Information Systems Security Officer (ISSO) Systems Engineer (Level 2)
Upper Marlboro, MD · Information Technology
Provides support for a program, organization, system, or enclave’s information assurance program. Provides support for proposing, coordinating, implementing, and enforcing information systems security policies, standards, and methodologies. Maintains the operational security posture for an information system or program to ensure information systems security policies, standards, and procedures are established and followed. Assists with the management of security aspects of the information system and performs day-to-day security operations of the system. Evaluates security solutions to ensure they meet security requirements for processing classified information. Performs vulnerability/risk assessment analysis to support certification and accreditation. Provides configuration management (CM) for information system security software, hardware, and firmware. Manages changes to the system and assesses the security impact of those changes. Prepares and reviews documentation to include System Security Plans (SSPs), Risk Assessment Reports, Certification and Accreditation (C&A) packages, and System Requirements Traceability Matrices (SRTMs). Supports security authorization activities in compliance with the NSA/CSS Information System Certification and Accreditation Process (NISCAP) and the DoD Risk Management Framework (RMF).
Other Qualifications: Ten (10) years of experience as an ISSO on programs and contracts of similar scope, type, and complexity is required. A Bachelor’s degree in Computer Science or a related discipline from an accredited college or university is required. DoD 8570 compliance with Information Assurance Management (IAM) Level I or higher is required. Four (4) years of additional experience as an ISSO may be substituted for a bachelor’s degree. Experience is to include at least two (2) of the following areas: knowledge of current security tools; hardware/software security implementation; communication protocols; and encryption techniques/tools.
In addition to the minimum required experience specified in the Statement of Work for the selected labor category, the following special technical skills are also required:
Experience as an ISSO supporting major federal information systems/applications
At least 5 years of experience in one of the following areas: knowledge of current security tools, hardware/software security implementation, communication protocols, or encryption techniques/tools
5+ years of experience with developing Risk Management products and working through system accreditations.
Experience interfacing with information assurance managers, including reviewing documentation such as systems security plans (SSPs), risk assessment reports, accreditation packages, and Plans of Action and Milestones (POA&Ms).
Experience working with the XACTA IA Manager.
Knowledge of systems and network security, auditing, and user authentication
Solid understanding and experience with the Risk Management Framework
Experience with national security information system security requirements (e.g., JSIG, ICD 503, RMF, DAAPM, or NISPOM), to include technical computer/network system auditing.
Experience in the oversight and execution of the Assessment & Authorization processes (a.k.a. Certification & Accreditation).
DoD 8570 compliant certification, including IAM Level I or greater (Security+, CISSP, CISM, CASP, CSSLP, etc.)
Experience creating and presenting documentation and management reports.
Perform on-call duties as needed
In addition to the minimum required experience specified in the Statement of Work for the selected labor category, the following special technical skills are also desired:
Have worked in the role of an ISSO/ISSE or ISSM
Experience with Enterprise Linux based operating systems
Knowledge of networking principles (i.e., firewall implementations, configuration, network monitoring, and associated protocols)
Experience with USG STE/STN requirements
Expertise in Microsoft Office Suite (MS Word, PowerPoint, Excel, Project)
Experience developing system security plans (SSPs) and associated artifacts (e.g., POA&Ms), and obtaining authorizations to operate (ATOs)
Experience conducting system/network audits and remediating cyber incidents.
A working knowledge of the security authorization processes and procedures as defined in the Risk Management Framework, NIST SP 800-37.
Familiarity with ICD 503, CNSSI 1253, NIST SP 800-53, etc.