Information System Security Officer

Summit-Tek
Arlington, VA

ISSO III job description:

Position Summary:

The Information Systems Security Officer (ISSO) is responsible for ensuring the secure operation of assigned information systems in compliance with organizational policies and federal cybersecurity standards such as NIST, FISMA, FedRAMP, and RMF. The ISSO supports authorization and assessment activities, maintains continuous monitoring programs, and responds to incidents to safeguard the confidentiality, integrity, and availability of systems and data.

Serving as the principal advisor to the Information System Owner (ISO) and the Chief Information Security Officer (CISO), the ISSO provides subject matter expertise on all security matters related to assigned systems. This includes developing and maintaining security documentation, coordinating with technical staff and external partners, and ensuring security controls remain effective throughout the system lifecycle. The ISSO plays a central role in authorization activities (RMF Steps 1–6), ensuring that information systems remain compliant, resilient, and aligned with applicable policies and standards.

Duties and Responsibilities:

Compliance and Risk Management:

  • Ensure assigned systems comply with NIST, FISMA, FedRAMP, and organizational frameworks, regulations, and guidance.
  • Conduct risk assessments and support the development of mitigation plans.
  • Assist in the creation and validation of System Security and Privacy Plans (SSPPs).
  • Validate the implementation of security controls in accordance with RMF requirements.
  • Support the Assessment and Authorization (A&A) process.

Documentation and Reporting:

  • Prepare and maintain SSPs, SARs, POA&Ms, ISCPs, IRPs, CMPs, and related artifacts.
  • Track and manage POA&Ms to address vulnerabilities and deficiencies.
  • Generate system security status reports and metrics for leadership and auditors.
  • Ensure documentation is accurate, current, and aligned with compliance requirements.

Monitoring and Incident Response:

  • Conduct system log reviews and monitor activity for abnormal behavior or potential compromise.
  • Review, analyze, and report on vulnerability and compliance scan results.
  • Ensure continuous monitoring of implemented security controls.
  • Participate in incident response activities, including investigation, reporting, and after-action documentation.

Collaboration and Stakeholder Engagement:

  • Collaborate with ISOs, ISSMs, system administrators, engineers, and other stakeholders.
  • Serve as a liaison with auditors, assessors, and external entities during reviews.
  • Provide security training and awareness to system owners and users as needed.
  • Support contingency planning, testing, and disaster recovery activities.

Policy and Procedure Development:

  • Contribute to the development and review of cybersecurity policies and procedures.
  • Ensure systems are operated, maintained, and disposed of in compliance with policy.
  • Support supply chain risk management requirements and validate the use of third-party software.

Lifecycle and Change Management:

  • Provide guidance on security requirements and architecture during system design, development, and deployment for on-premises, hybrid, and cloud systems.
  • Ensure controls remain effective through operations, sustainment, and system disposal.
  • Review, recommend, and validate configuration and change management requests for assigned systems.
  • Participate in Configuration Control Boards (CCBs) and ensure security reviews are documented and compliant with policy.

Oversight and Governance:

  • Maintain positive working relationships with technical teams and stakeholders.
  • Ensure security authorization and assessment activities are executed in accordance with established procedures.
  • Support development of BIAs, PIAs, ISAs, and MOUs/A as required.
  • Participate in security audits, assessments, and exercises.
  • Report incidents, risks, and issues to ISSMs, CISOs, and other stakeholders.
  • Complete required annual training and certifications.
  • Support additional duties as assigned by leadership.

Required Qualifications:

  • Education: Master’s degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science from an accredited institution fulfills the educational requirement.
  • Experience: Previous experience and working knowledge of Cloud Infrastructure. Minimum of ten (10) years of experience in Information Technology (IT) or Information Security (IS).
    This includes any combination of relevant experience, not ten years for each listed area.
  • Certifications: Must hold at least one DoD 8140/8570-compliant certification or be able to obtain one within six (6) months of hire. Certification must be maintained during employment.
  • Clearance: Must hold an active Secret clearance or higher and be eligible for Top Secret if required.

Education and Experience Substitution:
Additional experience may substitute for education, and vice versa:

  • 1.5 years of relevant experience = 1 year of education.
  • High school diploma = +3 years’ experience to reach an associate degree.
  • Associate degree = +6 years’ experience to reach a master’s degree.
  • Relevant DoD 8140 intermediate or advanced certifications may count as 1.5 years of experience.

Preferred Qualifications:

Security Control Assessor (Intermediate) Certifications:
  • CCISO, CISSP, or CISSP-ISSEP
  • CISA or CISM
  • CPTE or CySA+
  • FITSP-A
  • GCSA, GSLC, or GSNA

Information System Security Manager (ISSM) Certifications:

  • SASP, SSCP
  • CCISO, CCSP, CISSP-ISSMP
  • CGRC/CAP
  • CISM
  • CompTIA: Cloud+, Security+ CE, Security X
  • FITSP-M
  • SANS: GCIA, GCIH, GCSA, GICSP, GSEC, or GSLC

Additional Information:
This position requires comprehensive expertise in information system security and risk management across all phases of the system lifecycle. The ISSO serves as the principal advisor to the Information System Owner and senior management officials on all matters involving system security, including:

  • Identifying, implementing, and assessing common security controls.
  • Developing and updating System Security Plans (SSPs) and coordinating security impact assessments for system changes.
  • Ensuring systems are operated, maintained, and disposed of in accordance with approved authorization packages.
  • Reporting and managing security incidents and supporting the restoration of system security features.
  • Conducting annual assessments to ensure ongoing compliance with policy and standards.
  • Participating in Configuration Control Boards (CCBs) to ensure configuration management for cybersecurity-relevant components.
  • Ensuring security requirements are addressed throughout all system lifecycle phases.
  • Reviewing audit trails, maintaining logs in accordance with policy, and ensuring preventive measures against malicious code.
  • Evaluating assigned information systems’ security control compliance with federal and organizational requirements.
  • Managing risks associated with the administration and use of assigned information systems.
  • Providing guidance aligned with cybersecurity best practices and monitoring strategies.
  • Analyzing collected data to identify vulnerabilities and communicating findings effectively to system owners and leadership.
  • Supporting system integration, testing, operations, and maintenance of system security controls.
  • Developing and maintaining Standard Operating Procedures (SOPs) and maintaining hardware and software inventories.

Job Type: Full-time

Pay: $130,000.00 - $160,000.00 per year

Application Question(s):
  • DoD 8140/8570-compliant certification
  • Do you have direct experience implementing or managing FedRAMP compliance for cloud-based information systems?

Education:

  • Master's (Preferred)

Security clearance:

  • Secret (Required)

Ability to Commute:

  • Arlington, VA 22202 (Required)

Work Location: In person

Posted 2025-11-07
