Information System Security Engineer (ISSE) II

ROTHR Information System Security Engineer (ISSE)

This job opportunity is for the ROTHR Information System Security Engineer (ISSE) position at ROTHR Chesapeake, VA facility. The ISSE is responsible for the local DoD Mission network servers and workstations in accordance with the authoritative USG requirements documents including (but not limited to): DISA STIGS, DD254, SCGs, CND Directives, OPORDS, etc. The Information System Security Engineer (ISSE) holds a vital role throughout the Risk Management Framework (RMF) process, with key responsibilities particularly evident in the implementation, assessment, and continuous monitoring phases

What You Will Do

System Design and Architecture

• Oversee the development and maintenance of a system's cybersecurity solutions.
• Participate in the system engineering process to ensure that cybersecurity requirements, design, and testing are properly addressed throughout the system lifecycle.
• Engage with the Network Engineer, Systems Engineer, and Integrated Product Team (IPT) lead to confirm the compatibility of cybersecurity architecture and design with the overall system design and integration.
• Identify where their system resides within the overall Navy security architecture (e.g., network, ship, site).
• Coordinate with all primary connecting systems to determine what protections can be inherited.
• Apply system security and privacy engineering principles and practices to securely develop and integrate system components into information systems.

Security Control Management (Implementation and Tailoring)

• Lead the security control implementation and testing efforts. Identify and tailor the security control baseline with applicable overlays.
• Consider control inheritance and inheritance models when assigning controls during the security control selection process.
• Conduct all preliminary technical testing, including Security Technical Implementation Guides (STIGs), Security Requirement Guides (SRGs), and Assured Compliance Assessment Solution (ACAS)/Nessus scans.
• Document detailed results of each Assessment Procedure (AP) within eMASS in the 'Test Results' section for each AP.
• Implement approved security controls (often in coordination with the ISSM).
• Remediate findings and/or implement mitigating controls as possible.
• Update the Plan of Actions & Milestones (POA&M) with non-compliant security controls as required.

Risk Assessment

• Perform vulnerability-level risk assessments on the POA&M/CAP.
• Conduct an initial complete risk assessment and document results in the POA&M.
• For identified deficiencies, determine the theoretical attack path for potential exploitation.
• Work with the Program Manager/Information System Owner (PM/ISO) to develop the Risk Assessment, incorporating vulnerabilities from the formal assessment.

Security Assessment Plan (SAP) & Authorization

• Assist with the development, maintenance, and tracking of the Security Plan (SP)
• For assessment efforts that do not require a Navy Qualified Validator (NQV), the ISSE (as part of program personnel) is responsible for developing a comprehensive SAP and submitting it for Security Control Assessor (SCA) review and approval.
• Ensure the execution of any security testing required as part of Assessment & Authorization (A&A) or annual reviews.
• Execute the SAP and assess applicable security controls (Validator participation is encouraged but not required).
• Ensure data entered in the eMASS record and POA&M is consistent with implementation results.
• Document and provide all requested rework to the Package Submitting Officer (PSO)/Program Management Office (PMO) for review.

Continuous Monitoring

• Oversee cybersecurity testing to assess security controls and record their compliance status during the continuous monitoring phase of the lifecycle.
• Support the Information System Security Manager (ISSM) in implementing the System Level Continuous Monitoring (SLCM) Strategy, tracking compliance of associated security controls, and communicating security findings.
• Update the Security POA&M as necessary during the monitoring step.

Coordination and Documentation

• Identify Authorizing Official (AO) and SCA cognizance of the system, as well as any specific authorization requirements such as reciprocity, cross domain solutions, and applicable overlays to support System Categorization.'
• Utilize the Collaboration Board in the eMASS workflow for formal coordination during the RMF process, posting detailed findings in the Artifacts tab if necessary
• The ISSE is generally accountable to the Program Manager/System Owner (PM/SO) and is considered a system-specific role within RMF personnel.

Qualifications You Must Have

• Active and transferable U.S. government issued Top Secret security clearance is required prior to start date. U.S. citizenship is required, as only U.S. citizens are eligible for a security clearance."
• Typically requires a BS degree in Science, Technology, Engineering or Mathematics(STEM) and a minimum of 2 years of prior relevant experience unless prohibited by local laws/regulations.
• Required DoD 8570.01 IAT Level 2 (requires one or more of the following Professional Certifications: CNA Security, GICSP, GSEC, Security+ CE, SSCP )

Learn More & Apply Now!