Information System Security Officer (ISSO)

ECS Tech Inc, Fairfax, VA
Hybrid

About The Position

ECS is seeking an Information System Security Officer (ISSO) to work in a hybrid remote/onsite capacity, with a minimum of 3 business days onsite at our Fairfax, VA corporate office and/or our Springfield, VA customer site. ECS is seeking an experienced and highly motivated ISSO to support a team responsible for ensuring cybersecurity for AI/ML products within the DoD community.

This is a demanding, high-energy position that requires comprehensive cybersecurity oversight and management; critical thinking and innovative solutions to network, hardware, software and cybersecurity challenges; and exceptional teamwork, customer service, and collaboration skills. The ideal candidate is a proven performer with team-oriented interpersonal skills and the ability to interface effectively with a broad range of people and roles, including executive management, IT thought leaders, and technology vendors. This candidate also has a:

  • Deep understanding of strategic business objectives and the ability to drive results toward those objectives
  • Desire to work in a fast-paced, forward-leaning computing environment
  • Passion for securing computing platforms
  • Strong desire to continually learn new technologies
  • Natural tendency for providing hands-on guidance, direction, and mentoring to junior personnel

Requirements

  • U.S. Citizen with an Active DoD Top Secret security clearance.
  • Ability to work in a hybrid, on-site/remote capacity in Fairfax, VA (~3 days in office).
  • Bachelor's degree in Computer Science; Information Systems Management; or similar Science, Technology, Engineering and Mathematics (STEM) discipline.
  • Minimum DoD 8140 IAT Level II certification (e.g., Security+, SSCP, CCNA-Security, etc.), active.
  • 7+ years of experience: leading technical teams; providing leadership, guidance, and oversight of security concepts; performing security risk assessments and security architecture reviews; and working with architecture, software design, networking, virtualization, and cloud-based technologies / infrastructure.
  • Demonstrated expert knowledge, understanding, and hands-on experience with: DoD Information Technology best practices; DoD cybersecurity best practices; DODD 8500.1, DODI 8500.2, and other information assurance (IA) guidance; Windows Domain and Linux systems architectures; and security / validation testing tools, including vulnerability scanners (Nessus), DISA STIGs, and DISA checklists.
  • Strong problem-solving and decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate solution.
  • Highly developed interpersonal and oral/written communication skills, with the ability to effectively and professionally interact with a diverse set of stakeholders (from peers to end-users to executive management).

Responsibilities

  • Design and develop secure network architectures, customer information security (IS) requirements, operational concepts, and security authorization plans and procedures for assigned programs in compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-53, the NIST Risk Management Framework SP 800-37, Committee on National Security Systems (CNSS) Instructions, and Intelligence Community Directive (ICD) 503.
  • Apply technical expertise and have full knowledge of related disciplines by implementing technical solutions across various platforms.
  • Facilitate the Accreditation and Authorization (A&A) process (formerly C&A), including package preparation for the Authorizing Official (AO) for Authority to Operate (ATO) consideration. Provide input to the Risk Management Framework (RMF) process activities and related documentation.
  • Develop, update, and monitor all Plans of Action and Milestones (POA&Ms) and ensure closure once requirements have been met. Ensure that application of security patches for commercial products integrated into the system design meets the timelines dictated by the management authority for the intended operational environment.
  • Prepare and maintain security Assessment and Authorization (A&A) documentation (e.g., IA SOP, SSP, RAR, SCTM); participate in system categorization. Active experience with Xacta.
  • Ensure the development, documentation, and presentation of IS security education, awareness, and training activities for users and others, as appropriate.
  • Provide cybersecurity oversight, guidance, and training to all general and privileged users.
  • Perform tasks related to the orchestration and compliance of Continuous Monitoring Plans (e.g., audit log review, security patching, software, and hardware configuration management).
  • Perform system auditing, vulnerability risk assessments, Assured File Transfers, data integrity containments and investigations on IA related security violations/incidents. Develop and implement risk mitigation strategies that minimize security risks and ensure IS security posture.
  • Perform security testing, including penetration testing, vulnerability assessment, code review, and security audits, to identify and remediate IS security vulnerabilities.
  • Conduct reviews and technical inspections to identify and mitigate potential security weaknesses and ensure all security features applied to a system are implemented and functional.
  • Participate in Change Control Boards (CCB) to ensure configuration/change management of cybersecurity-relevant software, hardware, and firmware is maintained and documented.
  • Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk acceptance for the appropriate senior leader or authorized representative.
  • Analyze and interpret Assured Compliance Assessment Solution (ACAS), Security Technical Implementation Guides (STIG), Security Requirements Guide (SRG), and Security Content Automation Protocol (SCAP) scan results to identify vulnerabilities, assess risk, and drive timely remediation efforts.
  • Work with cross-functional teams to align initiatives with ECS goals and objectives.
  • Identify opportunities for continuous improvement and innovation.
  • Other duties, as assigned.