Job Description
Company: cFocus Software Incorporated
cFocus Software seeks an Information Systems Security Manager (ISSM) to join our program supporting the National Institutes of Health (NIH). This position is fully remote. This position requires a Public Trust clearance or the ability to obtain one.
Qualifications:
• Public Trust Clearance
• B.S. Computer Science, Information Technology, or a related field
• 7+ years of progressively responsible experience supporting Federal cybersecurity programs.
• 5+ years serving as an ISSM, Senior ISSO, Security Manager, or equivalent cybersecurity leadership role.
• Demonstrated experience managing multiple federal information systems through the RMF lifecycle.
• Experience supporting FISMA High, Moderate, or Low systems.
• Active CISSP, CISM, CAP, GSLC, or Security+
Duties:
• Lead enterprise implementation of the NIST Risk Management Framework (RMF) across NIH/OD information systems.
• Manage the complete Assessment & Authorization (A&A) lifecycle for Low and Moderate FISMA systems.
• Direct the development, review, and approval of System Security Plans (SSPs), Security Assessment Plans (SAPs), Security Assessment Reports (SARs), Plans of Action & Milestones (POA&Ms), Security Control Traceability Matrices, and authorization packages.
• Oversee continuous monitoring activities to ensure ongoing security authorization.
• Supervise and mentor Information System Security Officers (ISSOs) supporting NIH/OD systems.
• Provide cybersecurity guidance to System Owners regarding implementation of NIST SP 800-53 Rev. 5 security controls.
• Manage enterprise cybersecurity risk assessments and recommend appropriate risk mitigation strategies.
• Oversee Risk Mitigation Waiver documentation, approvals, compensating controls, and periodic reassessment of residual risk.
• Coordinate with Security Control Assessors (SCAs), Authorizing Officials (AOs), System Owners, Privacy Officials, and executive leadership throughout the authorization process.
• Ensure compliance with FISMA, HHS, NIH, NIST, OMB, and Federal cybersecurity requirements.
• Review security architectures and proposed system changes for compliance with security requirements.
• Direct enterprise POA&M management activities, remediation tracking, and corrective action reporting.
• Review security assessment findings and validate remediation activities.
• Develop executive-level cybersecurity metrics, dashboards, and risk briefings.
• Support audit activities conducted by internal and external oversight organizations.
• Coordinate continuous monitoring strategies, vulnerability remediation activities, and compliance reporting.
• Provide technical leadership regarding Cybersecurity Supply Chain Risk Management (C-SCRM), common controls, and enterprise security governance.
• Review security exceptions and risk acceptance packages for executive approval.
• Ensure all RMF documentation remains current throughout the system lifecycle.
• Support strategic cybersecurity planning and governance initiatives.
Source: LinkedIn