The Information Systems Security Manager (ISSM) supports IDA's classified and unclassified information systems and represents IDA with cognizant US Government accrediting agencies. You will provide technical leadership for up to three Information System Security Officers (ISSOs). You will get to develop an information systems security, education, training, and awareness program. You will manage and coordinate information security monitoring, inspections, and classified spill or data loss incident responses.
What will you do in this role?
The ISSM collaborates closely with IDA researchers, IT, and US Government accrediting agencies to identify appropriate security control baselines and ensure they are implemented prior to being introduced into a production environment. You will review and authorize proposed changes to ensure they are done in a controlled and documented fashion. You will manage inspections of IDA unclassified and classified systems by US Government agencies.
What are the ISSM’s key responsibilities?
The ISSM is responsible for IDA's industrial security information systems security programs.
Serves as Information Systems Security Manager (ISSM) for IDA classified and unclassified systems.
Makes sound decisions and manages all aspects of information systems security as it applies to systems that are accredited by DOD and Intelligence Community agencies.
Develops, implements and manages a formal information systems security program.
Ensures ISSOs, IT staff, and users follow established information security policies and procedures to protect, operate, maintain, and dispose of systems and data in accordance with the security policies and practices outlined in the assessment and authorization document packages.
Develops, reviews, maintains and oversees all Information System Security Plans (SSPs) and Assessment and Authorization packages in accordance with DOD-mandated policies.
Coordinates with the Facility Security Officer/Senior Insider Threat Security Official to ensure insider threat detection and awareness is addressed.
Represents IDA with cognizant US Government agencies responsible for classified computing.
Develops and maintains relationships with many DOD and Intelligence Community agencies for the purpose of obtaining and maintaining authority to operate (ATO) on IDA classified systems.
Engages in continuous dialogue with US Government agencies to communicate changes in IDA's security posture and learn of new government systems security requirements.
Works with US Government Security Control Assessors (SCAs) and Authorizing Officials (AOs) to develop a comprehensive Risk Management Framework (RMF) package including System Security Plans (SSPs), Information Continuous Security Monitoring Plans, and a Body of Evidence to support system authorization.
Conducts risk assessments to identify potential threats, gauge the likelihood of exploitation based on mitigating factors, and determine the residual risk level for individual systems.
Collaborates closely with IDA researchers, IT, and US Government accrediting agencies to identify appropriate security control baselines.
Advises IT on required security configurations and assists with the development of technical security enhancements.
As a voting member of the IDA Change Management Board, reviews proposals for changes to hardware and software on classified information systems and assesses the security impact of proposed modifications to each information system.
Reviews and ensures implementation of bulletins and advisories that impact the security posture of information systems covered by SSPs.
Oversees collection and continuous monitoring of security related information from classified systems.
Performs a technical assessment of a system’s implemented security configuration to ensure compliance before the system moves to a production environment.
Conducts reviews and technical inspections to ensure compliance with IDA and US Government policies, and to identify vulnerabilities or security weaknesses. Recommends corrective actions and ensures proper vulnerability reporting.
Ensures the ISSOs regularly audit all systems under their purview to validate proper use, and that all documentation (e.g., training records, system baselines) is kept current.
Manages and coordinates security compliance incident response, such as classified spills.
Ensures procedures are developed and followed for responding to security compliance incidents and investigating and reporting security violations and incidents as appropriate.
Leads IDA efforts to manage inspections of IDA unclassified and classified systems by US Government agencies.
Manages the inspection process while DOD inspectors are at IDA.
Leads periodic cyber self-inspections to assess systems against DISA STIGs, NISPOM Chapter 8, or DJSIG/JSIG requirements using the following vulnerability scanning tools: Security Content Automation Protocol (SCAP) scans, STIG Viewer, ACAS, and Retina.
Trains IT staff and ISSOs on how to use vulnerability scanning tools and determines which systems will be assessed.
Ensures a Plan of Action and Milestones (POA&M) is maintained for all security-related vulnerabilities and continually updates SCAs and AOs on the current status of planned activities for correcting vulnerabilities associated with required security controls.
Leads an annual internal Command Cyber Readiness Inspection of the IDA SIPRNet as a part of this effort.
Analyzes results and prepares final management report with recommendations and any required action plans.
Develops an information systems security education, training, and awareness program.
Ensures all ISSMs, ISSOs, security personnel, IT staff, and users receive the required technical and security training, and appropriate briefings.
Who are we?
The Institute for Defense Analyses (IDA) operates three Federally Funded Research and Development Centers supporting federal decision making – two serving the Department of Defense and one serving the Office of Science and Technology Policy in the Executive Office of the President of the United States. IDA assists the United States Government in addressing important national security issues, particularly those requiring scientific and technical expertise.
What will you need?
U.S. Citizenship is required.
Bachelor’s degree in an IT-related or similar relevant field or equivalent experience.
Minimum four years’ experience in Information Technology or in an Information System Security Officer/Manager role. At least two years of the four must be in an ISSO/ISSM role.
Experience supporting various computer hardware platforms and multiple operating systems, in both stand-alone and networked configurations.
Working knowledge of operating system security features and settings (e.g., Windows, Linux).
Working knowledge of security configuration requirements for individual applications (e.g., Microsoft Office, web browsers, network devices) and of physical security.
Candidate must have the following Information Assurance certifications or security training or obtain the certificates within 6 months of hire:
RMF Training as specified in the DSS Assessment and Authorization Process Manual
DOD 8570.01-M certification at IAM level 3, such as CISM, CISSP, or GSLC
Customer service skills, including good interpersonal skills and the ability to communicate effectively with all levels of employees, and a professional demeanor.
Ability to obtain and maintain Top Secret/SCI clearance.
IDA is the Institute for Defense Analyses, a not-for-profit corporation that operates three Federally Funded Research and Development Centers (FFRDCs) in the public interest: the Systems and Analyses Center, the Science and Technology Policy Institute, and the Center for Communications and Computing. IDA provides objective analyses of national security issues and related national challenges, particularly those requiring extraordinary scientific and technical expertise. Employees are subject to a security investigation, must meet the requirements for access to classified information and be a U.S. citizen.