Cybersecurity / ISSO SME (Remote)

Ibis Public Sector, Alexandria, VA
Remote

About The Position

Ibis Public Sector is seeking an Information Systems Security Officer (ISSO) to lead information security operations for a mission-critical DoD enterprise environment. This Cybersecurity Subject Matter Expert role is a key personnel position responsible for implementing the Risk Management Framework, ensuring continuous cybersecurity compliance, and managing the Authorization to Operate (ATO) lifecycle across cloud, SaaS, and PaaS assets.

Requirements

  • Active DoD 8570 IAM Level II or III certification required; acceptable certifications include CISSP, CAP, CISM, GSLC, or CCISO.
  • DoD 8570 IAT Level II baseline certification (e.g., Security+ CE, CCNA Security, CySA+) required.
  • 5+ years of experience in DoD cybersecurity, with demonstrated expertise implementing the Risk Management Framework (RMF) and managing ATOs in eMASS.
  • Deep knowledge of NIST SP 800-53/800-37, DISA STIGs, FISMA, DoDI 8510.01, and JFHQ-DODIN vulnerability remediation timelines.
  • Hands-on experience with cybersecurity tools including ACAS (Nessus), Fortify SCC, OpenSCAP, Splunk, SAST/DAST scanning tools, and Cloud Guard.
  • Experience operating in OCI, AWS, or equivalent cloud environments within a DoD authorization boundary.
  • Ability to work within a multi-organization access architecture (e.g., DMDC, DISA JSP, CSP) and coordinate cross-boundary incident response and compliance activities.
  • Strong written and verbal communication skills; ability to brief senior Government stakeholders and produce high-quality compliance documentation.
  • Must be able to obtain and maintain a Public Trust clearance.

Responsibilities

  • Serve as the Information System Security Officer (ISSO) for a DoD enterprise infrastructure operating on Oracle Cloud Infrastructure (OCI), ensuring systems maintain valid ATOs and ATCs.
  • Lead and execute all RMF lifecycle activities, including SSP development and maintenance, Security Assessment Reports (SARs), Plan of Action and Milestones (POA&Ms), and control assessments within eMASS.
  • Conduct continuous monitoring of cybersecurity controls aligned with NIST SP 800-53, DISA STIGs, FISMA, and DoDI 8510.01, maintaining systems in a constant state of compliance.
  • Oversee weekly STIG and vulnerability reporting, IAVM compliance coordination, and vulnerability remediation prioritization in adherence to JFHQ-DODIN timelines (Critical ≤7 days, High ≤21 days).
  • Manage and update POA&Ms within 10 business days of changes; submit monthly POA&M reports to stakeholders and integrate remediation tasks into Agile development workflows.
  • Direct and mentor the Junior Cybersecurity Analyst, delegating and reviewing vulnerability reporting, compliance documentation, and audit support activities.
  • Coordinate directly with the DMDC Authorizing Official (AO), ISSM, NIWC, and CSSP providers to support audits, CORA assessments, DoD IG reviews, and penetration testing activities.
  • Develop and maintain Privacy Impact Assessments (PIAs) and System of Record Notices (SORNs) in accordance with DoD privacy requirements.
  • Integrate cybersecurity scanning tools (ACAS/Nessus, Fortify SCC, OpenSCAP, Fortify, SonarQube) into CI/CD pipelines, enforcing shift-left security practices within the DevSecOps framework.
  • Maintain eMASS documentation including control implementation evidence, STIG checklists, and scan results mapped to applicable security controls.

Benefits

  • flexible time off for vacation and personal time
  • medical
  • dental
  • vision
  • life insurance
  • group voluntary benefits
  • individual voluntary benefits
  • short-term disability
  • flexible spending accounts
  • parental leave benefits
  • Short-Term and Long-Term Disability at no cost
  • company-covered Life Insurance
  • access to group legal services
  • identity theft protection through LifeKeys services
  • 401(k) plan with company contribution and matching