Job description
It's fun to work in a company where people truly BELIEVE in what they're doing!
We're committed to bringing passion and customer focus to the business.
Please note that CNI is closely monitoring Executive Orders and will be following any final decisions or mandates regarding the COVID-19 Vaccination as a federal contract provider.
SUMMARY
The Information System Security Manager (ISSM) provides support to the Department of Defense (DOD), Defense Security Cooperation Agency (DSCA) Information Technology (IT) Division. The ISSM develops and maintains formal Information System (IS) security policies for the assigned areas of responsibility and ensures compliance with DSCA management policies.
ESSENTIAL DUTIES AND RESPONSIBILITIES
Essential duties and responsibilities include the following. Other duties may be assigned.
Responsible for the integration of CNI Core Competencies into daily functions, including the commitment to integrity, knowledge/quality of work, supporting financial goals of the company, initiative/motivation, cooperation/relationships, problem analysis/discretion, accomplishing goals through the organization, positive oral/written communication skills, leadership abilities, commitment to Affirmative Action, reliability/dependability, flexibility, and ownership/accountability of actions taken.
Provides technical and procedural Information System (IS) Security advice to the Program Manager, project manager, and technical support teams
Coordinates with the Program Manager to approve External Information Systems (e.g., interconnected system with another organization).
Must be able to work on-site in the Mechanicsburg facility at least two days a month and attend quarterly team meetings to discuss system issues.
Ensures the Local Area Networks (LANs) are prepared for, support the execution of, and respond to external cyber audits such as Command Cyber Operational Readiness Inspection (CCORI), Command Cyber Readiness Inspection (CCRI), Cybersecurity Service Provider (CSSP), Federal Information Security Management Act (FISMA), and Federal Information System Controls Audit Manual (FISCAM) audits. This includes, but is not limited to, aggregating documents and artifacts; securing the facilities and infrastructure needed to host auditors and meetings; developing presentations, briefs, and other products to inform stakeholders of audit readiness status; coordinating audit activities across the DSCA enterprise; and conducting routine internal audit assessments to maintain continuous audit readiness.
Works with the Program Manager to use continuous monitoring scoring and grading metrics to identify possible vulnerabilities and weaknesses of the program.
Ensures proper measures are taken when an IS incident or vulnerability is discovered.
Ensures configuration management policies and procedures for authorizing the use of hardware/software on an IS are followed. Any addition, change, or modification to hardware, software, or firmware must be coordinated with the appropriate Program Manager before it is made.
If applicable, serves as a voting member of the Configuration Control Board (CCB) and/or the Risk Executive Board. The ISSM has the authority to veto any proposed change they judge to be detrimental to security.
Manages, maintains, and executes the information security system’s continuous monitoring plan.
Ensures a record of all security-related vulnerabilities is maintained and that serious or unresolved violations are reported to the Program Manager. Assesses changes to the system, its environment, and operational needs that could affect the security authorization.
Performs quarterly self-assessment activities by scheduling meeting(s) for testing, examining, and interviewing system stakeholders to identify deficiencies, gaps, or other issues and provide remediation recommendations to the Program Manager.
Researches and works with the Program Manager to determine the severity of, and correct, any weaknesses or deficiencies discovered in the system and its operating environment. Recommends corrective actions to address identified vulnerabilities.
Assists the Program Manager with developing system artifacts, including system security plans, control family plans, system inventories, asset device findings, STIGs, categorization information, topology, system scan reports, and other relevant system documentation.
Creates Plans of Action and Milestones (POA&Ms) in eMASS to track weaknesses and implement effective, acceptable mitigation strategies. Ensures timelines are adequate and on track, and submits them for review and approval.
Prepares information systems for Authorization to Operate (ATO) assessments, including completing a Security Assessment Plan (SAP), system documentation, STIG checklists, and a self-assessment.
Discusses vulnerabilities in the bi-weekly meeting, with the expectation that a mitigation plan will be presented during the monthly ASI. Bi-weekly meetings are held with the technical support team to discuss IAVAs, ACAS results, STIGs, and POA&Ms, and to receive updates from each project branch on changes that affect the network's security posture. Reviews ACAS vulnerabilities weekly.
Plans daily activities within the guidelines of company policy, job description and supervisor’s instruction in such a way as to maximize personal output.
Responsible for aiding in own self-development by being available and receptive to all training made available by the company.
Responsible for keeping own immediate work area in a neat and orderly condition to ensure the safety of self and co-workers. Will report any unsafe conditions and/or practices to the appropriate supervisor and human resources. Will immediately correct any unsafe conditions to the best of own ability.
Promotes and encourages a culture of compliance with all applicable rules (federal, state, local, Federal Acquisition Regulations, Code of Federal Regulations, Prime Contract requirements, etc.) for themselves and the company as a whole. Fosters an environment in which they will report any violations or reasonably suspected violation of CNI policy, FAR, and/or CFR and are comfortable discussing the myriad compliance, conflict, FAR, CFR, etc. issues that arise during the performance of a government contract.
EDUCATION / EXPERIENCE
Bachelor's degree in a related field of study and a minimum of ten (10) years’ relevant experience, or equivalent combination of education / experience. Five (5) years’ experience in managing IT projects or programs focused on interpreting and applying DoD CS policy and guidance to operational DoD IT environments. Prior Security Control Assessor experience a plus.
Demonstrated skills and experience in at least eight (8) of the following 15 areas of expertise:
Current Microsoft server and workstation OS security configurations
Current Red Hat Enterprise Linux OS security configurations
Current Unix OS security configurations
Current Microsoft server and desktop application security
VMware security
Database security (e.g., Oracle, MS SQL, and MS Access)
Border device security (e.g., firewall, TCP/IP, IP addressing and routing, WAN technologies, ports, and protocols)
Encryption standards
Vulnerability scanning using an approved DoD scan method
Application code scanning with Fortify or another industry-standard product
HBSS monitoring
Auditing (e.g., system accounts, security logs, system and network anomalies)
Working knowledge of DoD Components
Metrics: capture and documentation
Technical writing: technical documents and user training materials
CERTIFICATES / LICENSES / REGISTRATION
Must possess a current DoD Secret Clearance which requires U.S. Citizenship
Active IAM-II or III certification through one of the following certifications:
Certified Authorization Professional - CAP
CompTIA Advanced Security Practitioner - CASP+
Certified Information Security Manager - CISM
Certified Information Systems Security Professional - CISSP or CISSP Associate
GIAC Security Leadership Certification - GSLC
JOB SPECIFIC KNOWLEDGE / SKILLS / ABILITIES
Knowledge of the MS Office Suite applications (Outlook, Word, Access, PowerPoint, and Excel) to perform data evaluation, formulas, and analytics.
Specialized knowledge and advanced skills in security incident management policies, concepts, practices, and procedures, threat intelligence, and continuous monitoring.
Knowledgeable of security-related processes concerning Federal risk and compliance regulations and best practices.
Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, and non-repudiation).
Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
Excellent critical thinking skills with the ability to identify, analyze and resolve problems / complex issues.
Excellent verbal and written communications skills with the ability to prepare quality reports and effectively communicate/interact with various technical and non-technical audiences (i.e., customers, team members, management, and federal staff).
Exceptional customer service skills with the ability to respond to requests in a professional, helpful, and timely manner.
Highly organized with the ability to manage multiple projects and priorities effectively.
Ability to work in a fast-paced environment and to learn and apply new knowledge and techniques related to incident response and continuous monitoring capabilities.
Ability to effectively work independently and in a team environment to achieve goals.
LANGUAGE SKILLS
Ability to read, analyze and interpret common scientific and technical journals, financial reports, and legal documents. Ability to respond to common inquiries or complaints from customers, regulatory agencies, or members of the business community. Ability to write speeches and articles for publication that conform to prescribed style and format. Ability to effectively present information to top management, public groups, and/or boards of directors.
MATHEMATICAL SKILLS
Ability to calculate figures and amounts such as discounts, interest, commissions, proportions, percentages, area, circumference, and volume. Ability to apply concepts of basic algebra and geometry.
REASONING ABILITY
Ability to define problems, collect data, establish facts, and draw valid conclusions. Ability to interpret an extensive variety of technical instructions in mathematical or diagram form and deal with several abstract and concrete variables.
PHYSICAL DEMANDS
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions of this job. Work is primarily performed in an office environment. Regularly required to sit. Regularly required to use hands to finger, handle, or feel; reach with hands and arms to handle objects; and operate tools, computer, and/or controls. Required to speak and hear. Occasionally required to stand, walk, stoop, kneel, crouch, or crawl. Must frequently lift and/or move up to 10 pounds and occasionally lift and/or move up to 25 pounds. Specific vision abilities required by this job include close vision, distance vision, depth perception, and ability to adjust focus. Exposed to general office noise from computers, printers, and light traffic.
EQUAL EMPLOYMENT OPPORTUNITY STATEMENT
All qualified applicants will receive consideration for employment without regard to race, color, sex, sexual orientation, gender identity, religion, national origin, disability, veteran status, age, marital status, pregnancy, genetic information, or other legally protected status.
If you like wild growth and working with happy, enthusiastic over-achievers, you'll enjoy your career with us!