CLEARANCE: TS/SCI w/CI Poly
LOCATION: Onsite, Herndon, VA
TRAVEL: None
JOB DESCRIPTION
The Information Assurance/Security Engineer, Level 4 (ISSO), plays a vital role in supporting the security and compliance of information systems within an Intelligence Community (IC) environment. This position involves the design, implementation, and continuous monitoring of security controls to ensure the integrity, confidentiality, and availability of mission-critical systems and data. As an ISSO, you will be responsible for defining security requirements, conducting vulnerability assessments, implementing Security Technical Implementation Guides (STIGs), and supporting security authorization processes in alignment with NIST Risk Management Framework (RMF), FISMA, and other industry standards.
In this role, you will engage in a range of activities to safeguard systems, including configuring security tools such as Splunk, developing Security Test Procedures (STPs), conducting risk analysis, and providing security oversight in Agile development settings. Your work will also include collaborating with system administrators and architects to identify and resolve vulnerabilities, ensuring compliance with regulatory requirements, and supporting reporting to key IC and DoD authorities. You will play a pivotal role in maintaining the security posture of the organization by ensuring that all systems meet or exceed security requirements and compliance standards.
This position is ideal for a highly skilled ISSO professional with a strong background in security engineering, compliance, and risk management, ready to contribute to national security efforts through secure system design and monitoring.
Job Duties
Security Design & Integration
- Define and integrate information security requirements into hardware, operating systems, and software applications to meet cybersecurity objectives and compliance standards.
- Develop and implement security designs that ensure systems and components align with cyber security requirements, including Security Controls Traceability Matrix (SCTM) compliance.
- Assist system architects and developers in identifying and implementing appropriate security functionalities to ensure consistent application of security policies.
- Support security authorization activities, ensuring alignment with the NIST Risk Management Framework (RMF) and compliance with FISMA, NIST SP 800-53, and related regulations.
- Validate control implementations to ensure they enforce required data access and network flow restrictions as part of a continuous monitoring strategy.
Vulnerability Assessment & Risk Analysis
- Conduct risk analysis using tools like ACAS, CVEs, and plugins to identify security vulnerabilities and assess their impact on the system.
- Provide risk analysis and remediation guidance to system administrators, collaborating to mitigate vulnerabilities.
- Develop and manage Plans of Action & Milestones (PO&AMs) for identified vulnerabilities, tracking progress and remediation efforts.
- Guide the remediation of vulnerabilities and malware, offering technical recommendations to prevent future incidents.
Security Testing & Monitoring
- Implement, validate, and enforce Security Technical Implementation Guide (STIG) requirements for system security and compliance.
- Develop, customize, and configure security monitoring tools such as Splunk to provide enhanced visibility into security events and activities.
- Develop and execute Security Test Procedures (STP) to verify compliance with required security configurations and ensure systems are meeting security standards.
- Conduct self-assessments and support A&A testing to validate the security designs and configurations of existing or new systems.
- Execute continuous monitoring efforts, responding to security data calls, scan requests, and weekly/monthly reporting requirements.
Reporting & Documentation
- Provide detailed and timely reports on system security status, vulnerabilities, and compliance activities to senior management and government stakeholders.
- Prepare and maintain documentation for security processes, assessments, configurations, and policies, ensuring all security measures are properly documented and tracked.
- Participate in the preparation of reports for compliance with government security and regulatory frameworks (e.g., NIST, FISMA, DoD policies).
- Assist in preparing and delivering security documentation for security audits, assessments, and certifications.
Collaboration & Stakeholder Engagement
- Work with system administrators, engineers, and developers to ensure security controls are applied consistently across all stages of system development and operations.
- Participate in Agile planning events, providing input on security requirements and ensuring security is integrated into development workflows.
- Collaborate with government authorities, such as USCYBERCOM and IC-SCC, to address security concerns and ensure compliance with federal security mandates.
- Engage with external agencies for support and validation during the certification and accreditation process.
Incident Response & Security Remediation
- Provide guidance and support for incident handling, ensuring that security events are promptly identified, analyzed, and mitigated.
- Assist in the investigation and resolution of security incidents, coordinating with incident response teams and providing expert analysis to prevent future occurrences.
- Ensure that incident response procedures align with federal and organizational security policies, maintaining appropriate documentation of events and actions taken.
Agile Development & Secure System Lifecycle
- Participate in Agile development sprints to ensure security requirements are incorporated into the development process from the outset.
- Integrate security features into commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) systems throughout their lifecycle.
- Advise on secure system integration, cross-domain solutions, and secure coding practices to minimize risk during system design and development.
QUALIFICATIONS
Citizenship & Residence:
- Applicants must be U.S. citizens.
Minimum Years of Experience Required:
- 4 years: Job-related experience including Information Systems Security Officer (ISSO), NIST, FISMA and other regulatory requirements.
- 8 years: Relevant Information Assurance and Information Security.
Security and Compliance Frameworks
- FISMA compliance
- NIST RMF, NIST SP 800-37, NIST SP 800-53, NIST SP 800-53A
- CNSSI No. 1243 (Certification & Accreditation)
- DoD Security Technical Implementation Guides (STIGs)
- Security Content Automation Protocol (SCAP)
- NIST Cybersecurity Framework (CSF)
Risk Management and Vulnerability Assessment
- Risk analysis and assessment (ACAS, CVEs, CWEs, and plugins)
- Plans of Action & Milestones (PO&AM) management
- Vulnerability remediation and malware guidance
- Security Control Assessment (SCA) and evaluation
- Incident handling, response, and remediation
- FISMA and NIST certification requirements experience
Tools and Technologies
- Splunk configuration and dashboard creation
- Experience with Xacta and CSAM tools
- Experience with AWS security configurations
- Familiarity with ACAS, Nessus, OpenVAS, and similar vulnerability scanning tools
- Security Information and Event Management (SIEM) tools
System Security Design and Architecture
- Security architecture design and integration
- Security testing and validation (Security Test Procedures, STIG validation)
- System integration and cross-domain solutions
- Authentication, authorization, and cryptographic techniques
- Configuration management and change control
Communication and Reporting
- Advanced verbal and written communication skills
- Preparation of security reports and technical documentation
- Experience presenting findings to government agencies (e.g., USCYBERCOM, IC-SCC)
- Policy development and security training for federal or DoD programs
Agile and Development Integration
- Agile development lifecycle participation
- Integration of security into DevSecOps environments
- Secure coding and software development best practices
Desired Additional Experience:
- Experience in Security Control Assessments (NIST SP 800-37, SP 800-53A).
- Familiarity with CSAM tool for risk management and compliance.
- Experience with Amazon Web Services (AWS), Xacta, and FISCAM compliance.
Education
Bachelor's degree in Computer Science, Information Security, Information Technology, or a related field from an accredited university.
-OR-
Master's degree in a relevant field; this may reduce the minimum number of years of experience by 2 years.
-OR-
Waiver: A Bachelor's degree may be waived with four (4) additional years of ISSO experience.
Certification(s)
Required:
- Security+, CISSP, CISA, or equivalent certification (DOD 8570 IAM 2 level or higher).