Information Systems Security Manager (ISSM)
TLDR
Ensuring cybersecurity posture and compliance of classified information systems in a Department of Defense facility, while managing critical security policies and risks.
System Authorization & Accreditation (A&A / RMF)
• Lead the Assessment and Authorization (A&A) process for all classified IS under the Risk Management Framework (RMF) in accordance with NIST SP 800-37 and DAAPM.
• Prepare, maintain, and submit System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), and Authorization to Operate (ATO) packages.
• Serve as the primary liaison with DCSA and Government customer representatives during system assessments, inspections, and audits.
• Maintain and manage the System Security Authorization Agreement (SSAA) or equivalent documentation for all IS operating at the TS level or above.
Compliance & Policy Management
• Ensure all classified information systems comply with 32 CFR Part 117 (NISPOM), applicable DoD and IC cybersecurity policies, Contract Data Requirements List (CDRLs), and Statement of Work (SOW) security requirements.
• Develop, implement, and maintain facility-level Information Systems Security policies, procedures, and Standard Operating Procedures (SOPs).
• Enforce configuration management (CM) controls and ensure all hardware/software changes to classified IS are reviewed and approved prior to implementation.
• Conduct periodic self-inspections of classified IS programs and remediate findings in coordination with the FSO and program leadership.
Continuous Monitoring & Incident Response
• Implement and manage a Continuous Monitoring (ConMon) program for all authorized classified information systems.
• Monitor audit logs, SIEM alerts, and vulnerability scan results; investigate anomalies and potential insider threats.
• Serve as the Facility Incident Response Manager for classified information system security incidents; coordinate reporting to DCSA and GCAs within required timeframes.
• Conduct or oversee technical vulnerability assessments and penetration testing as required by the CSA or contract requirements.
Personnel Security & Training
• Oversee ISSM-delegated Information System Security Officer (ISSO) personnel; provide mentorship, task delegation, and performance oversight.
• Develop and deliver annual IS security awareness training and role-based training for users of classified information systems.
• Maintain personnel access records and access control lists (ACLs) for all classified IS; ensure need-to-know verification prior to system access grants.
• Coordinate with the FSO to ensure the integration of personnel security and information security requirements.
Physical & Technical Security Integration
• Coordinate with facilities and physical security teams to ensure IS are housed in appropriately accredited spaces (SCIFs, Closed Areas, SAPs) in accordance with ICD 705 and DCSA physical security standards.
• Manage and enforce media protection, sanitization, and destruction procedures for classified storage media in accordance with NSA/CSS EPL requirements.
• Oversee PKI, multi-factor authentication (MFA), and privileged access management (PAM) implementations across classified networks.
• Active Top Secret (TS) security clearance; SCI eligibility required or must be obtainable within 6 months of hire.
• Minimum of 10 years of progressive experience in information systems security within a DoD or Intelligence Community classified environment, with 5 or more years' direct experience as an ISSM, ISSP, Security Control Assessor (SCA), or equivalent position.
• Demonstrated ISSM or ISSO experience supporting DCSA-adjudicated classified IS programs under NISPOM/DAAPM.
• A minimum of 3 years of direct working knowledge of the NIST RMF process (NIST SP 800-37, 800-53, 800-171) and DoD Assessment Methodology (DAAPM).
• Experience preparing and managing ATOs, SSPs, SAPs, and POA&Ms for TS and SCI-level information systems.
• Proficiency with eMASS (Enterprise Mission Assurance Support Service) or equivalent GRC tool.
• Working knowledge of SIEM platforms, vulnerability scanners (e.g., ACAS/Nessus), and HBSS/endpoint security tools.
• IAM Level II or III certification required per DoD 8570.01-M / DoD 8140 (e.g., CISSP, CISM, GSLC, or equivalent).
• Master’s degree or Bachelor's degree with equivalent work experience and certifications in Cybersecurity, Information Technology, Computer Science, or a related technical discipline, OR equivalent verifiable experience.
• Current TS/SCI access with polygraph (CI or Full Scope).
• Experience supporting Special Access Programs (SAPs) or Sensitive Compartmented Information Facilities (SCIFs).
• Familiarity with Cross Domain Solutions (CDS), data transfer processes, and CDSE/NSA approval workflows.
• Experience with Linux and Windows hardened STIG baseline implementation and validation.
• Knowledge of ICD 503, ICS 500-27, and CNSSI 1253 security control overlays.
• Prior DCSA inspection experience (NISP, SAP, or SCI programs).
• Additional certifications such as CASP+, CCSP, Security+, or CEH are a plus.
• Direct experience managing the system lifecycle of connected classified systems including Secret Defense Research and Engineering Network (SDREN), Secret Internet Protocol Router Network (SIPRNET), Non-classified Internet Protocol Router Network (NIPRNET), and Joint Worldwide Intelligence Communications System (JWICS) systems.
E-Space builds advanced low Earth orbit (LEO) systems specifically designed to support large-scale deployments of Internet of Things (IoT) solutions and services. We cater to businesses and innovators looking for reliable space-based communications that seamlessly bridge the gap between Earth and space.
- Founded: 2022
- Employees: 51-200
- Industry: Diversified Telecommunication Services
- Total raised: $50M