Posted: May 18, 2026
This role is contingent upon award
The IT CSSS program provides information security support to the Federal Bureau of Prisons Information Technology & Data Division and other DOJ components as required. The program supports BOP obligations to protect federal information systems under FISMA, OMB Circular A-130, the Privacy Act, NIST RMF guidance, DOJ policy, and related cybersecurity requirements.
The program covers ATO maintenance and rapid ATO activities, RMF lifecycle support, JCAM-based authorization management, FISMA/FISCAM audit support, security architecture and engineering support, vulnerability and risk management, privacy documentation, FedRAMP assessment support, continuous monitoring, and coordination with BOP system owners, CORs, AOs, and technical stakeholders.
The Senior ISSO supports BOP and DOJ cybersecurity authorization, compliance, and continuous monitoring activities for federal information systems. The role develops, maintains, and assesses SA&A packages; supports ATO maintenance and rapid ATO efforts; coordinates with system owners, assessors, technical teams, and government stakeholders; and ensures cybersecurity documentation, risk decisions, and control evidence remain accurate, defensible, and aligned to federal requirements.
- Work Location: BOP Central Office, Washington, DC; in-office required, telework as approved
- Security Clearance: Public Trust / Suitability
- Develop, maintain, and assess SA&A packages supporting ATO, re-ATO, ongoing authorization, and rapid authorization activities for BOP information systems.
- Support RMF preparation, categorization, control selection, implementation, assessment, authorization, and continuous monitoring in accordance with DOJ and BOP requirements.
- Use JCAM and government processes to document system registration, categorization, control baselines, authorization status, and required ATO artifacts.
- Assemble authorization packages, including SSPP/SSP artifacts, SARs, POA&Ms, residual risk reports, risk analysis reports, executive briefings, and authorization documentation.
- Develop and maintain assessment plans, control documentation, implementation statements, test evidence, and assessment results.
- Assess security and privacy controls against NIST SP 800-53, DOJ Cybersecurity Standards, BOP policy, and applicable federal guidance.
- Identify documentation gaps, validate evidence, and coordinate corrective actions with system owners, engineers, assessors, and government stakeholders.
- Update SSPP/SSP, SAR, POA&M, contingency plan, incident response plan, configuration management plan, privacy, and supporting artifacts as system conditions change.
- Track and report cybersecurity risks, vulnerabilities, weaknesses, and remediation activities through POA&M closure, risk acceptance, or corrective action.
- Support ongoing authorization by monitoring system and environment changes, initiating security and privacy impact analysis, and updating artifacts as required.
- Prepare security and privacy status reporting on system security posture, major risks, vulnerability status, POA&M progress, and key authorization activities.
- Coordinate with vulnerability management, SIEM, compliance, configuration management, and technical teams to collect evidence and support near real-time risk management.
- Coordinate with BOP system owners, CORs, AOs, SCOP/privacy officials, assessors, technical teams, and contractor leadership to resolve authorization risks.
- Prepare cybersecurity briefings, risk summaries, status updates, and decision support materials for government stakeholders and program leadership.
- Support monthly status reporting by documenting completed activities, deliverables, risks, issues, corrective actions, and staffing or performance considerations.
- Provide senior-level cybersecurity guidance regarding SA&A readiness, ATO package quality, risk communication, and compliance expectations.
- Bachelor’s degree required.
- Degree in cybersecurity, information systems, computer science, information technology, management information systems, or a related discipline preferred.
Candidate must possess at least one of the following required certifications:
- CISA – Certified Information Systems Auditor.
- CRISC – Certified in Risk and Information Systems Control.
- CISSP – Certified Information Systems Security Professional.
- CGRC – Certified in Governance, Risk and Compliance.
- Minimum of seven (7) years of cybersecurity experience.
- Minimum of six (6) years developing, maintaining, and assessing SA&A packages resulting in an ATO for IT systems.
- Experience supporting RMF, ATO maintenance, continuous monitoring, POA&M management, control assessment, and security authorization documentation.
- Experience preparing or maintaining SSP/SSPP, SAR, POA&M, risk assessment, residual risk, incident response, contingency planning, configuration management, privacy, and authorization package artifacts.
- Ability to coordinate with system owners, technical teams, assessors, authorizing officials, privacy stakeholders, CORs, and program leadership.
- Public Trust / Suitability required; must be able to obtain and maintain required access for the duration of assignment.
- Prior DOJ, BOP, or federal law enforcement cybersecurity support experience.
- Experience using DOJ JCAM or similar governance, risk, and compliance systems to manage authorization artifacts and evidence.
- Working knowledge of NIST SP 800-37, NIST SP 800-53, FISMA, FISCAM, OMB Circular A-130, Privacy Act requirements, DOJ cybersecurity policy, and FedRAMP concepts.
- Experience supporting on-premises, cloud, hybrid, or air-gapped federal systems.
- Strong written communication skills with the ability to produce audit-ready cybersecurity documentation and executive-level risk summaries.