DOJ - Lead ATO SME - Top Secret Required

About The Position

Requirements

• Active Top-Secret clearance
• 10 years of experience in IT Project Management in both Waterfall and Agile environments.
• 10 years of experience performing systems security assessments, preparing system security documentation, and/or performing security upgrades for live networks, desktop systems, servers, and enterprise data bases leading to successful certification and accreditation or security authorization of such systems.
• 10 years of experience assessing and enhancing IT systems security policies and procedures in response to the regulatory requirements associated with Federal and International standards.
• 10 years of IT Security experience with extensive knowledge in security regulations and security assessments having developed numerous security A&A and ATO on a range of systems including classified systems.
• Minimum of two of the following certifications: CISA, CRISC, CISM, CGEIT, CISSP, CAP

Nice To Haves

• Strong working knowledge with NIST Special Publications, NIST 800-53 for security control selection and NIST SP 800-37 SA using JCAM system is preferred.

Responsibilities

• Ensure all deliverables meet DOJ quality, completeness, and acceptance standards.
• Provide mentorship and technical guidance to Senior ATO SMEs and supporting engineers.
• Ensure compliance with classified and Controlled Unclassified Information (CUI) handling requirements.
• Support audits, inspections, and government reviews as required.
• Serve as the technical lead for end-to-end Risk Management Framework (RMF) execution supporting Authority to Test (ATT), Authority to Operate (ATO), and Continuous Monitoring (ConMon).
• Provide technical direction, quality assurance, and subject-matter leadership across all RMF phases in accordance with NIST SP 800-37, NIST SP 800-53, DOJ Cybersecurity Standards, and DOJ Security and Privacy Assessment and Authorization Handbook.
• Act as the primary technical interface between the contractor team, Authorizing Officials (AO), Senior Agency Officials for Privacy (SCOP), COR, and system stakeholders.
• Lead system preparation activities, including mission and business process identification, stakeholder identification, and asset inventory.
• Define system authorization boundaries and operational environments.
• Ensure system registration and documentation within the Joint Cybersecurity Assessment and Management (JCAM) system.
• Conduct and maintain system-level risk assessments and ensure security and privacy requirements are defined and allocated appropriately.
• Oversee development and validation of system descriptions, boundaries, and characteristics.
• Lead security categorization activities in accordance with FIPS 199 and DOJ requirements, including confidentiality, integrity, and availability impact analyses.
• Ensure identification and documentation of Personally Identifiable Information (PII) and coordination of Initial Privacy Assessments (IPA).
• Coordinate categorization reviews and approvals with the AO and SCOP and ensure final concurrence is documented in JCAM.
• Lead selection of baseline security and privacy controls using DOJ Cybersecurity Standard 0904 and NIST SP 800-53.
• Oversee control tailoring, scoping, and allocation decisions based on mission, risk tolerance, system architecture, and operational environment.
• Ensure justification for tailored controls is properly documented in the System Security and Privacy Plan (SSPP).
• Direct development and approval of the Information Security Continuous Monitoring (ISCM) Plan.
• Ensure SSPP and Requirements Traceability Matrix (RTM) are generated, reviewed, approved, and uploaded into JCAM.
• Provide technical oversight for implementation of system, hybrid, and common security and privacy controls.
• Ensure controls are implemented in accordance with DOJ standards and minimum assurance requirements.
• Review and approve use of compensating controls and associated POA&Ms, ensuring AO and SCOP concurrence when required.
• Ensure system documentation (SSPP, Incident Response Plan, Contingency Plan, Configuration Management Plan, privacy artifacts) reflects the “as-implemented” control state.
• Lead development and approval of Security Assessment Plans (SAPs).
• Oversee execution of security and privacy control assessments using automated and manual assessment techniques.
• Review Security and Privacy Assessment Reports (SARs) for accuracy, completeness, and risk clarity.
• Direct remediation analysis, severity determination, and corrective action planning.
• Ensure development, maintenance, and tracking of Plans of Action and Milestones (POA&Ms).
• Assemble and validate complete authorization packages, including SSPP, SAR, POA&Ms, risk analysis, residual risk reports, and executive briefings.
• Brief Authorizing Officials on system security posture, residual risks, and recommended risk responses.
• Support AO decision-making for ATO, Interim ATO, or denial of authorization.
• Ensure authorization decisions and signed ATO memoranda are properly recorded in JCAM.
• Lead Continuous Monitoring (ConMon) activities, ensuring assessment of one-third of controls annually and Re-ATO every three years.
• Oversee configuration management, change control, and security impact analyses for system and environment changes.
• Ensure timely updates to SSPP, SAR, POA&Ms, risk reports, and authorization artifacts.
• Direct ongoing risk response actions and reporting to AO and stakeholders.
• Oversee system disposal activities, including development of decommissioning and retirement documentation.
• Ensure all cloud services used by BOP systems maintain valid FedRAMP authorization (SaaS, PaaS, IaaS).
• Oversee review and validation of FedRAMP security packages and inheritance models.
• Ensure cloud security posture aligns with DOJ, NIST, and FedRAMP requirements.