About The Position

CGI is one of the top five largest global IT companies, operating in 40 countries with endless opportunities to expand and grow. As a CGI Federal member, you have the opportunity to be a shareholder at CGI and join a family 90,000 members strong.

CGI Federal is hiring an SME‑level Information System Security Officer (ISSO) for FIPS 199 moderate‑ to high‑impact cloud systems (IaaS, PaaS, or SaaS) to work with a skilled and motivated team of professionals on a high‑visibility Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) cybersecurity program. You will support a dynamic, fast‑paced project focused on improving the cybersecurity posture of civilian government agencies through the implementation and enhancement of a cybersecurity platform, providing integration services, and developing, securing, and maintaining cybersecurity dashboards. You will work closely with a variety of agency stakeholders, supporting their mission, priorities, organization, and unique challenges. You will also support the development of additional cybersecurity offerings focused on next‑generation security solutions and technologies.

The successful candidate is a highly motivated, self‑starting individual who works effectively in a dynamic environment. This is a great opportunity with room to grow both on the program and within CGI Federal.

This position is located in one of CGI Federal's offices in Fairfax, VA or Lafayette, LA; however, a hybrid working model is acceptable. You will be required to work in a CGI Federal office two days per week.

Requirements

  • Due to government contract and/or clearance requirements, U.S. citizenship is required, as well as successful completion of a CGI background check prior to beginning work. Candidates must also be able to obtain and maintain a DHS CISA EOD/Public Trust clearance.
  • Bachelor’s degree and 10+ years of experience working on cybersecurity teams for enterprise cybersecurity shared‑services programs or cloud programs.
  • Continuous monitoring experience with moderate‑ and high‑impact systems.
  • Experience with Federal Risk and Authorization Management Program (FedRAMP) cloud‑related projects.
  • Working knowledge of the following NIST Special Publications (in priority order):
      • 800‑37 (Risk Management Framework)
      • 800‑53 (Security & Privacy Controls)
      • 800‑18 (System Security Plans)
      • 800‑30 (Risk Assessment)
      • 800‑137 (Continuous Monitoring)
  • Federal Information Processing Standards (FIPS), particularly FIPS 199 (Security Categorization).
  • If no experience with NIST: working knowledge of the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) or DoD Information Assurance Policy 8500.1 and the RMF.
  • If no experience with NIST or DITSCAP: working knowledge of the NSA Information Assurance process.
  • Experience with vulnerability‑management and security‑auditing tools such as Tenable or similar.
  • Experience updating and maintaining Plans of Action and Milestones (POA&Ms).
  • Demonstrated understanding of IT security principles, concepts, policies, and regulations.
  • Demonstrated ability to effectively document security controls.
  • Proficiency with Microsoft Word, Excel, and Microsoft Project.

Nice To Haves

  • Experience supporting FedRAMP authorization and maintaining required security documentation.
  • Technical/development background.
  • Experience with DevSecOps as an ISSO or security tester.
  • Relevant certifications such as CISSP, CGRC (formerly CAP), CCSP, CRISC, CISM, CEH, or others.
  • Experience with CISA’s Continuous Diagnostics and Mitigation (CDM) program.

Responsibilities

  • Operate the continuous monitoring program; develop, update, and maintain system security documentation; and implement security policies and procedures to support continuous monitoring.
  • Participate in the SDLC to integrate NIST 800‑37 Risk Management Framework (RMF) activities into appropriate phases.
  • Integrate security into configuration management (CM) and system development life‑cycle (SDLC) processes (waterfall, Agile, DevSecOps).
  • Support NIST 800‑37 RMF and associated processes, as well as ITIL guidelines, for achieving and maintaining systems’ Authority to Operate (ATO).
  • Conduct security control assessments in alignment with NIST RMF (SP 800‑53, 800‑37) and federal security requirements.
  • Support Authorization & Assessment (A&A) activities and prepare systems for initial authorization, reauthorization, and ongoing assessments.
  • Implement policies and processes for continuous monitoring to maintain system ATO.
  • Conduct routine vulnerability scans in accordance with federal security standards and document results for remediation.
  • Validate POA&M artifacts and verify closure of security findings through evidence review and follow‑up assessments.
  • Provide expert guidance on security control inheritance, boundary definitions, and system categorization to ensure accurate authorization packages.
  • Coordinate security remediation activities, schedules, and milestones with stakeholders; establish risk and mitigation strategies; and communicate status.
  • Update and maintain system security documentation.
  • Conduct risk and vulnerability assessments on changes to system architecture.
  • Participate in Change Control Boards (CCB) and provide analysis and recommendations based on changes affecting the system’s security posture.
  • Serve as the primary liaison between CISA and the Cloud Service Provider (CSP) on all security‑related matters.
  • Work with minimal supervision, lead teams, and take on increased responsibility as required.

Benefits

  • Competitive compensation
  • Comprehensive insurance options
  • Matching contributions through the 401(k) plan and the share purchase plan
  • Paid time off for vacation, holidays and sick time
  • Paid parental leave
  • Learning opportunities and tuition assistance
  • Wellness and well-being programs

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Number of Employees

5,001-10,000 employees