ECS is seeking an experienced Senior Information Systems Security Engineer to support a mission-critical federal cybersecurity program in the National Capital Region or Huntsville, Alabama. This role provides senior-level cybersecurity engineering support for Security Assessment and Authorization, Risk Management Framework execution, technical control implementation, security assessment, continuous monitoring, vulnerability remediation, audit readiness, and risk management for federal information systems.
Please Note: This position is contingent upon contract award.The selected candidate will coordinate with system owners, ISSOs, ISSMs, engineering teams, program leadership, and authorization stakeholders to strengthen authorization package quality, reduce technical control gaps, improve evidence completeness, and support timely, defensible risk-based decisions. Depending on assignment, the ISSE3 may support division-level security engineering, resource and project coordination, or new cloud technology security activities.
Key Responsibilities include:
- Lead and support implementation of the Security Assessment and Authorization program for assigned federal information systems.
- Support RMF activities across the Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor phases.
- Guide system categorization based on mission impact, classification, FIPS 199 categorization, hosting environment, technical complexity, data sensitivity, and applicable federal cybersecurity requirements.
- Advise on the selection, tailoring, implementation, testing, and documentation of security controls aligned to system risk posture and authorization needs.
- Develop, review, and improve RMF and SAA artifacts, including System Security Plans, control implementation descriptions, security assessment plans, security test plans, risk assessments, POA&Ms, continuous monitoring artifacts, inventories, network diagrams, data flow diagrams, and authorization packages.
- Support security control assessments by reviewing technical and procedural controls, validating evidence, identifying gaps, documenting findings, and supporting risk-based recommendations.
- Identify technical control gaps, assess risk, recommend remediation strategies, and coordinate corrective actions with system owners, engineers, ISSOs, and ISSMs.
- Support vulnerability remediation activities, including scan result analysis, POA&M development, remediation tracking, control impact analysis, and response to vulnerability reporting requirements.
- Support FISMA audit preparation, documentation quality reviews, evidence validation, audit response packages, and corrective action planning.
- Review proposed technical changes for security impact, compliance implications, architecture alignment, vulnerability exposure, and required mitigation.
- Support cloud-hosted, hybrid, or newly introduced technologies, including review of cloud control implementation, architecture, inherited controls, and authorization evidence, as assigned.
- Develop or improve templates, checklists, SOPs, evidence standards, control implementation guidance, dashboards, and repeatable processes to improve quality, consistency, and efficiency.
- Track and communicate risks, findings, remediation status, assessment progress, documentation quality, schedule concerns, and improvement opportunities to program leadership and stakeholders.
- Mentor cybersecurity personnel and help drive complex security engineering activities to closure.
- Active Top Secret clearance with SCI eligibility.
- U.S. citizenship.
- Minimum of 8 years of experience in secure design, analysis, and testing of information security systems and products.
- Minimum of 8 years of experience applying cybersecurity methods, standards, and approaches to ensure baseline security safeguards are properly implemented and documented.
- Minimum of 8 years of experience creating or updating security test plans for detecting, assessing, and mitigating risk to information systems.
- Experience supporting RMF, Security Assessment and Authorization, ATO, continuous monitoring, security control implementation, security assessment, POA&M management, and authorization package development.
- Strong understanding of NIST SP 800-53, NIST SP 800-53A, FIPS 199, FIPS 200, CNSS requirements, FISMA, vulnerability management, and federal cybersecurity policy.
- Experience assessing technical security evidence and developing risk-based recommendations for decision-makers.
- Strong written and verbal communication skills, including the ability to explain technical risks, evidence gaps, remediation options, and authorization impacts to technical and non-technical stakeholders.
- Ability to coordinate across system owners, engineering teams, ISSOs, ISSMs, program leadership, and authorization stakeholders.
- CISSP or CEH certification required.
