Information Systems Security Officer

About The Position

Requirements

• Must be eligible for Public Trust clearance
• Bachelor’s degree in Computer Science, Information Technology, or a related discipline from an accredited institution
• One or more of the following certifications: CISSP – Certified Information Systems Security Professional (required per contract), CASP+ – CompTIA Advanced Security Practitioner, GDSA – GIAC Defensible Security Architect, or other equivalent certifications covering similar information security domains, depth of knowledge, or experience
• 7 to 10 years of experience as an Information Systems Security Officer or Manager in a federal or federal contractor environment
• Solid, hands-on understanding of NIST RMF (SP 800-37 Rev 2), NIST SP 800-53 Rev 5, NIST SP 800-53A, NIST SP 800-137 Rev 2, and FISMA requirements
• Experience developing and maintaining complete SA&A packages including SSPs, POA&Ms, SARs, BIAs, CPs, and CPTs
• Experience with Governance, Risk, and Compliance (GRC) platforms
• Experience interpreting security and privacy findings from assessments, audits, vulnerability scans, and continuous monitoring tools
• Understanding of cloud security architecture across AWS, Azure, and/or Oracle Cloud environments
• Ability to obtain and maintain the required security clearance and pass suitability screening

Nice To Haves

• Active Treasury MBI or Secret clearance
• Experience with ServiceNow GRC
• Familiarity with SCADA and Industrial Control Systems (ICS) security

Responsibilities

• Provide assigned ISSO support for agency systems throughout their lifecycle
• Perform daily, weekly, and continuous systems monitoring duties in alignment with the NIST Risk Management Framework (RMF), Departmental/Treasury policy, and Agency-specific cybersecurity requirements
• Ensure applicable cybersecurity policies and controls are implemented for the agency’s existing and new systems, maintaining an operational security posture consistent with current policy
• Serve as the principal advisor to the Authorizing Official (AO), System Owner (SO), and/or CISO on all matters (technical and otherwise) involving assigned system security
• Develop and maintain a full suite of SA&A artifacts, including: FIPS 199 categorizations, System Security Plans (SSPs), Privacy Threshold Analyses (PTAs), Privacy and Civil Liberties Impact Assessments (PCLIAs), Contingency Plans (CP) and Contingency Plan Tests (CPTs), Business Impact Analyses (BIAs), Security Assessment Reports (SARs), IV&V Reports, Risk Acceptances, Waivers, MOUs/ISAs, and Deviations
• Develop, update, and maintain Plan of Action & Milestones (POA&M) reports on a monthly basis and as directed, providing trending analysis and remediation recommendations
• Monitor open POA&Ms to ensure timely resolution
• Conduct daily continuous monitoring of agency systems to ensure compliance with all applicable requirements and generate associated reports
• Coordinate with System Owners to ensure system security documentation is maintained and that changes to systems are evaluated for security impact through the agency change management process
• Support the development, maintenance, and reporting of Authority to Test (ATT) and Security Impact Analysis (SIA) documentation on a monthly basis or as required
• Ensure that system audit trails are regularly examined and anomalies are reported to the bureau CSIRC or other designated security officials
• Support the implementation and ongoing authorization of agency systems using NIST SP 800-137 Rev-2 (ISCM) guidance, supporting the Bureau’s transition from time-based ATOs to Ongoing Authorization
• Maintain and support 100% of the agency’s system ATOs in an active and compliant status at all times
• Ensure documentation detailing IT hardware and software configuration and all security countermeasures are developed and maintained
• Utilize the Bureau’s Governance, Risk and Compliance (GRC) solution for development and maintenance of all required SA&A documentation
• Analyze reports from security and privacy monitoring tools including vulnerability scanners, SIEM (Splunk/Elastic), Endpoint Detection and Response (EDR), CDM tools (BigFix, ForeScout, CyberArk), and coordinate corrective actions with IT team members