Senior Information System Security Officer

CACI International | Washington, DC
$105,100 - $231,100 | Onsite

About The Position

CACI is searching for a Senior Information System Security Officer (Senior ISSO) to support the FEMA Office of the Chief Information Security Officer (OCISO) in Washington, D.C. As a Senior Information System Security Officer, you will play a crucial role in ensuring the security and compliance of FEMA's information systems. You will work in a dynamic environment, collaborating with IT system owners, stakeholders, and cybersecurity professionals to implement and maintain robust security controls. Your efforts will directly contribute to safeguarding FEMA's mission-critical systems and data. The Senior ISSO will serve as the single point of contact for the Cybersecurity Division on all systems security matters, leading cybersecurity engineering efforts for assigned Program Management Organizations with direct support to the Compliance Branch Lead. This includes spearheading systems' ATO efforts and maintaining a security posture in compliance with FISMA, DHS 4300 Series, NIST, and DHS and Component Directives. The Senior ISSO will execute complete Risk Management Framework (RMF) activities for Authority to Operate (ATO) decisions and ensure all security documentation is kept up to date.

Requirements

  • U.S. Citizenship required
  • Active Secret security clearance required
  • BS/BA + 15 years of applicable experience in information security
  • Must have one of the following Information Assurance Technician (IAT) Level III qualifications: Certified Information System Security Professional (CISSP), Certified Information Security Manager (CISM), CompTIA Advanced Security Practitioner (CASP+)
  • 10+ years of experience in information security
  • Demonstrated expertise in RMF, Information Security processes, audits, tools, implementation, FISMA, NIST, IT security
  • Experience developing System Security Plans, POA&Ms, and Configuration Management Plans
  • Knowledge of NIST SP 800-37, NIST SP 800-53, and DHS 4300 Series requirements

Nice To Haves

  • FEMA EOD suitability or current DHS or FEMA EOD preferred
  • Previous DHS or DoD experience
  • Experience with CSAM, RegScale, eMASS, or similar GRC tools
  • Experience supporting emergency operations or disaster response missions
  • Knowledge of cloud security and FedRAMP authorization processes
  • Experience with continuous monitoring and automated security tools
  • Strong communication skills for presenting to senior leadership

Responsibilities

  • Execute complete Risk Management Framework (RMF) activities for Authority to Operate (ATO) decisions including system categorization, security control selection and implementation, self-assessments, POA&M development, and continuous monitoring.
  • Develop and maintain System Security Plans (SSPs) including control baselines, inheritance, Business Impact Analyses, implementation statements, technical and system descriptions, and hardware and software inventories.
  • Create and maintain Configuration Management Plans, conduct Security Impact Analyses, approve Change Requests, and test configuration changes.
  • Develop and test Contingency Plans and Incident Response Plans to ensure business continuity.
  • Conduct Risk Assessments, annual security assessments, and vulnerability assessments across assigned systems.
  • Develop security architecture designs, requirement traceability matrices, and authorization boundary diagrams.
  • Advise system owners and senior executives on all cybersecurity matters.
  • Develop remediation work plans for audit findings.
  • Maintain Hardware and Software Inventory Lists.
  • Conduct FISMA Scorecard Analysis on a daily basis.
  • Prepare Security Test Plans 90 days prior to testing and Security Test Reports within 15 days after testing.
  • Generate Risk Assessment Reports within 0 to 15 days after analysis completion.
  • Produce Weekly Activity Reports and Monthly Program Reports to track progress and compliance.
  • Ensure proper access controls are implemented for both system access and physical access to data processing facilities.
  • Track and suggest technologies, processes, and practices designed to protect networks, devices, programs, and data from malicious attack, damage, or unauthorized access.
  • Research and maintain proficiency in tools, techniques, countermeasures, and trends in computer and network vulnerabilities, data hiding, and network and device security and encryption.

Benefits

  • healthcare
  • wellness
  • financial
  • retirement
  • family support
  • continuing education
  • time off benefits