Information Systems Security Officer - Security

About The Position

Requirements

• Experience developing and documenting DoD Assessment and Authorization documentation
• Knowledge of CNSSI 1253, NIST 800 Series (primarily 800-53, 800-53A, 800-171), RMF
• 3 + years of IA/Cyber Security experience
• Bachelor’s degree or higher in Computer Science or Security
• Security+ certification CEH or equivalent
• Experience with DCSA tools such as eMASS, STIGs and SCAP
• US Citizenship and Active TS clearance or higher

Nice To Haves

• Familiar with RMF package creation and maintenance artifacts to support A&A decision
• Experience using DISA Security Technical Implementation Guides (STIGs), Security Requirements Guide (SRGs) and Security Content Automation Protocol (SCAP) to audit and securely configure network-enabled devices
• Fundamental knowledge of DISA Enterprise Mission Assurance Support Service (eMASS)
• Familiar with vulnerability tools and audit review tools which include audit log analysis and report generation (Nessus and Splunk experience preferred)
• Ability to advise the ISSOs/ISSEs or relevant security personnel to remediate system deficiencies
• Experience conducting risk analysis on products and system components through review of CVEs, plugins, CWEs
• Experience in conducting software due diligence with COTS and GOTS solutions
• Strong communication and documentation skills
• Flexible and able to adapt to a rapidly changing environment
• Positive, self-motivated individual who can complete tasks independently
• Working knowledge of system functions, security policies, technical security safeguards, and operational security measures.

Responsibilities

• Oversee day-to-day operations required to perform RMF
• Delegate tasks and create deadlines to meet security requirements
• Be forward facing for customer interactions which will translate into system requirements
• Spearhead building RMF packages within eMASS and perform continuous monitoring for the full duration of the information system lifecycle
• Implement the Risk Management (RMF) process throughout the entire A&A lifecycle of the system(s) or multiple ATOs across different locations, supporting all efforts pre and post Authority to Operate (ATO) determination
• Assist the ISSM in meeting their duties to support A&A activities and coordinate with system’s Security Controls Assessor (SCA) and Authorizing Official (AO)
• Perform and review technical security assessments of the system(s) to identify points of vulnerability, non-compliance with established cybersecurity standards and regulations, and recommend mitigation strategies to maintain operational security posture for the boundary systems
• Conduct risk analyses from vulnerability, compliance scans, penetration testing results, and/or other audit activities
• Create and maintain Plan of Action and Milestones (POA&Ms), System Security Plans (SSPs), Security Control Traceability Matrices (SCTMs), Standard Operating Procedures (SOPs), Configuration Management Plans, Contingency Plans and Test Result/Security Impact Analyses
• Ensure approved procedures are in place for clearing, sanitizing, and destroying various types of hardware and media
• Conduct continuous monitoring (ConMon) activities for applicable authorization boundaries
• Apply and maintain up to date application of Security Technical Implementation Guides (STIGs) to required components of the information systems
• Maintain inventory and asset configuration to include change management documentation
• Lead System level change request through formalized Configuration Control boards (CCB)
• Ensure that the appropriate operational security posture is maintained for the information system, working in close collaboration with the information system owner and the ISSM
• Notify ISSM when changes occur that might affect the authorization determination of the information system(s)
• Experience in advising System Administrators to Remediate system decencies
• Report all security-related concerns and incidents to the ISSM
• Able to also handle security concerns in lieu of ISSM advise on security concerns IAW system procedures