Based in Northern VA, Axiologic Solutions LLC has opportunities for you to become part of our high-quality team that delivers innovative solutions to key federal clients. We are currently seeking a Senior Information Systems Security Officer to fulfill customer requirements with outstanding customer service and engagement. This dynamic position requires the ability to anticipate needs, think critically, and offer solutions to problems with a high level of professionalism.
Responsibilities:
- Lead and execute Security Assessment and Authorization (SA&A) activities for assigned systems, ensuring full compliance with Risk Management Framework (RMF) and Security & Privacy Assessment & Authorization (SPAA) Handbook guidance.
- Prepare, update, and maintain security authorization packages for Authorization to Operate (ATO) and Authorization to Test (ATT), including System Security Plans, Configuration Management Plans, Incident Response Plans, Information System Contingency Plans, system narratives, architecture diagrams, and associated memoranda.
- Manage all required system artifacts and documentation, ensuring all deliverables are accurate, timely, and conform to DOJ-approved templates, with meticulous attention to detail (including formatting, grammar, and compliance).
- Conduct and document annual core controls assessments, periodic vulnerability and compliance scans, audit log reviews, Security Impact Analyses (SIAs), and risk-based decision memoranda with actionable remediation and mitigation plans.
- Oversee Plan of Action and Milestones (POA&M) development, tracking, and reporting; ensure weaknesses, vulnerabilities, and mitigation milestones are promptly documented, managed, and independently closed per DOJ policy.
- Maintain and update system security documentation and records (e.g., ATO, ATT, ISCP, IRP, CMP, POA&M, BIA, IPA, PIA, RIMcert) in the Joint Cybersecurity Assessment Management (JCAM) system as operational events require.
- Ensure ongoing information system compliance through continuous monitoring (CM), including periodic review and remediation of vulnerabilities, and validation of implemented system, privacy, and security controls.
- Lead the incident response lifecycle for assigned systems, including incident detection, analysis, reporting, containment, eradication, recovery, and post-incident documentation in coordination with DOJ stakeholders.
- Prepare and submit FISMA, FISCAM, OMB A-123, DOJ data calls, and other audit/certification artifacts and reports, ensuring responses are timely, comprehensive, and audit-ready.
- Initiate and coordinate completion of privacy assessments, including Initial Privacy Assessment (IPA), Privacy Impact Assessment (PIA), and SORN, in collaboration with the Office of Privacy and Civil Liberties, when required.
- Execute and validate asset tagging and asset inventory corrections for assigned systems, through regular reviews in JCAM.
- Oversee and document Business Impact Analyses (BIA) in support of contingency planning, ensuring steps are completed and reviewed at least annually or as significant system changes arise.
- Coordinate and deliver all documentation, briefings, and system owner presentations required for ATO/ATT pre-briefs and authorization milestones.
- Support department supply chain risk management (SCRM) by conducting system and vendor risk assessments, submitting SCRM intake forms, and responding to SCRM program requests.
- Monitor Ongoing Authorization (OA) triggers, submit OA eligibility requirements, and deliver quarterly OA briefs and supporting documentation to Authorizing Officials, highlighting system status and risk posture.
Required:
- Must have an active/current TS/SCI and be able to pass a CI Poly.
- Must have at least 6 years of experience with GRC, RMF, NIST Publications, Information Assurance (IA), and Cyber Security.
- Must have at least 3 years supporting and maintaining system authorizations for a federal government department or agency for a system identified as either a cloud system (i.e., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS)), major application, mission critical, high categorization, or a high value asset.
- Must have proficient knowledge of network defense and cloud systems, and good working knowledge of various security tools, such as but not limited to: JCAM (or an equivalent Governance, Risk, and Compliance (GRC) tool), Tenable, BigFix, and Splunk (or another Security Incident and Event Management (SIEM) tool), and/or equivalent.
- Must have and maintain at least two of the following certifications:
  - Certified Information Systems Security Professional (CISSP)
  - Certified Information Security Manager (CISM)
  - Certified Governance, Risk and Compliance (CGRC)
  - Certified in Risk and Information Systems Control (CRISC)
  - Information Systems Security Management Professional (ISSMP)
  - Certified Information Systems Auditor (CISA)
  - Certified Cloud Security Professional (CCSP)
  - Certified Ethical Hacker (CEH)
  - CompTIA Security+
  - Project Management Professional (PMP)
- Experience with JCAM.
- Experience with the DoD, DIACAP, and/or RMF process and requirements.
- Network architecture, security engineering, and operations experience required.
- Experience with tools such as Tenable and/or Splunk required.
- Excellent oral and written communication skills with customers, team, and leadership.
Benefits Overview:
- Health Insurance: Medical, dental, and vision plans.
- Retirement Plans: 401(k) with company match.
- Paid Time Off: PTO and holidays.
- Professional Development: Tuition Assistance for courses and certifications.
- Fitness & Wellness Stipend.
- Electronic Stipend.
Applicants with a physical or mental disability, who require a reasonable accommodation for any part of the application or hiring process, may e-mail their request to hr@axiologicsolutions.com or call 571-295-4990. Determinations on request for reasonable accommodation will be made on a case-by-case basis. Axiologic Solutions and its subsidiaries are an Equal Opportunity Employer, as such we do not discriminate against any employee or applicant for employment as protected by applicable laws.