.

The ISSO will be responsible for developing and providing risk assessments, Security Control Assessments (SCA), A&A documentation and various reports, based on NIST guidelines and client's policies, procedures and request. The ISSO will be responsible for providing security recommendations on any system changes or new technologies, analysis on vulnerability scans, conducting continuous monitoring activities, and provide mitigation recommendations for any risks or threats.

RESPONSIBILITIES:

• Lead and conduct Pre-Security Assessment and Authorization (A&A) activities, including stakeholder identification, change request submissions, appointment memorandums, and IT Security Kickoff meetings.


• Supports the ISBO in day-to-day IT security activities.


• Assists the ISBO with reviews of the security posture of the system and report any findings to the ISBO, CISO, and the AO.


• Conduct Information System Categorization by identifying information types, completing FIPS-199 assessments, and facilitating Business Impact Analyses (BIA), Privacy Threshold Analyses (PTA), and Privacy Impact Assessments (PIA).


• Develop and maintain system security documentation, including:
  
  
  
  • System Administration Plan (SAM)
  
  
  • Configuration Management Plan (CMP)
  
  
  • IT Contingency Plan (ITCP)
  
  
  • Information Security Continuous Monitoring (ISCM) Plan
  
  
  • Incident Response Plan (IRP)
  
  
  • Security Assessment Report (SAR)
  
  
  • System Security Plan (SSP)
  
  
  
  


• Coordinate initial and annual ITCP testing in collaboration with the OCIO Business Continuity and Disaster Recovery (BCDR) Office.


• Develop and manage inter-agency agreements and documentation such as MOUs, MOAs, ISAs, IT Security Waivers, and Risk Acceptance Memorandums.


• Document and maintain Security Control Implementation details, ensuring updates are made according to required frequency.


• Coordinate vulnerability and compliance scans, Security Control Assessments (SCA), and track remediation efforts with the IT Security Test Team.


• Manage and update Plan of Action and Milestones (POA&M) entries, submitting remediated findings for closure.


• Prepare and present SAR to Authorizing Officials to obtain or renew ATO.


• Perform Information Security Continuous Monitoring (ISCM) activities to ensure ongoing compliance and security posture of systems.


• Develop and update project schedule, including A&A / SCA task and milestones, task dependencies, and personnel resources.


• Conduct A&A activities and tasks and obtain ATO in line with NIST and client guidance and directives.


• Determining the baseline IT Security requirements for IT Systems, identifying system boundaries, determining information categories, assisting with FIPS-199.


• Ensure that IT Systems are operated, used, maintained, and disposed of in accordance with internal security policies and practices.


• Enforce security policies and safeguards on all personnel having access to the IT System for which the ISSO has responsibility.


• Ensure users and system support personnel have the required authorization and need-to-know; have been indoctrinated; and are familiar with internal security practices before access to the IT System.


• Implement security controls based on IT System FIPS categorization.


• Document security control implementation in the system's Security Plan using the client's GRC tool.


• Document system's risk assessment per client directives and requirements.


• Review and monitoring system security and audit logs.


• Develop and maintain Plan of Actions and Milestones (POA&Ms) for IT systems.


• Update A&A documentation and artifacts on a regular basis (e.g. annually, after approved change).

QUALIFICATIONS:

• A minimum of five (5) years of demonstrated experience in the Information Security or IT field.


• Demonstrates a proficiency with developing, maintaining and managing SA&A packages.


• Experience with developing and managing POA&M's.


• Strong problem solving and analysis skills, self-motivated, and able to work and communicate in a team environment.


• Strong understanding of federal cybersecurity frameworks (e.g., NIST RMF, FIPS-199, FISMA).


• Experience in developing and maintaining security documentation and plans.


• Possess experience conducting CPT's.


• Experience conducting audit log reviews.


• Technical experience with conducting vulnerability management, compliance scanning, and providing mitigation techniques.


• Excellent communication and coordination skills with technical and non-technical stakeholders.


• Ability to manage multiple systems and projects simultaneously in a dynamic environment.


• Excellent communication (written and verbal) skills.

CERTIFICATION:

• A minimum of at least one (1) certification that meet DOD 8570 IAT Level II (e.g., Security+, GSEC, CASP) requirements or any equivalent or more advanced.

CLEARANCE:

• Client Suitability and Public Trust

LOCATION and HOURS:

• Location: Primary location is at Zermount HQ (Arlington, VA) and the Client Site (Washington, D.C.). Remote work is authorized.
  
  
  
  • Onsite work at the primary location., may be occasionally required.
  
  
  
  


• Hours of Operation (Business Hours): 8:00 am ET - 5:30 pm ET