ISSO / Control Evaluator – Senior Job Description

Position Overview

Key Responsibilities

• Serve as the senior ISSO and security compliance advisor for assigned SBA systems, applications, services, and cloud environments.
• Provide leadership and technical oversight for RMF assessment, authorization, and continuous monitoring activities in accordance with NIST SP 800-37 Rev. 2.
• Conduct and oversee testing and validation of NIST SP 800-53 Rev. 5 security and privacy controls in accordance with NIST SP 800-53A assessment procedures.
• Develop, review, update, and maintain cybersecurity and privacy documentation including SSPs, CMPs, ISCPs, ISCP Test Reports, ERAs, POA&Ms, and architecture diagrams.
• Support SBA Ongoing Authorization (OA) activities including development and execution of OA Playbooks, positive testing, and negative testing methodologies.
• Document Determine If Statements (DISs), assessment evidence, and technical findings to demonstrate security control effectiveness.
• Develop Security Assessment Plans (SAPs), Security Assessment Reports (SARs), Annual Assessment Reports (AARs), and remediation recommendations.
• Coordinate vulnerability management activities including validation of remediation actions, mapping vulnerabilities to NIST controls, and tracking POA&M closure activities.
• Support FISMA reporting, cybersecurity metrics collection, dashboard reporting, and Governance Risk and Compliance (GRC) tool updates.
• Provide audit support for IG, GAO, FISMA, and internal assessments by coordinating artifact collection, walkthroughs, and audit response activities.
• Support High Value Asset (HVA) assessment activities and FedRAMP Continuous Monitoring (CONMON) management activities.
• Review system architectures, network topologies, cloud environments, and security configurations to identify cybersecurity risks and compliance gaps.
• Participate in SBA Enterprise Change Control Board (ECCB) activities and cybersecurity governance reviews.
• Provide technical guidance to system owners, ISSMs, engineers, administrators, and program stakeholders regarding cybersecurity compliance and remediation strategies.
• Ensure all deliverables are peer reviewed, aligned with SBA implementation procedures, Section 508 compliant, and submitted within required timelines.
• Support enterprise cybersecurity continuous monitoring, risk analysis, and automation/visualization initiatives.

Required Qualifications

• Bachelor’s degree in Cybersecurity, Information Assurance, Information Technology, Computer Science, Engineering, or related discipline.
• Minimum of eight (8) years of experience supporting federal cybersecurity, RMF, ISSO, or information assurance activities.
• Minimum of five (5) years of experience conducting security controls assessments, compliance evaluations, or continuous monitoring activities for federal systems.
• Extensive knowledge of NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, NIST SP 800-37 Rev. 2, FISMA, and OMB cybersecurity guidance.
• Experience supporting ongoing authorization (OA), continuous monitoring, and cybersecurity governance activities.
• Experience developing and maintaining cybersecurity documentation including SSPs, SARs, SAPs, AARs, POA&Ms, and related RMF artifacts.
• Experience supporting cloud security assessments and FedRAMP environments including AWS, Azure, Microsoft 365, and SaaS platforms.
• Experience supporting federal cybersecurity audits including IG, GAO, and FISMA reviews.
• Strong analytical, technical writing, communication, and stakeholder engagement skills.
• Experience using Governance Risk and Compliance (GRC) platforms and cybersecurity assessment tools.
• Relevant certifications such as CISSP, CAP, CISA, Security+, GSLC, or equivalent preferred.
• Ability to obtain and maintain a Moderate Risk background investigation and eligibility for higher-level clearances if required.

Desired Experience

• Experience supporting civilian federal agencies including SBA, DHS, or CISA.
• Experience supporting Zero Trust Architecture initiatives and FedRAMP CONMON activities.
• Experience coordinating penetration testing or vulnerability assessment remediation activities.
• Experience supporting enterprise cybersecurity dashboards, automation, and visualization reporting.