Strategic Resources
Vienna, VA | Full Time
$92k-111k (estimate)
11 Months Ago
IDIQ INFORMATION SYSTEMS SECURITY OFFICER

Sorry! This job is no longer available.

Strategic Resources is Hiring an IDIQ INFORMATION SYSTEMS SECURITY OFFICER Near Vienna, VA

Job Description

IDIQ INFORMATION SYSTEMS SECURITY OFFICER

Strategic Resources, Inc. (SRI) is an international, ISO 9001:2015 Certified, CMMI Level 3 rated full-service provider with more than 34 years of experience in the Federal, military, and commercial marketplaces.
Overview: The Department of Homeland Security, Management Directorate, Office of Procurement Operations has a requirement for the provision of Employee Assistance and Work Life Referral Service Program for all DHS employees and their immediate family members. The Information Systems Security Officer (ISSO) shall be responsible for all Contractor systems security work performed under this contract.

Responsibilities:

  • The ISSO shall be a single point of contact for systems security related issues.
  • The ISSO shall be able to read, write, speak, and understand English.
  • The ISSO shall be available to the Government via telephone between the hours of 8:00 am and 5:00 pm EST, Monday through Friday, and shall respond to a request for discussion or resolution of technical problems within 4 business hours of notification.
  • Complies with the ISSO Roles and Responsibilities as prescribed in the DHS 4300A Sensitive Systems Handbook, DHS National Security Systems Policy Directive 4300B, and DHS Sensitive Compartmented Information (SCI) Systems 4300C Instruction Manual.
  • Ensures that the security Assessment and Authorization (A&A) process is tracked, supported, and successfully completed.
  • Ensures the accuracy of continuous monitoring information at least monthly.
  • Ensures that all documentation leverages approved templates, forms, regulations, and methods.
  • Updates all security documentation, as necessary, to ensure that all information is current and that the templates, forms, regulations, and methods stay current with updates and changes in appropriate laws, regulations, mandates, directives, policies, or controls applicable towards a U.S. Federal Department / Agency throughout the lifecycle of the system.
  • Works with stakeholders to assign resources and establish timelines to ensure the successful Security Authorization of a system.
  • Ensures that all Security Authorization documentation is delivered in a timely manner and will not negatively impact the Authority to Operate (ATO) or system go live date.
  • Documents all relevant NIST Publications (continuously current versions), Office of Management and Budget (OMB) A-123 security controls, and DHS 4300A/B/C (continuously current versions) security controls, hardening / configuration guidance, and/or applicable departmental practices and procedures.
  • Drafts security packages and performs necessary modifications throughout the applicable Risk Management Framework, based on the compliance assessment schedule to ensure the system attains and maintains its ATO.
  • Works closely with the System Owner to identify any additional controls that are applicable to the system to maintain a positive security posture.
  • Provides oversight and advisement on all proposed changes to an IT System as it pertains to the potential change to the existing baseline, using the established change and configuration management process.
  • Works with auditors to identify Key Controls which must be assessed on a recurring annual basis.
  • Evaluates and provides advisement on all access requests for privileged accounts to IT systems.
  • Ensures software planned to be introduced to the production environment is evaluated and provides guidance regarding the potential for the software to introduce risk into the environment.
  • Tracks the deployment of software to the environment that is not part of the base image.
  • Ensures software deployed in the environment is audited on a quarterly basis.
  • Provides reports to System Owners, Federal ISSO, ISSM, and Operations and Maintenance (O&M) staff, tailored to the appropriate level of detail or abstraction.
  • Performs oversight of Information System Vulnerability Management (ISVM) inquiries and ensures that the inquiries are addressed and reported within the allotted timeframe and reported via the accepted methods and formats.
  • Generates Plan of Actions & Milestones (POA&Ms) for each non-compliant control and/or weakness based on the compliance assessment schedule.
  • Manages all applicable POA&Ms throughout the lifecycle of the IT system.
  • Supports the Security Incident Response team in the remediation, documentation and reporting of all incidents for the system.
  • Performs a weekly review of logs and presents a weekly system status report of any anomaly or malicious activity.
  • Participates in project discussions in support of the System Owner, ISSM, and Federal ISSO.
  • Tracks and reports security requirements throughout the life cycle of the system.
  • Provides support for all Office of the Inspector General (OIG) and other external audit activities.
  • Reviews the system security documentation when determining the appropriate security categorization.
  • Reviews selected controls that are to be implemented within the system’s security boundary.
  • Takes the appropriate DHS security training for ISSOs no more than 30 days after receiving the award and annually thereafter in accordance with DHS 4300 A or B or C as appropriate.
  • Provides oversight and guidance regarding requests to modify technical policies such as firewall rules, ports, protocols, etc. for the system.
  • Coordinates with and briefs Federal staff on all activities pertaining to the system as requested.
  • Maintains a thorough understanding of all configurations, architecture, installed software, accounts (both Operating System and Application), data flows, ports, protocols, and other relevant data for the system.
  • Ensures that the System Design Document for the system is updated by the appropriate operational group to accurately reflect the approved state of the system before the scheduled security assessment.
  • Ensures that Configuration Management is continuously updated with the appropriate system configurations via the program operation maintenance group.
  • Coordinates with and briefs the ISSM, Federal ISSO, and System Owner on all scores on the FISMA scorecard concerning activities pertaining to the system as requested.
  • Supports the system change management process by reviewing proposed Change Requests (CRs) and participates in the ICCB or C-ICCB where the proposed changes are reviewed.
  • Reviews the baseline security controls in the FedRAMP security controls listed at: www.fedramp.gov.
  • Based on the compliance assessment schedule, assists in obtaining the regular reports from the Cloud Provider Security Monitoring Operations (e.g., SOCs) for Cyber Security Risk Management and Compliance (CRMC) support.
  • Assists with communication and coordination between the DHS Incident Response and the Cloud Provider Incident Responders in any incident handling activities involving DHS data.
  • Engages the Common Control Working Group (CCWG), and ISSMs to further educate them on policies, standards, processes, and procedures for FedRAMP and Common Controls.

Minimum Required Skills, Education, Experience & Abilities:

  • A bachelor's degree in computer science, engineering, or mathematics strongly preferred.
  • Experience in IT or cybersecurity (5-10 years)
  • CISSO, CISSP, or CISM preferred.
  • Experience with network administration.
  • Experience with Linux and Windows.
  • Analytical and technical skills.

Details

Employee Type
Full-Time Regular

Location
Vienna VA

Security Requirement
National Agency Check w/ Inquiries

Date Posted
6/07/2023

Job Summary

  • Job Type: Full Time
  • Industry: Durable Manufacturing
  • Salary: $92k-111k (estimate)
  • Post Date: 06/09/2023
  • Expiration Date: 05/22/2024
  • Website: sri-hq.com
  • Headquarters: Henderson, NV
  • Size: 500 - 1,000
  • Founded: 1988
  • Type: Private
  • CEO: Kenneth C Knudson
  • Revenue: $10M - $50M

About Strategic Resources

SRI is a provider of technical and support services for management consulting, logistics, telecommunications and information technology companies.
