Tal-Ex is partnering with a government services provider to identify an Information Systems Security Officer (ISSO).  This is a contract to hire role located in Arlington, VA.

ISSOs shall work with NPPD OCISO to audits/review ATO packages on all NPPD systems at the time of any document review request(s).

3.1.1 Documentation Compliance Review

ISSOs shall work with NPPD OCISO to audits/review ATO packages on all NPPD systems at the time of any document review request(s).

Review ISSO selected controls for completeness based on system FIPS 199 classification

Verify system compliance with DHS 4300A guidance, including implementation of system hardening guidelines Review uploaded system documentation utilizing IACS for completeness and clarity:
o Privacy impact assessment (if applicable)
o Continuous Monitoring Plan
o Contingency Plan
o Contingency Plan Testing
o Configuration Management Plans

Perform Requirements Traceability Matrix review in IACS following ISSO completion for validated testing and completeness

Review Risk Assessment to ensure all test results are properly documented

Develop customized training materials and resources to provide guidance to NPPD’s sub-components regarding document review remediation, as well as train them in the document review process

Maintain and recommend changes to the annual Security Authorization (SA) document review checklist supporting the annual NPPD Information Security Performance Plan

Recommend metrics to evaluate the performance of document reviews. Recommend changes to improve the quality and reduce the time of document reviews

Maintain logs of all review activities. Recommend metrics to improve overall NPPD information security posture and performance. Complete weekly progress reports on the status of all compliance reviews

3.1.2 Plan of Action & Milestone (POA&M) Review

Validate all POA&Ms are created and tracked in IACS
Review PO&AMs for completeness to ensure all system deficiencies are properly identified Validate POA&Ms are associated to a Security Assessment Report (SAR) generated finding if

applicable
Maintain and revise the NPPD POA&M Guide to reflect changing guidance and implement process

improvements. Evaluate the effectiveness of NPPD’s weakness remediation process and make changes to the POA&M Guide as requested by the Government.

3.1.3 Nessus Scan Review

Contractor shall support and offer FISMA compliance guidance to sub-component ISSMs and ISSOs as directed by NPPD OCISO.

Page 1 of 2

3.1.4 ISSM / ISSO Support

Contractor shall review Nessus scans for anomalies, open ports, encryption in use, identified vulnerabilities, authorized accounts, privilege accounts, and SSL configuration settings

Contractor shall support and offer FISMA compliance guidance to sub-component ISSMs and ISSOs as directed by NPPD OCISO.

3.1.5 Final Reports

Contractor shall perform final documentation review, and provide the following reports: Security Assessment Plan (SAP)
SAR
Risk Assessment (RA)

Draft Authorization letter for OCISO review, as appropriate Other documents, as required

3.1.6 Metrics and Strategies

Recommend metrics and recommend improvements for tracking progress on remediation information security weaknesses. Recommend strategies for evaluating overall Department and Component risks associated with outstanding weaknesses.

Monitor and report progress on Sub-Component-level remediation efforts

Assist NPPD Sub-Components with developing, improving, and reviewing Plans of Actions and Milestones (POA&Ms) ensuring quality standards are met

Develop and implement a compliance model for monitoring internal controls of Chief Financial Officer (CFO)-Designated Financial Systems in accordance with OMB A-123, as required.

Develop and recommend metrics for audit tracking. Identify methods for improving the tracking of information security weaknesses and supporting compliance activities

3.1.7 Validation

Contractor shall support the ISO Inventory Management Team to identify and validate component information system assets.

Examine system security documentation, system security artifacts, system configuration settings, walkthrough inspection(s) of the information system facility, and interviews with key personnel such as ISSM, technical personnel, and system owner

Develop and maintain a review methodology for conducting Outreach and Assistance Visits