Information System Security Officer - (ISSO)
Envisioneering, Inc. is seeking an Information Systems Security Officer (ISSO) to support an active government contract. This position will be responsible for the following:
- Lead the RMF process for assigned programs, organizations, systems, or enclaves.
- Maintain and report system’s A&A status and events.
- Manage the SP for assigned systems throughout their lifecycle.
- Perform annual security reviews, annual testing of security controls, and annual testing of the contingency plan, in line with FISMA requirements.
- Manage POA&M entries and ensuring vulnerabilities are properly tracked, mitigated, and resolved.
- Assist with identification of the security control baseline set and any applicable overlays.
- Supervise the validation of security controls with the PM/ISO, SCA Liaison, PSO, and AO CSA.
- Assemble the Security Authorization Package and submit for adjudication.
- Register and maintain the system in eMASS.
- Assess the quality of security control implementation against all requirements in accordance with the approved SLCM strategy.
- Plan and perform cybersecurity testing to assess security controls and recording security control compliance status during sustainment.
- Report changes in the security posture of systems to the AO.
- Utilize the Collaboration Board in eMASS workflow for all formal coordination during the RMF process. Detailed findings will be posted in the Artifacts tab (if necessary).
- Assist the ISSMs in executing their duties and responsibilities.
- Ensure compliance with all USN, DON, and DoD cybersecurity policies.
- Ensure all users possess the requisite security clearances and awareness of their responsibilities for systems under their purview prior to being granted access.
- Ensure an incident response, business continuity, disaster recovery, as well as vulnerability and threat reporting plans and channels are in place and that team members are trained accordingly.
- Ensure relevant policy and procedural documentation is current and accessible to properly authorized individuals.
Assist the ISSE with the following responsibilities:
- Oversee the development and maintenance of a system’s cybersecurity solutions.
- Identify AO and SCA cognizance (i.e. FAO or NAO, and FSCA or SCA) of the system as well as any specific authorization requirements such as reciprocity, cross domain, and applicable overlays to support System Categorization.
- Identify mission criticality.
- Identify and tailor the security control baseline with applicable overlays.
- Assist with development, maintenance, and tracking of the SP.
- Lead the security control implementation and testing efforts.
- Perform vulnerability-level risk assessment on the POA&M/RISK Assessment Worksheet.
- Assist with any security testing required as part of A&A or annual reviews.
- Assist in the mitigation and closure of open vulnerabilities under the system’s change control process.
- Oversee cybersecurity testing to assess security controls and recording security control compliance status during the continuous monitoring phase of the lifecycle.
- Make data entries into the eMASS record and POA&M consistent with implementation results.
Assist the ISSM with the following responsibilities:
- Support necessary compliance activities (e.g., ensure system security configuration guidelines are followed, compliance monitoring occurs).
- Continuously validate the organization against policies/guidelines/procedures/regulations/laws to ensure compliance.
- Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk.
- Advise senior management (e.g., CIO) on risk levels and security posture.
- Advise appropriate senior leadership or Authorizing Official of changes affecting the organization’s cybersecurity posture.
- Collect and maintain data needed to meet system cybersecurity reporting.
- Communicate the value of information technology (IT) security throughout all levels of the organization stakeholders.
- Ensure security improvement actions are evaluated, validated, and implemented as required.
- Ensure that cybersecurity inspections, tests, and reviews are coordinated for the network environment.
- Ensure that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s).
- Evaluate and approve development efforts to ensure that baseline security safeguards are appropriately installed.
- Identify alternative information security strategies to address organizational security objectives.
- Identify information technology (IT) security program implications of new technologies or technology upgrades.
- Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the enterprise’s cybersecurity program.
- Manage the monitoring of information security data sources to maintain organizational situational awareness.
- Oversee the information security training and awareness program.
- Participate in an information security risk assessment during the Security Assessment and Authorization process.
- Participate in the development or modification of the computer environment cybersecurity program plans and requirements.
- Prepare, distribute, and maintain plans, instructions, guidance, and standard operating procedures concerning the security of network system(s) operations.
- Provide system related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents.
- Recognize a possible security violation and take appropriate action to report the incident, as required.
- Recommend resource allocations required to securely operate and maintain an organization’s cybersecurity requirements.
- Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered.
- Track audit findings and recommendations to ensure appropriate mitigation actions are taken.
- Promote awareness of security issues among management and ensure sound security principles are reflected in the organization’s vision and goals.
- Oversee policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies.
- Identify security requirements specific to an information technology (IT) system in all phases of the System Life Cycle.
- Ensure plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
- Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization’s mission and goals.
- Participate in the acquisition process as necessary, following appropriate supply chain risk management practices.
- Ensure all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
- Forecast ongoing service demands and ensure security assumptions are reviewed as necessary.
- Define and/or implement policies and procedures to ensure protection of critical infrastructure as appropriate.
- Acquire necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program.
- Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, and systems, and elements.
- Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.
- Ensure that protection and detection capabilities are acquired or developed using the IS security engineering approach and are consistent with organization-level cybersecurity architecture.
- Establish overall enterprise information security architecture (EISA) with the organization’s overall security strategy.
- Evaluate cost benefit, economic, and risk analysis in decision making process.
- Interface with external organizations (e.g., public affairs, law enforcement, Command or Component Inspector General) to ensure appropriate and accurate dissemination of incident and other Computer Network Defense information.
- Interpret and/or approve security requirements relative to the capabilities of new information technologies.
- Lead and align information technology (IT) security priorities with the security strategy.
- Lead and oversee information security budget, staffing, and contracting.
- Manage the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency.
- Manage threat or target analysis of cyber defense information and production of threat information within the enterprise.
- Monitor and evaluate the effectiveness of the enterprise’s cybersecurity safeguards to ensure they provide the intended level of protection.
- Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans.
- Provide leadership and direction to information technology (IT) personnel by ensuring that cybersecurity awareness, basics, literacy, and training are provided to operations personnel commensurate with their responsibilities.
- Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters.
- Recommend policy and coordinate review and approval.
- Use federal and organization-specific published documents to manage operations of their computing environment system(s).
- Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
- Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.
MINIMUM SKILLS / QUALIFICATIONS:
- Must have and maintain a DoD Top Secret Clearance.
- 15+ years of technical and managerial experience in system administration and information security/cybersecurity.
- CISSP, CISM, or other DOD 8570.01-M IAM Level 3 certification.
- Bachelor’s degree with a concentration in a related discipline (e.g., information security, cybersecurity, information technology).
- Self-motivated and the ability to multi-task and balance multiple goals and priorities.
- Must be familiar with DOD Risk Management Framework (RMF) policies, standards, procedures and have relevant experience with associated tools (e.g., eMASS, XACTA 360, Assured Compliance Assessment Solution (ACAS), Anchore, DISA Security Technical Implementation Guides (STIGs), SCAP Compliance Checker (SCC), STIG Viewer, eMASSter, Eval STIG).
EDUCATION:
- Bachelor’s degree with a concentration in a related discipline (e.g., information security, cybersecurity, information technology).
- CISSP, CISM, or other DOD 8570.01-M IAM Level 3 certification.
SALARY RANGE: $150,000.00 - $180,000.00
BENEFITS: Envisioneering, Inc. offers a stable work environment, a competitive salary, and a comprehensive benefits package including 401k, Medical/Dental/Vision, FSA, Short Term, Long Term, AD&D and Life insurance, (employer paid), voluntary life, Tuition Reimbursement, Paid Leave, Holidays and much more.
As a condition of employment: You must pass a drug and pre-employment drug screening. U.S. Citizenship Required. Candidate must follow all company and non-DOT Drug and Alcohol Testing. A Department of Defense (DoD) Top Secret security clearance is required at time of hire. Applicants selected will be subject to a U.S. Government security investigation and must meet eligibility requirements for access to classified information. Due to the nature of work performed within our facilities, U.S. citizenship is required. Please confirm in your cover letter or resume.
#J-18808-Ljbffr