Information Systems Security Officer

Simply put, Information Systems Security Officers (ISSO) document and manage cyber risks to information systems.  Often, this takes the form of:

  • knowing the state of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security and privacy controls for information systems,
  • documenting the state of NIST SP 800-53 security and privacy controls in a system security plan (SSP) for each information system, and
  • tracking the resolution of residual risk in each information system, as recorded in a plan of action & milestones (POA&M) document.

To accomplish the above responsibilities, ISSOs work in collaboration with Security Controls Assessors (SCA) and Information Systems Security Engineers to stage risk decisions made by an Authorizing Official (AO).

In particular, ISSOs are responsible for the Monitor step of the NIST Risk Management Framework (RMF) process, which fulfills the Federal Information Security Modernization Act (FISMA). However, ISSOs may manage cyber risks based on all manner of Information Assurance (IA) requirements, including laws, regulations, and policy.

This job description is meant to advertise a range of ISSO positions, from a Bachelor's degree and 0 years of experience through and including a Bachelor's degree and 20 years of experience. More experienced candidates will require certifications to qualify for contract labor categories, such as Security+, Certified Information Systems Security Professional (CISSP), and/or Certified Information Security Manager (CISM).
