Information System Security Officer (ISSO)

Description

Job Description:

The Federal Health Operation has an opening for an Information System Security Officer (ISSO) located at Ft. Detrick, MD. The position is with the Enterprise Information Technology (eIT) Project Management Office (PMO), supporting medical research activities. Candidate will work for the eIT PMO Compliance Lead.

The ISSO will frequently interface with the Govt Cyber Consultant and ISSM regarding the status of the eIT PMO system(s). The ISSO is responsible for implementing and maintaining the Project’s cybersecurity compliance in DHA’s eMASS. This position will work closely with the CITI team, Product Development & Sustainment, and Cyber/Compliance Teams to evaluate the organization’s security needs and establish best practices and standards to support the eIT PMO Projects, such as Medical Research Information Technology System (MeRITS). The ISSO will assist be designing, implementing, maintaining and upgrading all security measures needed to protect organizations’ data, systems, and networks in compliance with U.S. Government / DoD / Army / DHA and USAMRDC Cybersecurity regulations and policies. Daily activities include handling routine administrative and technical tasks such as vulnerability scanning, evaluating Security Technical Implementation Guides (STIGs), cyber audits, entering data and updating the Risk Management Framework (RMF) activities, responding to security questions from System/Database Administrators, and reporting.

PRIMARY DUTIES:

Assist in maintaining the MeRITS Risk Management Framework (RMF) package within Enterprise Mission Assurance Support Service (eMASS), including managing assets, loading scans, and updating POA&Ms. Validate security configurations on system components by performing periodic vulnerability assessments to ensure the eIT PMO systems are being maintained in accordance with the Authority to Operate (ATO). This includes checking for changes in Information Assurance Vulnerability Assessment (IAVA) and Security Technical Implementation Guidelines (STIG) compliance within the scope of applicable configuration management guidelines. Provide IA technical insight and guidance to the technical staff on an as needed basis via team meetings, and Engineering Review Board (ERB) meetings. Propose technical and procedural solutions to the system and database admins for vulnerabilities and risks discovered during vulnerability assessments. Conduct Assured Compliance Assessment Solution (ACAS) scans (both scheduled and on-demand). Conduct review and analysis of scan results. Required accounts: The ISSO must request and receive access to DHA Enterprise Mission Assurance Support Service (eMASS), (ACAS), and Host Based Security System (HBSS) accounts. Additionally, it is required to sign up to receive notifications of IAVMs. Be prepared to respond to cybersecurity issues that extend beyond normal duty hours, with the ability to adapt the work schedule to maintain a 40-hour work week. Have the ability to work overtime hours only in support of emergency cybersecurity issues such as contingency and recovery operations. Ability to understand the DHA CSTAR system to support as needed for RMF activities.

SECONDARY AND/OR MORE SPECIFIC DUTIES:

Report any cybersecurity issues/concerns to the eIT PMO Cyber Consultant and ISSM periodically via the Technical In-Progress Report brief. Participate in recurring IA and Engineering Review board meetings. Contribute to weekly status reports. Provide cyber security support in the areas of security engineering and information assurance requirements. Provide planning oversight and execution of the RMF via eMASS for eIT PMO. Report daily findings and recommendations in order to maintain the eIT/PMO ATO. Review proposed system changes for ERB-review and determine how those changes affect the overall project from a cybersecurity perspective. Conduct weekly Information Assurance Vulnerability Management (IAVM) reviews to determine applicability to the eIT PMO infrastructure, operating systems, and applications. The ISSO shall analyze the results of automated scans and manual checks for compliancy status, and document the findings in a Plan of Action and Milestone (POA&M) within eMASS. Draft IA related Change Requests (CRs) and Change Proposals (CPs) for submission through the eIT PMO Configuration Management process. Detail impacts to the Project and discuss with the Validation Analyst the recommended level of testing. Identify vulnerabilities that are needed to ensure findings are remediated and the project remains Cybersecurity compliant. Contribute to and document the mitigation/remediation strategy for every non-compliant IA control within eMASS. Perform monthly security reviews using the SCAP tool (or equivalent) to analyze the available Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) to determine applicability and compliance to the overall Project, operating systems, and applications, and document the review’s results in a monthly STIG compliance report. Coordinate and participate in periodic exercises, such as the Continuity of Operations Plan (COOP) exercise, RMF annual security review, Incident Response Plan (IRP) exercise. Provide impact statements of non-mitigatable findings to the ISSM. Contribute to the documentation of deficiencies and lessons learned during accreditation activities in the IA Post Exercise Report and recommended solutions or actions to correct any accreditation discrepancies. Assist the ISSM in responding to SCA-V requirements such scoping questionnaire, accreditation artifacts and other information required to be uploaded in eMASS. Assist and advise the eIT Government and ISSM in responding to eIT cyber governance, compliance, issues, risks, and concerns. Create and maintain cybersecurity related documentation including Cybersecurity Management Plan and related SOPs.

Basic Qualifications

BS Degree and and 4 – 8 years of prior relevant experience

MUST HAVE:

• Completed IAM-II approved baseline certification as required per DoD, eIT PMO, and contracting agency.

IAM-II includes a Certified Information System Security Professional (CISSP) equivalent certification. Other examples: CAP, CASP+ CE, CISM, GSLC, CCISO, HCISPP. Need technical skills to perform the job.

Must have a college degree from an accredited university or equivalent experience, with IAM Level II Approved Baseline Certification. Knowledge of MeRITS suite of products currently within eIT PMO is a plus. Examples: CMT, eCTD, EDC, EDMS, LIMS, SAE Must have excellent English, written and interpersonal communication skills. Must be proficient with Adobe Acrobat, Notepad, Microsoft Office Suite programs. Familiar with the RMF process as well as eMASS, Nessus-ACAS, HBSS and IAVM alerts. Familiarity with good documentation practices. Must be able to successfully complete a Single Scope Background Investigation (SSBI). U.S. citizenship or permanent residency is required. Required Knowledge, Skills and Abilities knowledge of applicable highly complex office procedures and techniques relating to position. Ability to learn quickly, pay attention to detail, and work effectively with others and independently.

Preferred Qualifications

Be able to communicate with users and vendor support about problems with the system. In-depth knowledge of DoD Acquisition process per DoD 5000.75 Agile methodology

Pay Range: