Jan 10
Public Trust
Senior Level Career (10+ yrs experience)
$120,000
No Traveling
IT - Security
Position Description:
The Information System Security Officer (ISSO) is responsible for the cybersecurity of a program, organization, system, or enclave. The ISSO ensures that the security and privacy posture is maintained for an organizational system and works in close collaboration with the agency system owner. The ISSO serves as a principal advisor on all matters, technical and otherwise, involving the security and privacy controls for the system and has the knowledge and expertise to manage the security and privacy aspects of an organizational system.
Experience:
Requires 8-10 years of relevant cyber security experience, including experience in a senior role.
Certification Requirement:
The ISSO candidate is required to hold an active ISC2 Certified Information Systems Security Professional (CISSP) certification and keep it throughout the period of performance of the Task Order.
Security Requirements:
All candidates shall be U.S. citizens who can successfully pass the background investigation.
Qualifications:
SKILLS
· Execute the Security Authorization Package Development project plan for each new or existing Information System, developing security documentation in accordance with the approved Security Authorization Package Development project plan
· Hands-on experience creating RMF-related documents for new and O&M systems
· Strong critical analysis skills in analyzing a system's current security posture and identifying the gaps.
· Assessing security and privacy controls based on cybersecurity and privacy-related principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
· Applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
· Determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect the security and privacy of the system
· Skilled technical writer, able to write about facts and ideas in a clear, convincing, and organized manner.
KNOWLEDGE
· An organization's information classification program and procedures for information compromise.
· Applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
· Application Security Risks (e.g. Open Web Application Security Project Top 10 list)
· Authentication, authorization, and access control methods.
· Computer algorithms.
· Controls related to the use, processing, storage, and transmission of data.
· Critical information technology (IT) procurement requirements.
· Current and emerging threats/threat vectors.
· Current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
· Cyber defense and information security policies, procedures, and regulations.
· Cyber defense and vulnerability assessment tools and their capabilities.
· Log capture and log analysis tools
· Enterprise incident response program, roles, and responsibilities.
· How traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
· Incident categories, incident responses, and timelines for responses.
· Incident response and handling methodologies.
· Industry-standard and organizationally accepted analysis principles and methods.
· Information security program management and project management principles and techniques.
· Intrusion detection methodologies and techniques for detecting host and network-based intrusions.
· Laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
· Measures or indicators of system performance and availability.
· Network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
· Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
· Network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
· Network traffic analysis methods.