ISSO / Control Evaluator Senior Job Description

Position Overview

Key Responsibilities

• Serve as the senior ISSO and security compliance advisor for assigned SBA systems applications services and cloud environments.
• Provide leadership and technical oversight for RMF assessment authorization and continuous monitoring activities in accordance with NIST SP 800-37 Rev. 2.
• Conduct and oversee testing and validation of NIST SP 800-53 Rev. 5 security and privacy controls in accordance with NIST SP 800-53A assessment procedures.
• Develop review update and maintain cybersecurity and privacy documentation including SSPs CMPs ISCPs ISCP Test Reports ERAs POA&Ms and architecture diagrams.
• Support SBA Ongoing Authorization (OA) activities including development and execution of OA Playbooks positive testing and negative testing methodologies.
• Document Determine If Statements (DISs) assessment evidence and technical findings to demonstrate security control effectiveness.
• Develop Security Assessment Plans (SAPs) Security Assessment Reports (SARs) Annual Assessment Reports (AARs) and remediation recommendations.
• Coordinate vulnerability management activities including validation of remediation actions mapping vulnerabilities to NIST controls and tracking POA&M closure activities.
• Support FISMA reporting cybersecurity metrics collection dashboard reporting and Governance Risk and Compliance (GRC) tool updates.
• Provide audit support for IG GAO FISMA and internal assessments by coordinating artifact collection walkthroughs and audit response activities.
• Support High Value Asset (HVA) assessment activities and FedRAMP Continuous Monitoring (CONMON) management activities.
• Review system architectures network topologies cloud environments and security configurations to identify cybersecurity risks and compliance gaps.
• Participate in SBA Enterprise Change Control Board (ECCB) activities and cybersecurity governance reviews.
• Provide technical guidance to system owners ISSMs engineers administrators and program stakeholders regarding cybersecurity compliance and remediation strategies.
• Ensure all deliverables are peer reviewed aligned with SBA implementation procedures Section 508 compliant and submitted within required timelines.
• Support enterprise cybersecurity continuous monitoring risk analysis and automation/visualization initiatives.

Required Qualifications

• Bachelors degree in Cybersecurity Information Assurance Information Technology Computer Science Engineering or related discipline.
• Minimum of eight (8) years of experience supporting federal cybersecurity RMF ISSO or information assurance activities.
• Minimum of five (5) years of experience conducting security controls assessments compliance evaluations or continuous monitoring activities for federal systems.
• Extensive knowledge of NIST SP 800-53 Rev. 5 NIST SP 800-53A Rev. 5 NIST SP 800-37 Rev. 2 FISMA and OMB cybersecurity guidance.
• Experience supporting ongoing authorization (OA) continuous monitoring and cybersecurity governance activities.
• Experience developing and maintaining cybersecurity documentation including SSPs SARs SAPs AARs POA&Ms and related RMF artifacts.
• Experience supporting cloud security assessments and FedRAMP environments including AWS Azure Microsoft 365 and SaaS platforms.
• Experience supporting federal cybersecurity audits including IG GAO and FISMA reviews.
• Strong analytical technical writing communication and stakeholder engagement skills.
• Experience using Governance Risk and Compliance (GRC) platforms and cybersecurity assessment tools.
• Relevant certifications such as CISSP CAP CISA Security GSLC or equivalent preferred.
• Ability to obtain and maintain a Moderate Risk background investigation and eligibility for higher-level clearances if required.

Desired Experience

• Experience supporting civilian federal agencies including SBA DHS or CISA.
• Experience supporting Zero Trust Architecture initiatives and FedRAMP CONMON activities.
• Experience coordinating penetration testing or vulnerability assessment remediation activities.
• Experience supporting enterprise cybersecurity dashboards automation and visualization reporting.