About the Role: The Contractor ISO will act as an Information System stakeholder and as the primary point of contact for all information security matters, inquiries, data calls, audit requests, Federal Information Security Modernization Act (FISMA) reporting, A&As, OSAs, and management reporting pertaining to the CDIS Solution, and will remain current on the duties of an ISO as defined in the Department’s policies, directives, standards, and the ISO appointment memo. The ISO must develop, implement, manage, operate, and maintain the CDIS Solution so that the operational interests of the system’s user communities are addressed. The Contractor ISO must coordinate with operational teams and solution development teams in all areas of the CDIS Solution, and must draft and review the Enterprise Investment Management Board (EIMB) requests, Enterprise Review Board (ERB) requests, and EATI requests applicable to the CDIS Solution.
Role Description:
- Drive the implementation of a risk management framework (RMF), as documented in NIST SP 800-37, as amended (NIST SP 800-37), covering RMF steps 0-6 (Prepare through Monitor). This requires keeping the CDIS Solution record in the GRC Tool updated accordingly.
- Drive the successful completion of the ISO functions in the A&A and OSA activities so that NIST SP 800-53 control implementation statements, evidence, and self-assessments are accurate, delivered on time, reflected in the GRC Tool, and compliant with the Department’s published policies, standards, and procedures.
- Attend, contribute, document, and represent the CDIS Solution in Department symposiums, workshops, trainings, meetings, and AO briefings.
- Serve as the primary point of contact for all information security matters, inquiries, and management reporting pertaining to the CDIS Solution to include FISMA reports, security control assessments and authorizations, and audits.
- Follow the documented POA&M SOP to ensure tracking, execution, and timely completion of all assigned POA&Ms and RAFs.
- Update, close, and maintain the POA&Ms (which track security-related vulnerabilities and control failures) in the GRC Tool. Each update must include recommended corrective actions, and the Contractor ISO must work closely with the ISSO to ensure POA&M remediation.
- Ensure that a risk management process and a continuous monitoring process are developed and implemented whereby information security risks are identified, stakeholders are informed, and appropriate remediation or mitigation actions are taken to minimize the risk to Department operations, Department assets, and individuals resulting from the operation of the CDIS Solution.
- Develop all required system security documentation accurately and on time, using the latest published Department templates. The documentation must be updated as required by Department policies, standards, and SOPs and uploaded to the GRC Tool.
- Develop and maintain DRP, CP and IRP and ensure the plans are tested at least annually. The results of the DRP, CP and IRP test must be documented and posted to the GRC Tool.
- Develop, maintain, and test the relevant CP documents (the Information System Contingency Plan (ISCP) and the BIA) and ensure they are updated appropriately, kept in sync with each other, maintained per Department policies, standards, and SOPs, and uploaded to the GRC Tool.
- Ensure the Department’s Business Continuity Plan (BCP), BIA, and ISCP are integrated with the enterprise risk management processes.
- Ensure an SSP is completed, kept current, and in compliance with the applicable NIST Special Publications (SPs) (e.g., NIST SP 800-18 and NIST SP 800-53) and all Department policies, standards, and SOPs. The Contractor ISO must also coordinate with the ISSO to generate the SSP review checklist. All system documentation must be posted in the GRC Tool.
- Complete and finalize all Privacy Impact Assessments (PIAs) and Privacy Threshold Analyses (PTAs) and upload them to the GRC Tool.
- Report and resolve IT security incidents in accordance with Department established procedures.
- Authorize CDIS Solution Privileged User Access (PUA) requests within 48 business hours, based on the user’s role and background clearance level.
- Maintain a current listing of authorized users, periodically conduct account validation, and upload the latest validation report to the GRC Tool under the Department’s Information Technology (IT) System Access Control (AC) Standard, as amended, control AC-2, Account Management.
- Provide support for CDIS Solution Onboarding, including participating and completing all necessary steps in the EPMR boards, the GRC Tool registration form, and updating the CDIS Solution record in the GRC Tool.
- Create and/or review the CM-04 Impact Assessments (CMIAs) within two (2) business days for any intended change to Department systems, ensuring that every impacted NIST SP 800-53 control is documented and the impact is reflected against the applicable control in the GRC Tool. The Contractor ISO must also upload the CMIA to the GRC Tool.
- Respond to all data calls (e.g., vulnerability, audit, and any new mandate) accurately and on time when requested.
- Maintain active access to, and review no less than weekly, the Federal Risk and Authorization Management Program (FedRAMP) packages for all cloud systems provided to the CDIS Solution by Cloud Service Providers (CSPs).
- Review the monthly updated CSP POA&M reports for the assigned CSPs and inject the POA&Ms that apply to the Department into the GRC Tool.
- Ensure that all Interconnection Security Agreements (ISAs), Inter-Agency Agreements (IAAs), and MOUs are in place before connecting with any internal or external entity to share services, assets, or information.
- Follow the guidance in the Department’s Common Controls Catalog so that system owners can inherit the appropriate controls. The Contractor ISO must ensure the proper physical, administrative, and technical controls, whether common or hybrid, are offered to dependent systems as applicable, both initially and with any new change.
- Assist the ISSO in identifying residual risk and provide justification for AO risk decisions.
- Ensure the operating system (OS), Web, and Database (DB) scans are requested, conducted, and reviewed per the Department’s timelines (OS scans twice a week; Web and DB scans monthly) and that all discovered vulnerabilities are tracked and remediated. If a vulnerability is not remediated within the Department-defined timeline, the ISO must ensure a POA&M is injected into the GRC Tool per Department procedure.
- Ensure the OCIO CSF Risk Scorecard’s “Daily CSAM Documentation Status”, “CSAM Data Discrepancy Report”, daily POA&M details, and the CDIS Solution-related pages are current and in line with CSAM documentation.
- Ensure the CSF Risk Scorecard score for the CDIS Solution remains above “risk tolerance.”
Required Qualifications & Education:
- 5+ years of experience performing the functions and responsibilities of an ISO, ISSO, or ISSM for complex systems that have a High or Moderate FIPS 199 categorization or are High Value Assets (HVAs).
- Bachelor of Science in Computer Science, Information Systems, Mathematics, Engineering, or a related degree, or an additional two (2) years of experience in lieu of a degree.
- Minimum certification: must hold, in good standing, one of the following professional certifications: CISSP or CISM.
Desired Qualifications:
- Proven experience managing system risk using CSAM, Splunk, or other security tools or SIEM systems.
- Experience with cybersecurity compliance requirements and with keeping the security risk of in-scope systems at or below the prescribed level.
- Excellent communication, teamwork, and interpersonal skills.
Clearance and Location Requirements:
- Able to obtain a Public Trust clearance.
- This is a remote position.
About NR Labs
At NR Labs, our passion is to solve the hard problems that keep security leaders up at night in a way that caters to their unique technical, financial, political, and business posture. Our company empowers every organization to achieve its cyber potential. NR Labs focuses on cybersecurity for public and private sector clients and is dedicated to solving their most complex cyber challenges. If you are interested in learning more about NR Labs, please visit our website at nrlabs.com.