Information Systems Security Officer

Business Operational Concepts, LLC

$110K — $140K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • CISSP certification required
  • Bachelor's in Computer Science, Information Systems, or Engineering
  • 3-5 years in security engineering, GRC, or cybersecurity risk management
  • Familiarity with GRC platforms (e.g., Archer, ServiceNow IRM) and technical tools (e.g., Nessus, Splunk)
  • U.S. citizenship required. Must maintain Public Trust clearance or ability to obtain.

Responsibilities

  • Collaborate with system owners and developers to ensure secure agency information systems
  • Lead system-level RMF activities including security categorization and control assessment
  • Develop and maintain comprehensive security documentation to ensure compliance
  • Conduct risk assessments and recommend strategies for risk mitigation
  • Embed security practices into system and cloud architecture design
  • Integrate security controls into CI/CD pipelines and automation scripts
  • Validate security control implementations through technical testing and reviews

Benefits

  • Opportunity for professional growth and development
  • Engagement with cutting-edge technologies in cloud security
  • Collaboration with multidisciplinary teams in a dynamic environment
  • Involvement in shaping cybersecurity policy and practices
  • Potential for obtaining advanced certifications and training opportunities
Full Job Description
Job Title

Information Systems Security Officer

Location

Washington, DC 20415 US (Primary)

Category

Information Technology

Job Type

Full Time

Career Level

Professional

Education

Refer to Job Requirements: Qualifications

Travel

Occasional

Salary Range

$110,000 - $140,000

Security Clearance Required

None

Salary Grade

Job Description

JOB SUMMARY:

Business Operational Concepts (BOC) is currently seeking an Information Systems Security Officer (ISSO) to work with our government client. The selected candidate will serve as a technical and governance subject matter expert responsible for integrating cybersecurity risk management with system and infrastructure engineering. This position bridges the traditional gap between GRC and technical implementation by ensuring security is designed, implemented, and continuously monitored throughout the system development life cycle (SDLC).

DUTIES AND RESPONSIBILITIES:

The incumbent collaborates with system owners, developers, cloud and DevSecOps engineers, and security control assessors to ensure the confidentiality, integrity, and availability of agency information systems in alignment with federal requirements (e.g., FISMA, NIST RMF, FedRAMP, and OMB guidance).

Job Requirements

QUALIFICATIONS:

Required (Minimum) Qualifications - Education, Certification, Experience, and Skills

Certifications: CISSP

Risk Management and Governance (40%)
  • Serve as the primary technical lead for system-level RMF activities, including security categorization, control selection, implementation, and assessment.
  • Develop and maintain system security documentation (SSPs, SARs, POA&Ms) and ensure continuous authorization (O-ATO) compliance.
  • Conduct risk assessments to identify vulnerabilities, evaluate likelihood and impact, and recommend mitigation strategies.
  • Support annual FISMA audits, OIG reviews, and internal compliance assessments with defensible technical evidence.
  • Develop standardized risk metrics and dashboards that link system vulnerabilities to enterprise risk posture.

Security Engineering and Architecture Integration (35%)
  • Embed security engineering practices into system design and cloud architectures, ensuring 'security-by-design' and 'Zero Trust' principles.
  • Partner with system engineers and developers to integrate security controls in CI/CD pipelines, automation scripts, and infrastructure-as-code deployments.
  • Validate security control implementations through technical testing, configuration review, and vulnerability analysis.
  • Conduct secure architecture reviews and provide technical consultation on encryption, access control, and network segmentation.
  • Collaborate with SOC and vulnerability management teams to ensure findings inform risk posture and remediation planning.

Continuous Monitoring and Technical Validation (15%)
  • Develop and maintain continuous monitoring strategies and implement automated data feeds from scanners, SIEM, and cloud tools into GRC systems.
  • Validate and verify that implemented controls are operating as intended and produce desired security outcomes.
  • Track and report control effectiveness and residual risks to leadership.

Policy, Audit, and Training Support (10%)
  • Support updates to cybersecurity policy, SOPs, and agency guidance to reflect emerging threats and technologies.
  • Provide training and mentoring to system owners and developers on secure design and RMF requirements.
  • Support external audits by providing technical explanations and evidence of control effectiveness.

Knowledge, Skills, and Abilities (KSAs)
  • Security Engineering: Knowledge of systems design, cloud infrastructure, encryption, access control, and secure configuration management.
  • Risk Management: Knowledge of the principles and tools used for risk assessment and mitigation.
  • Compliance & Governance: Expertise in NIST SP 800-37, SP 800-53, SP 800-53A, FIPS 199/200, FedRAMP, and OMB A-130.
  • Vulnerability Management: Ability to analyze vulnerability data, interpret scanning results, and evaluate technical mitigations.
  • Automation & Tools: Familiarity with GRC platforms (e.g., Archer, ServiceNow IRM, Xacta) and technical tools (e.g., Nessus, Splunk, AWS Config, Prisma).
  • Communication: Skill in articulating technical risks and recommendations to both executive and technical audiences.
  • Collaboration: Ability to partner effectively across multidisciplinary teams including developers, engineers, and policy staff.
  • U.S. Citizenship required.
  • Active Public Trust or higher clearance (or ability to obtain).
  • Bachelor's degree in Computer Science, Information Systems, Engineering, or equivalent experience.
  • 3-5 years of experience in security engineering, GRC, or cybersecurity risk management.

Preferred Qualifications - Education, Certification, Experience, Skills, Knowledge, and Abilities
  • Desired Certifications: CISM, CAP, CGRC, CEH, Security+, or Cloud Security certifications

CLEARANCE REQUIREMENTS:

Public Trust or the ability to obtain and maintain a Public Trust clearance. (Applicants selected will be subject to a government security investigation and must meet eligibility requirements for access to classified information.)
