Information Systems Security Manager (ISSM)-Aviation Platforms

APOGEE RESEARCH LLC, Arlington, VA
Onsite

About The Position

Apogee Research is seeking a highly skilled Information System Security Manager (ISSM) to lead cybersecurity Assessment and Authorization (A&A) efforts for Department of Defense (DoD) aviation platforms. The ideal candidate will have extensive experience in navigating the Risk Management Framework (RMF) process to obtain and maintain Interim Authority to Test (IATTs), Authority to Test (ATTs), and Authority to Operate (ATOs) for airborne systems and platform information technology (PIT), and the ability to secure air-gapped or embedded systems and associated ground support equipment. The ISSM will report directly to the Director of Operations and coordinate with the Apogee Director and Program Manager to provide comprehensive information systems security support to our Department of Defense customer. The ISSM will be responsible for providing day-to-day system security operations by ensuring that operational security is maintained for information systems. They will interface daily with government personnel regarding system security and their requirements. The ISSM will also be responsible for maintaining effective communications with the Information System Owner, Authorizing Official (AO) or Delegated Authorizing Official (DAO), and the Security Control Assessor (SCA). The ISSM must have a working knowledge of system functions, security policies, technical security safeguards, and operational security measures. This is an excellent opportunity for an energetic and experienced ISSM who is compliance-focused, conscientious, detail-oriented, and enjoys working with a close-knit team. The position is based out of our Arlington, VA office (full-time in person). Candidates must have an active DoD Top Secret clearance with SCI eligibility.

Requirements

  • 8+ years of cybersecurity experience, with at least 3+ years directly in an ISSM or senior ISSO role for DoD aviation or weapons systems.
  • Experience in obtaining authority to test (ATT) and authority to operate (ATO) approvals for operational and tactical systems.
  • Extensive knowledge of certification/authorization requirements as outlined in the NISPOM, RMF, JSIG, ICD 503, NIST SP 800-53 Rev 4/5, DoD STIG Overlays, and other USG IS/Security-related policies.
  • In-depth knowledge and experience with technical configuration standards relating to information system security; experience configuring Linux operating systems, experience with server systems, system virtualization and other related peripherals.
  • Experience configuring Linux (RHEL) and Windows (Windows 11 and Windows Server 2022) based systems to conform to selected Security Technical Implementation Guides.
  • RMF Training as specified in the DSS Assessment and Authorization Process Manual.
  • Required to hold and maintain DoD 8140/8570 approved baseline certification (e.g., Security+, CySA+, etc.).
  • Self-starter, highly motivated, able to multi-task and meet tight deadlines. A strong candidate must have the ability to work well under pressure and deal with changing priorities.
  • Excellent communication skills (oral and written), ability to work in a team environment, and must work well with others.
  • Effective at problem-solving and proven ability to cope with conflict, stress and crisis situations.

Nice To Haves

  • Experience specifically supporting NAVAIR, NAVWAR, or Air Force Life Cycle Management Center (AFLCMC) programs.
  • Familiarity with Platform IT (PIT) and weapons systems cyber certification.
  • ATO/ATT Acquisition: Develop, review, and submit comprehensive authorization packages (SSP, SAP, SAR, POA&M) in eMASS to achieve and maintain IATTs/ATTs/ATOs.
  • Apply cybersecurity policies (e.g., AFI 17-101, SECNAV M-5239.3) to DoD aviation platforms, including platform IT (PIT), embedded systems, and ground support equipment.
  • Apply cybersecurity policies (e.g., JSIG, ICD-503, NISPOM) to embedded aircraft systems, mission systems, and communication enclaves.
  • Experience with secure data transfer, high-assurance encryptors, or cross-domain solutions.
  • Experience with flight test data security and embedded system architecture.

Responsibilities

  • Ensure users follow established information security policies and procedures to protect, operate, maintain, and dispose of systems and data in accordance with security policies and practices as outlined in the assessment and authorization document packages.
  • Develop and maintain relationships with DoD and Intelligence Community agencies for the purpose of obtaining and maintaining authority to operate (ATO) on Apogee classified systems and operational systems for DoD customers.
  • Work with US Government Security Control Assessors (SCAs) and Authorizing Officials (AOs) to develop a comprehensive Risk Management Framework (RMF) package including System Security Plans (SSPs), Information Security Continuous Monitoring Plans, and a body of evidence to support system authorization.
  • Configure and secure LAN, WAN, and/or standalone machines in accordance with the developed SSPs and the Security Control Traceability Matrix (SCTM).
  • Develop, review, maintain and oversee all information System Security Plans (SSPs) for Assessment and Authorization in accordance with DoD mandated policies.
  • Perform security audits on all systems under purview to validate proper use; ensure documentation (i.e., training records, system baseline, etc.) is kept current.
  • Coordinate with program/project stakeholders, the Contract Program Security Officer (CPSO)/Facility Security Officer (FSO) and IT team members to define, implement and maintain an acceptable information systems security posture.
  • Ensure procedures are developed and followed for responding to security compliance incidents and investigating and reporting security violations and incidents as appropriate.
  • Ensure a Plan of Action and Milestones (POA&M) is maintained for all security-related vulnerabilities and continually update SCAs and AOs as to the current status of planned activities for correcting vulnerabilities associated with required security controls.
  • Track, review, and conduct AIS training.
  • Identify AIS vulnerabilities and implement countermeasures.
  • Perform AIS self-inspection; notify the customer when changes occur that might affect AIS authorization.

Benefits

  • health insurance
  • dental insurance
  • vision insurance
  • life insurance
  • disability insurance
  • flexible spending account
  • paid vacation
  • sick leave
  • paid holidays