Information System Security Officer (ISSO)

About The Position

Requirements

• 6+ years of experience and a BS in computer science, IT, or related technical discipline, MS and 4+ years of experience. Four years of additional experience is required in lieu of a Bachelors' degree for a total of 10 years of experience
• 4+ years of experience supporting DoD/IC or government systems
• Hands-on experience executing RMF tasks and maintaining authorization artifacts (SSP, POA&Ms, continuous monitoring evidence)
• Strong working knowledge of NIST SP 800-53 controls and how they map to technical implementations and procedures
• Experience with vulnerability and configuration compliance workflows
• Familiarity with Linux-based enterprise environments and common hardening concepts
• Ability to communicate risk clearly to both technical engineers and non-technical leadership
• Strong documentation discipline
• This position requires an active/current TS/SCI w/ Polygraph.

Nice To Haves

• Experience securing or assessing containerized workflows (e.g., container runtime hardening, image governance, supply chain considerations)
• Experience with eMASS (or comparable GRC tooling), security control inheritance models, and assessor engagement.
• Familiarity with vulnerability tooling and security monitoring concepts
• Active certifications such as: CISSP, CISM, CAP, GSLC, Security+, CCSP, etc.
• Experience with data protection requirements relevant to sensitive environments

Responsibilities

• Act as the ISSO supporting the system security lifecycle across development, operations, and modernization
• Execute and maintain RMF activities (e.g., control implementation oversight, evidence collection, assessment support, POA&M management, continuous monitoring)
• Maintain security authorization artifacts (e.g., SSP, control narratives, diagrams, inheritance/leverage controls, CM plan, incident handling plan, contingency artifacts, user/admin procedures)
• Operate continuous monitoring: vulnerability management, config compliance, patching coordination, scan result triage, risk acceptance, and remediation verification
• Review and approve security-relevant changes through configuration/change control and validate security configurations after major upgrades
• Support incident response and reporting: participate in investigations, coordinate containment actions, preserve evidence, and contribute to post-incident lessons learned
• Ensure least privilege/access governance: account management oversight, privileged access workflows, periodic access reviews, and audit compliance requirements
• Translate security requirements into implementation guidance that engineering teams can operationalize (clear, testable, and automatable where possible)