Job Duties and Responsibilities
- Provide client support in compliance with the ISSO Roles and Responsibilities described in DHS 4300 A and CBP HB 1400-05D.
- Maintain the Security Authorization or Certification and Accreditation of their assigned system.
- Track the Security Authorization of their assigned system.
- Deliver all required documentation using the current DHS/CBP approved templates, forms, regulations, and methods.
- Continuously update all Security Authorization documentation as required by the ISSO SOP.
- Provide advisement to stakeholders to assign resources and establish timelines to ensure the successful Security Authorization of a system.
- Maintain all required documentation to maintain their assigned system’s Authority to Operate or system go live dates.
- Document all relevant NIST 800-53, 4300A, and 1400-05D Security Controls and/or applicable departmental policies for each IT system and network assigned.
- Draft a Security Package and perform any modifications throughout the lifecycle of the system.
- Work closely with the System Owner to identify any additional controls that are applicable to the system to maintain a favorable security posture.
- Perform an annual physical assessment of all General Support Systems (GSS) and Major Applications and sub-system interfaces.
- Provide oversight and advisement on all proposed change requests on an IT System and network as it relates to the possible change to the existing Controls Assessment.
- Work with auditors to identify Key Controls which must be assessed on a recurring annual basis.
- Evaluate and provide advisement on all privileged access requests to IT systems.
- Ensure software targeted for introduction to the production environment is evaluated and provide guidance to ensure that the introduction of risk to the environment is prevented.
- Ensure software deployed in the environment is audited on a quarterly basis and provide monthly reports to the System Owners, ISSM, and PM.
- Perform oversight of Information System Vulnerability Management (ISVM) inquiries, and ensure that the inquiries are addressed and reported within the allotted timeframe and reported via the accepted methods and formats.
- Generate Plan of Actions & Milestones (POA&Ms) for each non-compliant control for each managed IT System. Proper documentation shall be filed and updated as required.
- Manage all applicable POA&Ms throughout the lifecycle of the IT system. This includes but is not limited to the drafting of well documented waivers detailing the potential risk to the Authorizing Official.
- Support the Security Incident Response team in the remediation, documentation and reporting of all incidents for the ISSO and ISSM assigned systems.
- Perform a Weekly review of logs for each IT system.
- Participate in project discussions in support of the System Owner.
- Provide track and report security requirements throughout the project life cycle of all projects that are within the accreditation boundary of their assigned system.
- Work closely with Office of the Chief Information Security Officer (CISO) to provide guidance and oversight for all requested initiatives.
- Provide timely and detailed responses to all data calls.
- Provide support for all Office of the Inspector General (OIG) and other external audit activities.
- Provide oversight and guidance regarding requests to modify technical policies such as firewall rules, ports, protocols, etc. for each IT system.
- Coordinate with and brief government staff on all activities pertaining to each IT system as requested.
- Continuously maintain a thorough understanding of all configurations, architecture, installed software, accounts (both Operating System and Application), data flows, ports, protocols, and other relevant data for each IT System.
- Coordinate with the appropriate operational group to accurately update the System Design Document for each IT system to reflect the approved state of each IT system.
- Experience with Authority to Operate (ATO) process, continuous monitoring, POA&Ms, Security Authorizations (SA), NIST 800-37, NIST 800-53 Rev3 / Rev4, working with System Owners (SO)
- 5-7 years applicable professional experience
- Experience with the DHS/CBP C&A process
- Understanding of FISMA compliance
- Works well with team members
- CISSP, CISA or equivalent certifications (desired)
- System Admin or other technical background
- Bachelor's degree or equivalent experience
- Experience with Ongoing Authorizations
- Experience with DHS Information Assurance Compliance System (IACS/Xacta)
U.S. Citizenship required
DHS/CBP Clearance Desired (Must be able to pass a Federal background investigation)
Experience working at DHS and with DHS 4300 and CBP 1400-05D