Information System Security Officer

About The Position

Requirements

• A minimum of five (5) years of demonstrated experience in the Information Security or IT field.
• Demonstrates a proficiency with developing, maintaining and managing SA&A packages.
• Experience with developing and managing POA&M's.
• Strong problem solving and analysis skills, self-motivated, and able to work and communicate in a team environment.
• Strong understanding of federal cybersecurity frameworks (e.g., NIST RMF, FIPS-199, FISMA).
• Experience in developing and maintaining security documentation and plans.
• Possess experience conducting CPT's.
• Experience conducting audit log reviews.
• Technical experience with conducting vulnerability management, compliance scanning, and providing mitigation techniques.
• Excellent communication and coordination skills with technical and non-technical stakeholders.
• Ability to manage multiple systems and projects simultaneously in a dynamic environment.
• Excellent communication (written and verbal) skills.
• A minimum of at least one (1) certification identified in the DOD 8570 IAT Level II (e.g., Security+, GSEC, CASP) or any equivalent or more advanced.
• Library Suitability and Public Trust clearance.

Responsibilities

• Lead and conduct Pre-Security Assessment and Authorization (A&A) activities, including stakeholder identification, change request submissions, appointment memorandums, and IT Security Kickoff meetings.
• Supports the ISBO in day-to-day IT security activities.
• Assists the ISBO with reviews of the security posture of the system and report any findings to the ISBO, CISO, and the AO.
• Conduct Information System Categorization by identifying information types, completing FIPS-199 assessments, and facilitating Business Impact Analyses (BIA), Privacy Threshold Analyses (PTA), and Privacy Impact Assessments (PIA).
• Develop and maintain system security documentation, including: System Administration Plan (SAM), Configuration Management Plan (CMP), IT Contingency Plan (ITCP), Information Security Continuous Monitoring (ISCM) Plan, Incident Response Plan (IRP), Security Assessment Report (SAR), System Security Plan (SSP).
• Coordinate initial and annual ITCP testing in collaboration with the OCIO Business Continuity and Disaster Recovery (BCDR) Office.
• Develop and manage inter-agency agreements and documentation such as MOUs, MOAs, ISAs, IT Security Waivers, and Risk Acceptance Memorandums.
• Document and maintain Security Control Implementation details, ensuring updates are made according to required frequency.
• Coordinate vulnerability and compliance scans, Security Control Assessments (SCA), and track remediation efforts with the IT Security Test Team.
• Manage and update Plan of Action and Milestones (POA&M) entries, submitting remediated findings for closure.
• Prepare and present SAR to Authorizing Officials to obtain or renew ATO.
• Perform Information Security Continuous Monitoring (ISCM) activities to ensure ongoing compliance and security posture of systems.
• Develop and update project schedule, including A&A / SCA task and milestones, task dependencies, and personnel resources.
• Conduct A&A activities and tasks and obtain ATO in line with NIST and client guidance and directives.
• Determining the baseline IT Security requirements for IT Systems, identifying system boundaries, determining information categories, assisting with FIPS-199.
• Ensure that IT Systems are operated, used, maintained, and disposed of in accordance with internal security policies and practices.
• Enforce security policies and safeguards on all personnel having access to the IT System for which the ISSO has responsibility.
• Ensure users and system support personnel have the required authorization and need-to-know; have been indoctrinated; and are familiar with internal security practices before access to the IT System.
• Implement security controls based on IT System FIPS categorization.
• Document security control implementation in the system's Security Plan using the client's GRC tool.
• Document system's risk assessment per client directives and requirements.
• Review and monitoring system security and audit logs.
• Develop and maintain Plan of Actions and Milestones (POA&Ms) for IT systems.
• Update A&A documentation and artifacts on a regular basis (e.g. annually, after approved change).