Job Description
Position/Title: Systems Engineer, Senior - Information System Security Officer (ISSO)
Task Order: Pinnacle TO1 - Extended PoP - 25 October 2024
- Facilitate Assessment and Authorization (A&A) of internally developed applications and systems by leveraging the customer's A&A tools and applying applicable organizational and Intelligence Community (IC) policies to achieve the desired Authorization to Operate (ATO) status.
- Serve as an advisor to the system owner and project team on the security implications of their system development decisions.
- Register the system in the organizational A&A tool.
- Identify system security boundary
- Calculate Confidentiality, Integrity, and Availability values for the system
- Calculate Overlay Values, if any, for the system
- Determine applicable system layers (i.e., Application, Service, Data-store, Operating System, hardware, and/or Network)
- Address applicable security controls by gathering or generating associated artifacts (i.e., bodies of evidence)
- Assist in the evaluation of security solutions to ensure they meet applicable security controls for processing classified information.
- Work with system owner and project team to implement mitigation strategies for controls.
- Formulate appropriate Plan of Action(s) and Milestone(s) (POAMs) or Risk Acceptance (RA) justification to mitigate/address affected security controls.
- Conduct monthly Rapid7 vulnerability scans to identify vulnerabilities (including known CVEs) and implement mitigation strategies (e.g., patching, software updates, configuration changes). Ensure that remediation actions driven by scan results, POAMs, and Risk Assessments are implemented.
- Upload scan results to customer A&A tool repository.
- Work with appropriate organizational External Partners that have a stake in the system's cyber security posture to provide them with applicable documentation (e.g., Contingency Plan, System Dependencies, Configuration Management).
- Work with the appropriate ISSMs and Assessors to arrange Technical Exchange Meetings (TEMs) to obtain system security guidance and clarification.
- Solid knowledge of Intelligence Community Directive 503 (ICD 503) and the Risk Management Framework (RMF) it implements, sufficient to step a system through each RMF stage.
- Solid knowledge of the Committee on National Security Systems Instruction 1253 (CNSSI 1253) security controls and overlays.