Senior Information Systems Security Officer

AptNexus
Arlington, VA
Onsite

About The Position

AptNexus is seeking an experienced Information Systems Security Officer (ISSO) to support our civilian agency customer. In this role, you will provide ISSO support for assigned agency systems throughout their lifecycle, performing daily, weekly, and continuous monitoring duties in alignment with the NIST Risk Management Framework (RMF), Departmental/Treasury policy, and Agency-specific cybersecurity requirements. You will ensure that applicable cybersecurity policies and controls are implemented for the agency’s existing and new systems, maintaining an operational security posture consistent with current policy, and serve as the principal advisor to the Authorizing Official (AO), System Owner (SO), and/or CISO on all matters, technical and otherwise, involving the security of assigned systems.

Requirements

  • Active Secret clearance required
  • Bachelor’s degree in Computer Science, Information Technology, or a related discipline from an accredited institution.
  • CISSP – Certified Information Systems Security Professional (required per contract)
  • 7 to 10 years of experience as an Information Systems Security Officer or Manager in a federal or federal contractor environment.
  • Solid, hands-on understanding of NIST RMF (SP 800-37 Rev 2), NIST SP 800-53 Rev 5, NIST SP 800-53A, NIST SP 800-137 Rev 2, and FISMA requirements.
  • Experience developing and maintaining complete SA&A packages including SSPs, POA&Ms, SARs, BIAs, CPs, and CPTs.
  • Experience with Governance, Risk, and Compliance (GRC) platforms, preferably Xacta 360.
  • Experience interpreting security and privacy findings from assessments, audits, vulnerability scans, and continuous monitoring tools.
  • Understanding of cloud security architecture across AWS, Azure, and/or Oracle Cloud environments.
  • Ability to obtain and maintain the required security clearance and pass suitability screening.

Nice To Haves

  • CASP+ – CompTIA Advanced Security Practitioner
  • GDSA – GIAC Defensible Security Architect
  • Other equivalent certifications covering similar information security domains, depth of knowledge, or experience will be considered

Responsibilities

  • Develop and maintain a full suite of SA&A artifacts, including: FIPS 199 categorizations, System Security Plans (SSPs), Privacy Threshold Analyses (PTAs), Privacy and Civil Liberties Impact Assessments (PCLIAs), Contingency Plans (CP) and Contingency Plan Tests (CPTs), Business Impact Analyses (BIAs), Security Assessment Reports (SARs), IV&V Reports, Risk Acceptances, Waivers, MOUs/ISAs, and Deviations.
  • Develop, update, and maintain Plan of Action & Milestones (POA&M) reports on a monthly basis and as directed, providing trending analysis and remediation recommendations. Monitor open POA&Ms to ensure timely resolution.
  • Conduct daily continuous monitoring of agency systems to ensure compliance with all applicable requirements and generate associated reports.
  • Coordinate with System Owners to ensure system security documentation is maintained and that changes to systems are evaluated for security impact through the agency change management process.
  • Support the development, maintenance, and reporting of Authority to Test (ATT) and Security Impact Analysis (SIA) documentation on a monthly basis or as required.
  • Ensure that system audit trails are regularly examined and anomalies are reported to the bureau CSIRC or other designated security officials.
  • Support the implementation and ongoing authorization of agency systems using NIST SP 800-137 Rev 2 (ISCM) guidance, supporting the Bureau’s transition from time-based ATOs to Ongoing Authorization.
  • Maintain and support 100% of the agency’s system ATOs in an active and compliant status at all times.
  • Ensure documentation detailing IT hardware and software configuration and all security countermeasures are developed and maintained.
  • Utilize the Agency’s Governance, Risk and Compliance (GRC) solution for development and maintenance of all required SA&A documentation.
  • Analyze reports from security and privacy monitoring tools including vulnerability scanners, SIEM (Splunk/Elastic), Endpoint Detection and Response (EDR), CDM tools (CrowdStrike/Qualys), and coordinate corrective actions with IT team members.
  • Support the agency in responding to audits, oversight reviews, and investigations from internal or external oversight organizations.
  • Lead and coordinate the gathering of audit artifacts in response to Provided by Client (PBC) requests from the Office of Inspector General (OIG), GAO, and other internal and external oversight bodies; establish and maintain a PBC tracking matrix with artifact owners, due dates, and submission status to ensure complete and on-time responses.
  • Analyze audit findings, Notices of Findings and Recommendations (NFRs), and corrective action requests; assess root cause, scope, and systemic risk; and develop technically accurate, fully documented Plan of Action and Milestones (POA&M) entries and Corrective Action Plans (CAPs) with realistic milestone schedules and responsible party assignments.
  • Draft formal agency finding responses, management comments, and corrective action narratives in response to OIG and GAO audit reports; coordinate review and approval with the CISO, System Owner, and AptNexus program leadership prior to submission; ensure responses are factually grounded, professionally written, and audit-ready.
  • Support pre-audit readiness reviews by assessing the completeness and accuracy of system security documentation, POA&M status, access control records, training completion records, and configuration baselines prior to scheduled audit engagements; identify and remediate documentation gaps before audit commencement.
  • Support change management activities including risk analysis of existing and new systems and identifying security requirements for new systems (security by design).