Information Systems Security Officer

Dunhill Professional SearchOak Ridge, TN

$120,000 - $170,000 / year

Overview

Compensation
$120,000-$170,000/year

Job Description

The Information System Security Officer (ISSO) plays a critical, dual role in safeguarding OIM's information systems. This position demands a hands-on approach to designing, integrating, and governing the enterprise cybersecurity architecture, while also performing essential ISSO duties for OIM systems and their boundaries. This ensures that every technical solution is secure by design and compliant with all DOE and federal requirements. The Architect/ISSO functions as a bridge between technical architecture, day-to-day operations, and governance, acting as both a primary technical authority and a dedicated compliance steward to build and sustain a robust and resilient cybersecurity program. The candidate will work with the Assessment & Authorization and Vulnerability Management teams, including A&A Analysts, A&A Specialists, A&A SMEs, A&A Security Engineers, A&A Architects, Vulnerability Management Analysts, and Vulnerability Management Engineers, to deliver cyber authorization services. The role calls for experience with one or more of the following federal security frameworks (FedRAMP, FISMA, Zero Trust Maturity Model, RMF, and the NIST SP 800 series, including NIST SP 800-53) and GRC tools (e.g., XACTA, ArchAngel, eMASS, CSAM).

  • Develop, implement, and maintain comprehensive information security programs in accordance with federal mandates and agency policies.
  • Oversee the continuous monitoring and improvement of security controls across diverse information systems.
  • Collaborate with system owners and stakeholders to integrate security requirements throughout the system development lifecycle.
  • Conduct thorough risk assessments to identify, analyze, and prioritize security vulnerabilities and threats.
  • Develop and implement risk mitigation strategies and countermeasures to protect sensitive information and critical assets.
  • Track and manage Plans of Action and Milestones (POA&Ms) to ensure timely remediation of identified weaknesses.
  • Ensure strict adherence to federal regulations, such as NIST SP 800-53, FISMA, and agency-specific security directives.
  • Perform ISSO responsibilities for OIM systems and boundaries, serving as the subject matter expert for assigned systems.
  • Advocate for System Owners, coordinating cybersecurity activities and ensuring alignment with DOE policies and federal requirements.
  • Provide regular security briefings to System Owners, ISSMs, and AODRs.
  • Participate in Change Control Board (CCB) meetings, reviewing privileged access requests, risk assessments, and cybersecurity requests.
  • Support and perform internal audits, inspections, and reviews of OIM accreditation boundaries.
  • Support the Authorization to Operate (ATO) process by providing expert guidance and ensuring all required artifacts are complete and accurate.
  • Draft, update, and enforce information security policies, standards, and procedures.
  • Maintain comprehensive security documentation, including system security plans, contingency plans, and configuration management plans.
  • Develop and deliver security awareness training to educate users on best practices and compliance requirements.
  • Evaluate, recommend, and implement security technologies and tools, such as intrusion detection/prevention systems (IDPS), security information and event management (SIEM), and data loss prevention (DLP).
  • Manage and monitor security configurations for operating systems, networks, and applications.
  • Conduct vulnerability scanning and penetration testing to identify and address security weaknesses.
  • Establish and maintain Interconnection Security Agreements (ISAs) and Memoranda of Understanding (MOUs/MOAs) with external partners.
  • Prepare and review security authorization documentation, including Security Plans (SPs), Privacy Impact Assessments (PIAs), and Contingency Plans (CPs).
  • Represent OIM in interagency security working groups and committees.
  • Provide analysis of vulnerability, patch, and configuration data to protect OIM mission systems.
  • Work with System Owners to develop and remediate POA&Ms, prioritizing based on Level of Effort (LOE).
  • Recommend corrective actions for risk assessment issues identified during audits or inspections.

Minimum Qualifications

  • Bachelor’s Degree in Computer Science or a related field or equivalent experience; Advanced Degree preferred.
  • 10+ years of experience in cybersecurity architecture, compliance, or ISSO duties.

Other Job Specific Skills

  • Deep expertise with SIEM, IDS/IPS, EDR, DLP, ICAM, CDM, and vulnerability management tools.
  • Strong knowledge of DOE cybersecurity policies, FISMA, NIST 800-53, and federal directives.
  • Proven experience drafting and maintaining FISMA artifacts and managing A&A processes.
  • NIST 800-53 Rev 5.
  • Risk Management Framework.
  • CRISC (or equivalent), CISSP, CISM, CISSP-ISSAP, or equivalent.

Desired Skills

  • Ability to balance technical architecture with compliance oversight.
  • Strong communication skills for briefings, reporting, and stakeholder engagement.
  • Experience leading audits, inspections, and risk assessments.
  • Expertise in disaster recovery, COOP planning, and incident response.
  • Strategic mindset with adaptability to emerging technologies and evolving threats.
  • Reporting for information security activities
  • Meet strategic information security objectives
  • Manage security initiatives to support information security strategy and plan
  • Address any information security related issues
  • Implement the security controls specified in the security plan
  • Conduct the information security risk assessment program
  • Targeted security assessments to ensure appropriate level of security controls
  • Maintain knowledge of general security administration programs and one or more security specialties (e.g., sensitive compartmented information, personnel security, technical security, operations security)
  • Provide an interface to client information security audits
  • Protect corporate cyber security information day to day
  • Perform information security risk assessments and serves as an internal auditor for security issues
  • Oversee the risk assessment and information security awareness
  • Train all employees in effective information security measures
  • Provide ad hoc information security and privacy assistance to projects and regional leaders and information security officers
  • Reporting on business security incidents
  • Create enterprise information security education and awareness platforms
  • Escalate security project issues to management
  • Provide periodic reporting on information security issues to the VC/VPIT
  • Ensure all employees receive mandatory training in information security awareness and information security policies, guidelines and procedures
  • Achieving security and privacy certifications