In immediate need of an ISSM for a short-term contract in Washington, DC. The candidate works under general direction and performs all procedures necessary to ensure the security of information systems and to protect those systems from intentional or inadvertent access or destruction. Interfaces with the user community to understand their security needs and implements procedures to accommodate them. Ensures that the user community understands and adheres to the procedures necessary to maintain security. May require familiarity with domain structures, user authentication, and digital signatures. Conducts accurate evaluation of the level of security required. May require understanding of firewall theory and configuration. Must be able to weigh business needs against security concerns and articulate issues to management.
- Candidate must have senior-level experience in the implementation and execution of steps 1, 2, 3 and 6 of the Risk Management Framework (RMF): Categorize, Select, Implement and Monitor
- Ability to execute FIPS 199 security categorization, E-Authentication risk assessment, and Privacy Threshold Analysis/Privacy Impact Assessment (PTA/PIA); ability to describe the business processes supported by an application or information system; ability to define the functional characteristics of a system or application; ability to describe how and where a system or application is deployed across the development, test and operational environments; ability to define the flow of information to and from the information system or application; ability to define system users (internal, external, and those with elevated privileges) and their access privileges; ability to establish the logical and physical system boundary; ability to register a system as required and determine whether and where it is entered into the system inventory
- Ability to identify common and inheritable controls and determine their applicability to the system or application under review; ability to determine the security control baseline and to select and tailor controls in accordance with the system categorization and the business process needs of the agency; ability to draft a system/application continuous monitoring plan
- Ability to create concise security control implementation statements
- A complete understanding of the configuration management process as defined in NIST guidance; ability to conduct a security impact analysis; ability to review the selected sets of controls to be assessed during the continuous monitoring process; ability to create Plans of Action and Milestones (POA&Ms) with findings and mitigation plans (milestones); ability to monitor and manage POA&M remediation; complete understanding of the reporting and escalation process used in POA&M management; ability to update security plans and POA&Ms during the continuous monitoring process; ability to report the status of the system/application security posture; complete understanding of system decommissioning as it relates to the SDLC
- An understanding of information system architectures, technologies and protocols, including on-premises and contractor-operated environments (cloud, third party, hybrid)
- Senior-level ability to develop and deliver oral and written presentations for both executive and technical staff
- Senior-level experience with and knowledge of SA&A applications (e.g., Archer, Xacta, CSAM…)
- Experience in conducting interviews with key client stakeholders to evaluate the current state of information systems against information security practices
- Reviewing security policy and procedural documentation
- Reviewing system configuration data to identify security weaknesses
- Developing recommendations for security issues and vulnerabilities identified during assessments
- Provide ongoing subject matter expert support for clients
- Assist system owners with all assessment and authorization (A&A) activities
- Assist system owners with all continuous monitoring activities, including configuration management and change control
- Assist system owners with all security documents required to complete the NIST Risk Management Framework (RMF)
- Documentation of security needs and requirements
- Perform vulnerability and risk assessments that combine knowledge of business objectives, information flow, safeguard requirements, network architecture, and operational policies and procedures
- Provide recommendations regarding network security and security controls
- Development and maintenance of documentation, reports, project plans, and other materials
- Review documents and provide recommendations to the Authorizing Official (AO).
- Ability to use collaborative communication skills and establish productive working relationships.
- Awareness of the diagnostic and mitigation aspects of Information Security Continuous Monitoring.
- Assists in documenting and managing artifacts in online SharePoint and CSAM security repositories; SharePoint and CSAM experience is therefore a must.
- Responsible for ensuring, through continuous monitoring, that systems follow all required processes and procedures.
- Experience with NIST SP 800-53 Rev. 3 or Rev. 4.
- Bachelor's degree in computer science, computer information systems technology, or information technology is preferred.
Must have at least one IT security certification. The following are acceptable: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified Authorization Professional (CAP).
Job Status: Contract/Temporary