Information Systems Security Officer

- Act as the primary technical lead for system-level Risk Management Framework (RMF) activities including security categorization, control selection, implementation, and assessment - Create and maintain system security documentation such as System Security Plans (SSPs), Security Assessment Reports (SARs), and Plans of Action and Milestones (POA&Ms) while ensuring compliance with continuous authorization - Conduct risk assessments to identify vulnerabilities, assess potential impacts, and propose mitigation strategies - Provide support for annual FISMA audits, Office of Inspector General (OIG) reviews, and internal compliance assessments using defensible technical evidence - Develop standardized risk metrics and dashboards to link system vulnerabilities with overall enterprise risk posture - Integrate security engineering practices into system designs and cloud architectures, ensuring adherence to security-by-design and Zero Trust principles - Collaborate with system engineers and developers to embed security controls within Continuous Integration/Continuous Deployment (CI/CD) pipelines and infrastructure-as-code deployments - Validate security control implementations through technical testing, configuration reviews, and vulnerability assessments - Examine secure architecture and offer technical consultation on encryption, access control, and network segmentation - Work alongside Security Operations Center (SOC) and vulnerability management teams to ensure findings are considered in risk posture and remediation planning - Formulate and sustain continuous monitoring strategies, implementing automated data feeds from various tools into Governance, Risk, and Compliance (GRC) systems - Verify that implemented controls are functioning as intended and yielding desired security outcomes - Track and report on control effectiveness and residual risks to leadership - Assist in the update of cybersecurity policies and Standard Operating Procedures (SOPs) to account for emerging threats and technologies - Mentor system owners and developers on secure design principles and RMF requirements - Support external audits by providing technical explanations and evidence of control effectiveness