Information System Security Officer (ISSO)

About The Position

Requirements

• Bachelor’s Degree in Computer Science or a related field or equivalent experience; Advanced Degree preferred.
• 10+ years of experience in cybersecurity architecture, compliance, or ISSO duties.
• Deep expertise with SIEM, IDS/IPS, EDR, DLP, ICAM, CDM, and vulnerability management tools.
• Strong knowledge of DOE cybersecurity policies, FISMA, NIST 800-53, and federal directives.
• Proven experience drafting and maintaining FISMA artifacts and managing A&A processes.
• NIST 800-53 Rev 5.
• Risk Management Framework.
• CRISC (or equivalent), CISSP, CISM, CISSP-ISSAP, or equivalent.

Nice To Haves

• Ability to balance technical architecture with compliance oversight.
• Strong communication skills for briefings, reporting, and stakeholder engagement.
• Experience leading audits, inspections, and risk assessments.
• Expertise in disaster recovery, COOP planning, and incident response.
• Strategic mindset with adaptability to emerging technologies and evolving threats.
• Able to build advanced alerts in SIEM
• Able to translate events into incident response ticket with full information for SOC lead and provide briefings to leadership
• Advanced knowledge of security tools.
• Assist Tier 2 and Tier 3 Analyst in incident response
• Has above basic Window and Linux CLI skills
• Has built understanding of multiple security tools i.e. EDR, IDP, IDS, Firewalls, etc.
• Optional certifications:
• GIAC Certified Intrusion Analyst (GCIA)
• Certified Information System Security Professional or Associate (CISSP or Associate)
• ISC2 Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• NIST Cybersecurity Framework (CSF)
• FedRAMP Authorization
• Tenable Nessus (ACAS)
• DISA STIGs
• CIS Benchmarks

Responsibilities

• Develop, implement, and maintain comprehensive information security programs in accordance with federal mandates and agency policies.
• Oversee the continuous monitoring and improvement of security controls across diverse information systems.
• Collaborate with system owners and stakeholders to integrate security requirements throughout the system development lifecycle.
• Conduct thorough risk assessments to identify, analyze, and prioritize security vulnerabilities and threats.
• Develop and implement risk mitigation strategies and countermeasures to protect sensitive information and critical assets.
• Track and manage Plans of Action and Milestones (POA&Ms) to ensure timely remediation of identified weaknesses.
• Ensure strict adherence to federal regulations, such as NIST SP 800-53, FISMA, and agency-specific security directives.
• Perform ISSO responsibilities for OIM systems and boundaries, serving as the subject matter expert for assigned systems.
• Advocate for System Owners, coordinating cybersecurity activities and ensuring alignment with DOE policies and federal requirements.
• Provide regular security briefings to System Owners, ISSMs, and AODRs.
• Participate in Change Control Board (CCB) meetings, reviewing privileged access requests, risk assessments, and cybersecurity requests.
• Support and perform internal audits, inspections, and reviews of OIM accreditation boundaries.
• Support the Authorization to Operate (ATO) process by providing expert guidance and ensuring all required artifacts are complete and accurate.
• Draft, update, and enforce information security policies, standards, and procedures.
• Maintain comprehensive security documentation, including system security plans, contingency plans, and configuration management plans.
• Develop and deliver security awareness training to educate users on best practices and compliance requirements.
• Evaluate, recommend, and implement security technologies and tools, such as intrusion detection/prevention systems (IDPS), security information and event management (SIEM), and data loss prevention (DLP).
• Manage and monitor security configurations for operating systems, networks, and applications.
• Conduct vulnerability scanning and penetration testing to identify and address security weaknesses.
• Establish and maintain Interconnection Security Agreements (ISAs) and Memoranda of Understanding (MOUs/MOAs) with external partners.
• Prepare and review security authorization documentation, including Security Plans (SPs), Privacy Impact Assessments (PIAs), and Contingency Plans (CPs).
• Represent OIM in interagency security working groups and committees.
• Provide analysis of vulnerability, patch, and configuration data to protect OIM mission systems.
• Work with System Owners to develop and remediate POA&Ms, prioritizing based on Level of Effort (LOE).
• Recommend corrective actions for risk assessment issues identified during audits or inspections.