Risk Management Framework Validator/Information Systems Security Officer (ISSO) /Project Manager
Trigent Solutions

1 Vacancy
The job posting is outdated and position may be filled
Job Location

others - USA

Monthly Salary

Not Disclosed

Job Description

Req ID : 1752415

Title: Risk Management Framework Validator/Information Systems Security Officer (ISSO) /Project Manager

Location: 100% Remote

Client: US Navy

Duration: Full Time Permanent

Active secret clearance is required.

Job Purpose

The ISSO provides information systems security and consultation services as assigned in support of MARCORLOGCOM, Albany GA authorization requirements.

Duties and Responsibilities

  • Completes authorization and assessment packages within 120 days of system ATO expiration.
  • Ensures stakeholders are kept informed of risk, status, and roles and responsibilities throughout the RMF process.
  • Guides information owners through completion of Step 0 System Registration in Marine Corps Compliance and Authorization Support Tool (MCCAST) or similar DoD tool.
  • Guides information owners through Step 1, System Categorization, in MCCAST or similar DoD tool based on information provided by the information owner IAW ECSM 018, FIPS Publication 199 and NIST SP 800-60.
  • Guides information owners through Step 2, select security controls. Determines appropriate defense level and appropriate overlays.
  • Provides information owner with an export of the MCCAST or similar DoD tool selected security controls and applied overlays to populate the Implementation Details.
  • Reviews completed security control implementation details and gains validator approval before uploading into MCCAST or similar DoD tool for ISSM submission for an Initial Risk Assessment (IRA).
  • Manages MCCAST or similar DoD tool entry updates on behalf of the ISSM and information owners, assisting with preparation and review of Federal Information Security Management Act (FISMA) documentation.
  • Guides information owners in the development of a System Security Plan (SSP) that addresses objectives for the assessment, methods for verifying security control compliance, the schedule for the initial control assessment, and actual assessment procedures.
  • Works with ISSM and lead Government RMF ISSO to conduct the initial assessment of the effectiveness of the security controls and document the issues, findings, and recommendations in a Security Assessment Report (SAR).
  • Develops a project plan and accompanying Plan of Action and Milestones (POA&M) for the RMF package that addresses all unremediated vulnerabilities, Security Technical Implementation Guideline (STIG) failures and failed security controls. Develops and reports metrics that include the percentages of completion in every step of the RMF process.
  • Works the POA&M with the ISO, and includes all elements required by MCCAST or similar DoD tool. Updates the POA&M at least monthly for the life cycle of the information system using the latest vulnerability scans and STIG checklists.
  • Attends scheduled and ad-hoc Cybersecurity branch meetings for update and coordination of cyber and RMF efforts.
  • Continuously monitors the information system IAW existing and emergent Continuous Monitoring policies.
  • Initiates RMF package creation NLT 12 months from current information system Authority to Operate expiration date.
  • Maintains all RMF artifacts and documents in the designated Government repository.
  • Provides support and technical expertise related to Defense in Depth principles and technology in security engineering designs and implementation.
  • Using the system POA&M, documents and reports cybersecurity audit findings and recommendations for each system to the PM and ISSM.
  • Provides continuous feedback in the form of lessons learned to the Government to ensure process and practices remain efficient and effective.

Qualifications

  • Bachelor's degree in computer science, engineering, or mathematics and five (5) years' experience in IT or cybersecurity OR eight (8) years' experience in IT or cybersecurity
  • CISSO, CISSP, or CISM preferred
  • Marine Corps Compliance and Authorization Support Tool (MCCAST) experience preferred
  • SECRET security clearance

Working conditions

No special working conditions.

Physical requirements

No special physical requirements.

Job Purpose

The risk management framework validator provides validator/auditing and consultation services as assigned in support of MARCORLOGCOM, Albany GA authorization requirements.

Duties and Responsibilities

  • Performs validation/auditing of MARCORLOGCOM HQ Unclassified RMF authorization requirements in accordance with Enterprise Cybersecurity Manual (ECSM) 018 Marine Corps Assessment and Authorization Process (MCAAP).
  • Provides independent verification and validation (IV&V) of Marine Corps system's security controls and safeguards designed through the security engineering process.
  • Validates applicable cybersecurity controls for an assigned Marine Corps system, including developing the appropriate test procedures if necessary, executing the test procedures and accurately documenting the results of security testing.
  • Performs the requisite preparatory IV&V steps and conditions as required, performs the actual validation steps, compares the actual results with the expected results, and analyzes the differences for impact and risk. Documents results in a government-specified format and repository.
  • Performs CVSS Scoring via MCCAST v2, develops the Security Assessment Report (SAR) and other Validation support requirements as required by DoD and USMC policies and guidance for the assigned system(s). Facilitates the coordination of the Program Manager, ISSM/ISSO, User Representative, and Marine Corps AO agreement of the documentation. Documents results in a government-provided repository.
  • Develops and reports metrics that include the percentages of completion in every step of the validation process.

Qualifications

  • DoD 8570.01-M IAM Level III Certification
  • Bachelor's degree in Information Assurance or InfoSec field and 4 years of experience OR 7 years of experience
  • SECRET security clearance

Job Purpose

The project manager provides task order/program management planning, guidance, oversight, control, and technical expertise to the USMC LOGCOM Cybersecurity Services project.

Duties and Responsibilities

  • Participate in the planning and delivery of Cybersecurity Support Services to MARCORLOGCOM.

  • Communicate, formally and informally, with senior managers, functional area managers, and stakeholders regarding the status of cybersecurity support.

  • Conduct all task order/program project initiation, planning, execution, monitoring, and closeout activities.

  • Provide weekly updates and support the actions required to ensure compliance with the prescribed schedule of events.

  • Develop and implement formal processes for executing task actions and interfacing with Government customers, and ensure the overall effectiveness of the technical management program (e.g., products, issues, status tracking).

Qualifications

  • DoD 8570.01-M IAM Level II Certification
  • Project Management Professional certification (PMI or ITIL v.4)
  • Minimum ten (10) years' experience managing government program information technology projects
  • SECRET security clearance

Employment Type

Full Time

About Company

100 employees