Information Systems Security Officer (ISSO)
Washington, DC, United States
Full Time Clearance required USD 98K - 183K * est.
Credence Management Solutions, LLC
Overview
Credence is one of the largest and fastest-growing privately held government technology and services companies and is repeatedly acclaimed as a Top Workplace, as evidenced by our awards, certifications, and maturity levels, as well as the agility and responsiveness with which we tackle our customers' most challenging mission needs. We also offer comprehensive benefits including health insurance with dental and vision coverage, retirement savings plans with employer matching, paid time off, and opportunities for professional development and growth. Additionally, employees enjoy wellness programs, flexible work arrangements, and various discounts and perks to support their overall well-being and work-life balance.
Credence is seeking an Information System Security Officer (ISSO) to provide IT professional support for ISSO activities, working with system owners and other operations and maintenance (O&M) staff at the DOJ Federal Bureau of Prisons (FBOP) to ensure compliance with DOJ security requirements and standards.
Responsibilities include, but are not limited to, the duties listed below:
- Provide ISSO support for the review of security assessments and associated documentation; capture IT security changes of relevance; and maintain IT system profiles in the DOJ's Cyber Security Assessment and Management (CSAM) repository, in both on-premises and cloud instances.
- Develop IT Security Plans of Action and Milestones (POA&Ms) from CSAM, aid in planning and implementing migration strategies as necessary, and perform annual security assessments, including NIST SP 800-53 assessments and independent security assessments, as required.
- Develop and maintain an IT System Security Compliance Schedule that addresses POA&M action items, required ITSS reports and updates, Change Control Board meetings, scheduled vulnerability scans, and updates to system IT security documentation.
- Collaborate with O&M support teams to develop and coordinate authorization documentation associated with DOJ and customer processes, including the System Categorization, System Security Plan, and system risk assessment.
- Review information system infrastructure and application architecture to assess security requirements, and confirm Security Authorization Scope, including identifying the hardware and software components to be covered by the Security Authorization Package.
- Conduct assessments of assigned information systems security requirements, evaluate current security posture and recommend priorities for remediation. Assess and plan the engagement, leveraging relevant work completed for other systems to achieve schedule cost savings and minimize impact on customer staff resources.
- Update System Security Plans (SSPs) for IT systems and complete the appropriate activities in CSAM to permit generation of a complete SSP; coordinate distribution of the SSP for review by project teams and track progress; and revise applicable areas in the CSAM tool as required.
- Update and maintain associated security plans using DOJ templates for the contingency plan; configuration management plan; incident response plan; and security awareness, training, and education plan.
- Complete security test and evaluation (ST&E) of IT systems using DOJ's CSAM tool: verify the ST&E using test cases; coordinate distribution of the ST&E for review by project teams and track progress; and revise the ST&E as required.
- Complete risk assessments (RAs) for IT systems: verify the risk assessment using test cases; coordinate distribution of the risk assessment for review by project teams and track progress; and ensure that accurate risk information is entered into CSAM.
- Perform Independent Verification and Validation (IV&V) of controls as required.
- Complete the Certification Statement: review the SSP, ST&E, and RA, and include the vulnerabilities revealed in each.
- Draft, approve, and validate POA&Ms while ensuring they are kept up to date and accurate and represent a true plan to mitigate identified security weaknesses.
- Assess NIST SP 800-53 Rev. 4 controls and document results in the DOJ's CSAM repository. Ensure that CSAM contains quality data that is consistent with DOJ requirements.
- Review and conduct NIST-based self-assessments, identify any weaknesses that need to be addressed, and develop a POA&M for each weakness based on industry best practices.
- Support and document security control tests, assist in remediation, and ensure that POA&Ms are being appropriately managed.
- Evaluate and strengthen standard SA&A documentation and Security Assessment Reports, and provide security infrastructure recommendations (e.g., IDS, firewalls, vulnerability scanning tools).
- Using CSAM, generate the Certification and Accreditation (C&A) package.
- Assist with review and strengthening of Business Continuity and Contingency Plan documents.
- Develop and submit memoranda from the Certification Official and the Designated Approving Authority.
Education, Requirements and Qualifications
- Ability to obtain a Public Trust is required. A Top Secret security clearance is preferred.
- Bachelor's degree (or significant equivalent experience)
- Five (5) years of expertise in developing, maintaining, and assessing Security Assessment & Authorization (SA&A) packages resulting in an authority to operate (ATO) for IT systems.
- Must possess at least one of the following certifications: CISSP, CAP, Security+, CISA, or CISM.
- Must be able to function resourcefully and independently and work with a diverse team of IA/cybersecurity practitioners
- Strong written and verbal communication skills required.
- Experience working within DOJ Offices, Boards, and Divisions (OBDs), with an understanding of their unique organizational security policies and security control implementations within specific IT environments, is desired.
* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰