user avatar

Mid-Level Information Systems Security Officer (ISSO) / Control

Koniag Government Services

Posted today

Job Requirements

Washington, DC
Public Trust Polygraph Unspecified
Career Level not specified
Salary not specified
Join Premium to unlock estimated salaries

Job Description

Koniag Data Solutions, LLC, a Koniag Government Services company, is seeking a Mid-Level Information Systems Security Officer (ISSO) / Control Evaluator to support KDS and our government customer in Washington, DC. This position requires the candidate to be able to obtain a Public Trust.

We offer competitive compensation and an extraordinary benefits package including health, dental and vision insurance, 401K with company matching, flexible spending accounts, paid holidays, three weeks paid time off, and more.

Koniag Data Solutions, a Koniag Government Services company, is seeking a skilled Mid-Level Information Systems Security Officer (ISSO) / Control Evaluator to support the U.S. Small Business Administration (SBA). The ideal candidate is an experienced information security professional with a solid foundation in federal information security requirements, security control assessment, and the NIST Risk Management Framework (RMF). This individual will work closely with SBA system owners, the security authorization team, and senior cybersecurity staff to support the security authorization and continuous monitoring of SBA's information systems, ensuring compliance with applicable federal cybersecurity laws, regulations, and standards.

The Mid-Level ISSO/Control Evaluator will support the security authorization and continuous monitoring of SBA's information systems, performing security control assessments, maintaining security authorization documentation, and providing day-to-day information security support to system owners and program teams.

Principal responsibilities will include but are not limited to:
  • Serve as the Information Systems Security Officer (ISSO) for assigned SBA information systems, providing day-to-day information security support, guidance, and oversight to system owners, program teams, and IT staff responsible for the operation and maintenance of those systems.
  • Support the full NIST Risk Management Framework (RMF) lifecycle for assigned systems, including security categorization, security control selection and tailoring, security control implementation review, security control assessment, security authorization package development, and continuous monitoring activities.
  • Develop, maintain, and update security authorization documentation for assigned systems, including System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), Risk Assessment Reports (RARs), and other ATO package artifacts in accordance with NIST SP 800-53, NIST SP 800-53A, and SBA security requirements.
  • Conduct security control assessments and evaluations for assigned systems, applying NIST SP 800-53A assessment procedures to evaluate the design, implementation, and operational effectiveness of security controls, and documenting findings and recommendations in Security Assessment Reports (SARs).
  • Support the development and maintenance of POA&M items for assigned systems, tracking identified security weaknesses, compliance deficiencies, and audit findings, coordinating with system owners and IT teams on remediation activities, and updating POA&M status on a regular basis.
  • Perform continuous monitoring activities for assigned systems, including the review and analysis of security control assessment results, vulnerability scan findings, configuration compliance results, and other security-relevant data to assess the ongoing security posture of assigned systems.
  • Review and analyze vulnerability scan results from tools such as Nessus, Tenable.io, or equivalent platforms for assigned systems, assessing the severity and exploitability of identified vulnerabilities, coordinating remediation activities with system owners, and tracking remediation progress.
  • Support the preparation and submission of security authorization packages to the Authorizing Official (AO) and Authorizing Official Designated Representative (AODR), ensuring all required documentation is complete, accurate, and meets SBA and federal standards.
  • Collaborate with system owners, developers, and IT operations teams to ensure security requirements are implemented and maintained throughout the system lifecycle, providing technical guidance on the implementation of NIST SP 800-53 security controls.
  • Review and assess proposed system changes, configuration changes, and new technology deployments for assigned systems, evaluating potential security impacts and documenting findings and recommendations in accordance with SBA's change management and configuration management processes.
  • Support incident response activities for assigned systems, coordinating with the SOC and incident response team to ensure timely reporting, documentation, and resolution of security incidents affecting assigned systems.
  • Develop and maintain system-level security documentation beyond the core ATO package, including configuration management plans, incident response plans, contingency plans, and security awareness training records, ensuring all documentation remains current and accurate.
  • Assist in preparing for and supporting third-party security assessments, OIG audits, and other external evaluations of assigned systems, coordinating the collection and review of required evidence and supporting documentation.
  • Provide security guidance and consultation to system owners and program teams on security-related matters affecting assigned systems, including the security implications of proposed changes, new technology adoption, and evolving federal security requirements.
  • Contribute to the continuous improvement of SBA's security authorization and continuous monitoring program, identifying opportunities to enhance efficiency, documentation quality, and overall security posture across the system portfolio.

Education and Experience:

Required:
  • Bachelor's degree in Cybersecurity, Information Technology, Computer Science, Information Assurance, or a related field from an accredited college or university.
  • 4+ years of progressive experience in information security, with at least 2 years of dedicated experience as an ISSO, security control assessor, or security authorization specialist supporting federal information systems.
  • Demonstrated experience supporting the NIST RMF process, including the development and maintenance of security authorization documentation (SSPs, SARs, POA&Ms) for federal information systems.
  • One or more of the following certifications:
  • Certified Information Systems Security Professional (CISSP)
  • Certified Authorization Professional (CAP) / ISC2 Certified in Governance, Risk and Compliance (CGRC)
  • CompTIA Security+
  • GIAC Security Essentials (GSEC)
  • Certified Information Security Manager (CISM)

Desired:
  • Master's degree in Cybersecurity, Information Assurance, Information Technology, or a related field.
  • 6+ years of information security experience, with a strong background supporting federal civilian agency ISSO and security authorization activities.
  • Prior experience supporting SBA or other federal civilian agency ISSO or security control assessment programs.

Required Skills and Competencies:
  • Strong communication skills in English - both written and oral - with the ability to clearly communicate security control assessment findings, authorization status, and security recommendations to both technical and non-technical audiences, including system owners, program managers, and senior security leadership.
  • Solid working knowledge of the NIST Risk Management Framework (RMF) process, including all six steps of the RMF lifecycle (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) and their application to federal information systems.
  • Proficiency in developing and maintaining federal security authorization documentation, including SSPs, SARs, POA&Ms, RARs, and other ATO package artifacts, in accordance with NIST SP 800-53, NIST SP 800-53A, and federal agency security requirements.
  • Working knowledge of NIST SP 800-53 security and privacy controls, including the ability to interpret control requirements, assess control implementation, and document control effectiveness findings in SARs and related assessment artifacts.
  • Experience conducting security control assessments using NIST SP 800-53A assessment procedures, including the development of security assessment plans (SAPs), execution of assessment activities, and documentation of assessment findings and recommendations.
  • Familiarity with vulnerability management concepts and tools, including the ability to review and analyze vulnerability scan results from platforms such as Nessus or Tenable.io, assess vulnerability severity and exploitability, and support remediation tracking activities.
  • Knowledge of federal cybersecurity compliance requirements, including FISMA, OMB Circular A-130, FIPS 199, FIPS 200, and applicable CISA BODs and EDs, and their implications for ISSO responsibilities and security authorization activities.
  • Experience supporting continuous monitoring activities, including the review and analysis of security-relevant data to assess the ongoing security posture of federal information systems and identify emerging risks and compliance issues.
  • Ability to review and assess proposed system and configuration changes for security impact, applying sound judgment and federal security requirements to evaluate risk and develop appropriate recommendations.
  • Familiarity with GRC platforms and tools used for managing RMF documentation, POA&M tracking, and continuous monitoring activities within federal environments, such as CSAM, Archer, or ServiceNow GRC.
  • Strong organizational skills and attention to detail, with the ability to manage multiple assigned systems and concurrent documentation and assessment activities effectively.
  • Ability to work collaboratively with diverse stakeholders, including system owners, IT operations teams, developers, and senior security officials, in a fast-paced federal government environment.
  • Ability to obtain and maintain a Public Trust Clearance.

Desired Skills and Competencies:
  • Prior experience supporting SBA or other federal civilian agency ISSO, security control assessment, or RMF program activities, with demonstrated knowledge of agency-specific security authorization processes and documentation standards.
  • Experience with cloud security authorization activities, including supporting the RMF process for cloud-hosted systems and familiarity with FedRAMP authorization requirements, continuous monitoring obligations, and cloud security control implementation considerations.
  • Familiarity with the CDM (Continuous Diagnostics and Mitigation) program tools and data requirements, and their integration into continuous monitoring and security authorization activities for federal information systems.
  • Knowledge of supply chain risk management (SCRM) concepts and their application to ISSO responsibilities and security authorization activities, including NIST SP 800-161 and applicable OMB guidance.
  • Experience supporting security authorization activities for systems operating under interconnection agreements, including the development and maintenance of Interconnection Security Agreements (ISAs) and Memoranda of Understanding (MOUs).
  • Familiarity with DevSecOps principles and practices, and experience supporting security authorization activities for systems developed and deployed using Agile and DevSecOps methodologies.
  • Knowledge of privacy control requirements and their integration into ISSO responsibilities and security authorization documentation, including NIST SP 800-53 privacy controls and applicable OMB privacy guidance.
  • Experience using automated security assessment tools and techniques to support security control testing and evidence collection activities, improving the efficiency and quality of security control assessments.
  • Familiarity with containerized and microservices-based system architectures and their implications for security control implementation and assessment within the RMF context.
  • GIAC Certified Enterprise Defender (GCED) or GIAC Security Essentials (GSEC) certification.
  • Experience contributing to the development and improvement of agency-wide security authorization processes, templates, and standards to enhance the consistency and quality of security authorization activities across a federal system portfolio.

Our Equal Employment Opportunity Policy

The company is an equal opportunity employer. The company shall not discriminate against any employee or applicant because of race, color, religion, creed, ethnicity, sex, sexual orientation, gender or gender identity (except where gender is a bona fide occupational qualification), national origin or ancestry, age, disability, citizenship, military/veteran status, marital status, genetic information or any other characteristic protected by applicable federal, state, or local law. We are committed to equal employment opportunity in all decisions related to employment, promotion, wages, benefits, and all other privileges, terms, and conditions of employment.

The company is dedicated to seeking all qualified applicants. If you require an accommodation to navigate or apply for a position on our website, please get in touch with Heaven Wood via e-mail at accommodations@koniag-gs.com or by calling 703-488-9377 to request accommodations.

Koniag Government Services (KGS) is an Alaska Native Owned corporation supporting the values and traditions of our native communities through an agile employee and corporate culture that delivers Enterprise Solutions, Professional Services and Operational Management to Federal Government Agencies. As a wholly owned subsidiary of Koniag, we apply our proven commercial solutions to a deep knowledge of Defense and Civilian missions to provide forward leaning technical, professional, and operational solutions. KGS enables successful mission outcomes for our customers through solution-oriented business partnerships and a commitment to exceptional service delivery. We ensure long-term success with a continuous improvement approach while balancing the collective interests of our customers, employees, and native communities. For more information, please visit www.koniag-gs.com.

Equal Opportunity Employer/Veterans/Disabled. Shareholder Preference in accordance with Public Law 88-352
group id: 10201473
Find Koniag Government Services on Social Media
Recruiters
user avatar
About Us
Koniag Government Services (KGS) supports the values and traditions of our Native communities through an agile employee and corporate culture that delivers Enterprise Solutions, Professional Services, and Operational Management to Federal Government Agencies. We apply our proven commercial solutions to a deep knowledge of Defense and Civilian missions to provide forward leaning technical, professional, and operational solutions. KGS enables successful mission outcomes for our customers through solution-oriented business partnerships and a commitment to exceptional service delivery. We ensure long-term success with a continuous improvement approach while balancing the collective interests of our customers, employees, and Native communities. Through our wholly-owned subsidiary companies, including SBA Certified 8(a) and HUBZone companies, we provide exceptional service to our Government clients with a committed focus on: Community Mission. Solution Oriented. Exceptional People.

Koniag Government Services Jobs


Job Category
IT - Security
Clearance Level
Public Trust