DoW Cloud Information Systems Security Officer (ISSO)

Tetrad Digital Integrity LLC, Arlington, VA

About The Position

Tetrad Digital Integrity (TDI) is a 25-year-old cybersecurity firm built for high-consequence environments where mission, complexity, and trust intersect. We are looking for an exceptional DoW Cloud ISSO to support RMF and security execution for a mission-critical, cloud-hosted defense system. This is a high-visibility engagement with frequent change, heavy stakeholder involvement, and a system treated as a high-value target. This is not a template compliance role. We need a mission-focused team player who can execute with urgency, drive progress through ambiguity, and deliver customer excellence under pressure while partnering tightly with the Cybersecurity Program Lead.

Requirements

  • Active Top Secret clearance.
  • Required security certification: CAP, CASP+ CE, CISM, CISSP (or Associate), GSLC, or CCISO (the certifications typical of an IAM Level II / ISSO-type role).
  • Demonstrated experience supporting or leading DoD RMF for modern systems, including authorization package contributions and post-ATO sustainment activities.
  • Strong working knowledge of NIST 800-53 and practical RMF execution (inheritance strategy, evidence planning, assessor/AO engagement support, and risk tradeoffs).
  • Hands-on cloud security experience (AWS/Azure/GCP) including IAM, logging/monitoring, networking, encryption/KMS, and secure architecture patterns; GCP experience preferred.
  • Experience with STIG implementation/validation in production environments.
  • Strong writing and communication skills: able to produce assessor- and customer-ready deliverables with minimal oversight in a high-change environment.
  • Demonstrated adoption of automation (scripts, repeatable workflows, and responsible AI-enabled methods) to reduce manual compliance effort and improve quality.
  • Comfort operating in high-change environments with CCBs, shifting priorities, and competing stakeholder demands.

Nice To Haves

  • Cloud certification (e.g., CCSP or cloud provider security/professional certs such as Google’s Professional Cloud DevOps Engineer, Professional Cloud Security Engineer, or Professional Cloud Network Engineer).

Responsibilities

  • Own the RMF “engine room”: maintain day-to-day RMF execution across all phases (categorization, control selection, implementation, assessment, authorization, and continuous monitoring) for modern cloud-hosted systems.
  • Apply DoD cloud security policies, NIST SP 800-53 controls, CNSS policies, and DoD-specific frameworks such as the Cloud Computing SRG and applicable AI-related guidance.
  • Develop and maintain RMF artifacts including SSPs, SARs, POA&Ms, control implementation details, evidence mappings, and assessor-ready supporting documentation with strict traceability from control → implementation → evidence.
  • Execute POA&M management with discipline: validate substantiation, track owners/dates, drive remediation follow-through, and ensure closure evidence is real and audit-ready (no “paper POA&Ms”).
  • Support security change governance activities (CCB inputs, impact analyses, drift detection) and ensure artifacts/evidence stay aligned to reality after each approved change.
  • Conduct security engineering analysis for cloud-native and containerized workloads hosted in Google Cloud Platform (GCP), including baseline validation for Kubernetes/Docker environments and control-implementation verification.
  • Assist with threat modeling, vulnerability assessments, and risk analysis tailored to cloud environments and (as applicable) AI/ML and LLM components.
  • Partner with system architects, developers, DevSecOps, and platform teams to integrate security throughout the SDLC and translate requirements into actionable implementation steps and measurable evidence outputs.
  • Support SCAs and coordinate with third-party assessors by preparing artifacts, evidence packages, interview prep, and timely responses to RFIs including managing RFI intake, tracking, and closure.
  • Monitor, track, and report security compliance posture through Continuous Monitoring (ConMon) processes and recurring metrics/dashboards including vulnerability and configuration compliance trends, control health, and evidence freshness.
  • Optimize and automate compliance operations: develop repeatable workflows (scripts/automation; responsible AI-enabled methods where appropriate) to reduce manual evidence collection, improve quality, and shorten cycle time.