Senior Information System Security Officer (ISSO)

Amatriot Group, Fredericksburg, VA
Posted 14h ago. Salary: $100,000 - $130,000

About The Position

The Information System Security Officer shall have at least seven (7) years of experience as an ISSO and shall be responsible for all security documentation required to obtain and maintain the customer network's Authority To Operate (ATO). They shall possess expertise with the agency's chosen GRC application (Xacta), experience with FISMA controls, and the ability to perform periodic vulnerability and SCAP compliance scans using Nessus. The ISSO shall also be responsible for managing and approving all IT security documentation (e.g., System Security Plans, Rules of Behavior, POA&Ms).

Requirements

  • At least seven (7) years of experience as an ISSO
  • Expertise with the agency's chosen GRC application (Xacta)
  • Experience with FISMA controls
  • Ability to perform periodic vulnerability and SCAP compliance scans using Nessus
  • Ability to manage and approve all IT security documentation (e.g., System Security Plans, Rules of Behavior, POA&Ms)
  • Bachelor's degree in Information Technology or an information security related discipline, or equivalent specialized experience
  • CompTIA Security+

Nice To Haves

  • Certified Information Systems Security Professional (CISSP)
  • CompTIA Network+

Responsibilities

  • Ensure information systems comply with FISMA, the NIST Risk Management Framework (SP 800-37), NIST SP 800-53 security controls, and agency-specific security requirements.
  • Maintain and enforce system security policies, procedures, and standards.
  • Support Authority to Operate (ATO) processes, including continuous authorization.
  • Identify, document, and assess system security risks and vulnerabilities.
  • Develop, track, and manage Plans of Action and Milestones (POA&Ms).
  • Conduct and support periodic risk assessments and security impact analyses.
  • Evaluate system configurations for STIG compliance.
  • Ensure documentation remains current and reflects system changes.
  • Develop, review, and maintain security artifacts, including:
      • System Security Plans (SSPs)
      • Security Assessment Reports (SARs)
      • Contingency Plans (CPs)
      • Incident Response Plans (IRPs)
  • Implement and manage continuous monitoring activities.
  • Review security control effectiveness and coordinate periodic control assessments.
  • Monitor vulnerability scan results and ensure timely remediation.
  • Support detection, analysis, containment, and reporting of security incidents.
  • Coordinate incident response activities with SOCs, ISSMs, and government stakeholders.
  • Ensure incidents are reported in accordance with contract and agency timelines.
  • Review and approve security-relevant system changes.
  • Participate in Change Control Boards (CCBs) to ensure security impacts are assessed.
  • Ensure secure configuration baselines are established and maintained.
  • Ensure proper user access controls, least privilege, and account lifecycle management.
  • Review privileged access and audit logs for suspicious activity.
  • Enforce multi-factor authentication and identity management requirements.
  • Ensure users complete required security awareness and role-based training.
  • Provide system-specific security guidance to administrators and users.
  • Serve as the primary security liaison between the contractor, government ISSM, and system owners.
  • Support audits, inspections, and assessments by government or third-party assessors.
  • Brief leadership on system security posture and risk status.
© 2024 Teal Labs, Inc