ISSO - Information Systems Security Officer

Description of Task to be Performed:

AnaVation is seeking an Information System Security Officer (ISSO) to support the security posture of systems, applications, and networks. In this role, the ISSO will apply current Information Assurance (IA) technologies to the architecture, design, development, evaluation, and integration of enterprise environments to ensure compliance with Federal Information Security Modernization Act (FISMA) requirements and applicable security standards.

The ideal candidate will advise the Government on the use of security methods and technologies, including encryption, vulnerability analysis, and security management standards, to protect Government systems and applications. This role requires close coordination with program leadership, infrastructure teams, developers, and other security stakeholders to maintain compliance, support RMF activities, and sustain the overall system security posture.

Key Responsibilities / Skills

• Apply current Information Assurance (IA) technologies to maintain and improve the security posture of systems, applications, and networks.
• Advise the Government on security methods and controls, including encryption technologies, vulnerability analysis, and security management standards, to support FISMA compliance.
• Communicate security requirements clearly and accurately through strong verbal and written communication, including documentation within required security artifacts and RMF systems.
• Ensure annual FISMA deadlines are met, and notify the Government PM when deadlines are at risk or assistance is needed. 
• Prepare and maintain security documentation from approved templates, including:
• Configuration Management Plan (CMP)
• Incident Response Plan (IRP)
• Information System Contingency Plan (ISCP)
• Ensure documentation complies with FBI Policy Directives (PDs), Policy Guides (PGs), and Federal IA requirements, and coordinate required reviews and approvals. 
• Evaluate program policies and procedures, identify security or compliance gaps, and elevate issues to management for resolution. 
• Identify IA vulnerabilities and coordinate with Infrastructure and Development teams to remediate, mitigate, or document exceptions through the POA&M process.
• Review vulnerability findings, patches, updates, and compliance scan results, including SCAP and DISA STIG assessments, to ensure systems and applications remain compliant in both on-premises and cloud environments.
• Prepare and maintain Security Authorization packages to obtain and sustain an Authority to Operate (ATO), Authority to Test (ATT), or other authorization types for systems and applications.
• Attend Configuration Control Board (CCB) meetings and review change requests for impact to system and application security posture, Federal compliance requirements, and FBI PD/PG requirements; document outcomes in the CMP. 
• Coordinate security incident response activities and high-priority compliance responses with the FBI Enterprise Security Operations Center (ESOC).
• Represent program security interests in internal and external meetings with stakeholders, customers, and partner organizations.
• Schedule and lead meetings with program personnel to address findings, determine remediation paths, and document outcomes within the CMP and POA&M as needed. 
• Coordinate with other system ISSOs to ensure interconnection requirements, policies, procedures, and documentation are properly addressed and maintained.
• Assess current and emerging security threats within an operational environment and provide recommendations to reduce risk. 

This position requires active Top Secret (TS) clearance and the ability to obtain SCI access with a CI polygraph.

This position is on-site with our customer in Huntsville, Al.

• Associates Degree in Computer Security or related field of study; (ISC)2 Information Security Certification(s) (e.g., CISSP, CAP, etc.); or in lieu of education, five (5) years of documented experience that addresses all requirements of the position. 
• Minimum of 3 years of experience assessing and documenting results for systems, infrastructure, and applications in on-premises and cloud environments, including AWS GovCloud and/or Azure GovCloud.
• Experience evaluating systems against NIST SP 800-53 security controls and NIST SP 800-171 requirements.
• Experience supporting Risk Management Framework (RMF) processes, including the preparation and maintenance of authorization packages and supporting artifacts.
• Strong knowledge of FISMA requirements and Federal information assurance and cybersecurity compliance practices. 
• Experience preparing, reviewing, and maintaining security documentation such as CMP, IRP, ISCP, and POA&M.
• Experience identifying vulnerabilities and coordinating remediation efforts with infrastructure, development, and program teams.
• Experience reviewing and interpreting results from vulnerability scans, SCAP scans, STIG assessments, and patch/compliance activities.
• Familiarity with both on-premises and cloud-based environments, with AWS preferred.
• Strong understanding of security controls, risk mitigation, incident response, configuration management, and continuous monitoring practices.
• Excellent verbal and written communication skills, with the ability to clearly document requirements, findings, risks, and recommendations.
• Ability to work collaboratively with Government customers, program managers, technical teams, and other ISSOs.
• Active Top Secret (TS) clearance with eligibility for Sensitive Compartmented Information (SCI) with ability to obtain CI polygraph

• Certifications: CompTIA Security or CISSP or CISM
• Experience using a cyber risk and compliance management system, such as Xacta, RiskVision, or similar platforms. 
• Familiarity with scan types and compliance tools including patch/update reviews, SCAP, and DISA STIG assessments to help ensure patch and configuration compliance.
• Working knowledge of operating systems, network security, and application security to support the implementation of information security and assurance principles.
• Knowledge of Splunk software and related tools.
• Knowledge of TACLANE, encryption devices, and COMSEC technologies.