Constellation West is currently looking for an Information Security Specialist to provide the services necessary to act as Information Systems Security Officer (ISSO) for the identified systems, as designated by the FTC system owner. Duties are performed in a manner that aligns with Federal information security continuous monitoring (ISCM), privacy, and records management principles, the Center for Internet Security (CIS), and the NIST Risk Management Framework. These services include the following tasks:
- Assist in the overall compliance of the assigned information system, to include: security authorization and assessment (SA&A), risk analysis and mitigation, IT security awareness training, IT security baseline compliance, continuous monitoring, and vulnerability assessment.
- Assist in the determination of an appropriate level of security commensurate with the Federal Information Processing Standard (FIPS) 199 sensitivity level. Assist with the identification of the appropriate level of authentication as required by federal guidance.
- Develop and maintain the SA&A documentation for FTC information systems according to FTC policy, ensuring that the NIST SP 800-53 baseline security controls selected are appropriate for the information system based on its FIPS 199 security categorization.
- Review and update the technical architecture, design, procedural documents and other system documentation to support SA&A as changes are made to information systems.
- Assist in the implementation of controls for privacy and records management, and in the development and maintenance of documentation supporting compliance with Federal privacy and records management guidance for the applicable information system.
- Assist the system owner in recording all known security weaknesses of assigned information systems in the plan of action and milestones (POA&M) in accordance with the FTC Policy.
- Develop and maintain Rules of Behavior (ROB) specific to the information system and ensure compliance with the ROB. This requires interaction not only with OCIO staff, but also with stakeholders, FTC’s Chief Privacy Officer, and General Counsel.
- Ensure required updates to key documents are performed in accordance with NIST SP 800-37 for continuous monitoring. Identify changes to FTC systems that may impact security controls, perform the security impact assessment of proposed changes, report any change in risk posture, and provide recommendations for risk mitigation.
- Monitor remediation actions and create and track Plans of Action and Milestones (POA&Ms) from initiation to closure based on sources such as OCIO risk registers, security control assessments, vulnerability scans, configuration change documents, and audit findings. This will require close interaction with other contractors and FTEs in order to ensure the work necessary to close POA&Ms is completed in accordance with the proposed schedule.
- Act as the technical lead in annual FISMA audits and ensure the technical accuracy of security-related documentation. Assist in gathering information to support reporting on data calls, audit information, and ad hoc information requests from the FTC.
- Review the results of security control assessments (SCAs) and assist the System Owner in determining mitigation strategies and risk assessments for identified vulnerabilities and control non-compliance findings.
- Develop, gather, and report measurements and metrics to support FTC’s information security continuous monitoring (ISCM) program.
- Ensure Cyber Security Assessment Management (CSAM) or its successor accurately contains required information system inventory, categorization, POA&Ms and other security metrics and documentation required by the FTC.
- Serve as a technical expert and advise the System Owner, Chief Information Security Officer, and Chief Information Officer on innovative approaches to managing information system boundaries and securing agency systems.
- Assist in the development and maintenance of the Privacy Threshold Analysis (PTA) and, if required, the Privacy Impact Assessment (PIA) for assigned information systems by providing information and input to the Program Manager and Chief Privacy Officer (CPO).
- Participate in meetings as required by the COR.