Information System Security Officer (ISSO)
Ref No.: 18-03524
Location: College Park, Maryland
Position Type: Contract
Start Date: 04/10/2018
Project Description:
1.1 The National Archives and Records Administration (NARA) is an independent Federal agency with a mission to serve American democracy by safeguarding and preserving the records of our Government, thus ensuring that people can discover, use, and learn from this documentary heritage. NARA ensures continued access to the essential documentation of the rights of American citizens and the actions of their Government. We support democracy, promote civic education, and facilitate historical understanding of our national experience.

1.2 NARA's IT operating environment comprises approximately 90 systems: 28 classified and 62 unclassified. A number of NARA systems are externally hosted by commercial or government providers under Memoranda of Understanding (MOUs) that specify roles and responsibilities for security authorization. In addition, NARA has major business systems, including email and collaboration services, hosted or planned to be hosted by Federal Risk and Authorization Management Program (FedRAMP) certified cloud service providers.

1.3 NARA is dedicated to establishing and maintaining a high security posture to preclude unauthorized access and malicious activity to NARA systems, data, and records. The objective of this Performance Work Statement (PWS) is to extend enhanced security support services to NARA's systems. A complete list of systems and descriptions is provided as Government Furnished Information (GFI).

Task Description:

Required Skills/Level of Experience ISSO:
4.5 Position Requirements. ISSO Personnel should meet the following requirements:

a. BS/BA in Computer Science, Information Systems, Software Engineering or other related analytical, scientific or technical discipline.
b. CISSP Certification highly preferred.
c. Five (5) years of experience in IT security, including SA&A and/or IT security risk analysis, preferably in support of the Federal Government.
d. Knowledge of Federal Government SA&A practices and policies, particularly FISMA and NIST Special Publications 800 series.
e. Industry recognized and accepted certifications relating to IT security preferred (CISSP, GIAC, CEH, TNCP, Security+, Network+ etc.).
f. Ability to work independently and also to collaborate with application developers, engineers and others.
g. Must be motivated and results oriented.
h. Effective written and oral communication skills.
i. Previous Federal Government experience a plus.

The Project Manager must meet the above requirements and also have at least 5 years' experience managing projects to implement the Risk Management Framework in the federal government.

4.7 Mandatory Personnel Requirement: proposed personnel for this position will be subject to a Government Security Investigation and must meet eligibility for access to classified information.

The Vendor will provide sufficient personnel to cover TS systems and have at least one person on staff to backfill TS requirements.

Job Description

2.1 Security Support Services. The Vendor will provide the following Information Systems Security Officer (ISSO) support services for the systems identified in the Master System List and any other systems that may be added.

2.2 For each system the appointed ISSO will:

a. Ensure NARA systems are accessed, integrated, accredited, operated, maintained and disposed of in accordance with applicable security policies and practices outlined in NIST Special Publication 800-53 (latest revision), Security and Privacy Controls for Federal Information Systems and Organizations; NARA Directive 202, NARA Classified Information Security Program; and NARA Directive 804, Information Technology (IT) Systems Security;

b. Coordinate with the System Owners to ensure that system account requests are for valid users who are eligible for access to the information systems and have a valid need to access them, and that all requirements have been met before authorizing access to the system(s);

c. Develop and maintain a comprehensive project plan (roadmap) that at a minimum identifies the tasks to be accomplished in the course of completing the requirements, defines project staff roles/responsibilities, and provides a detailed timeline for completion of tasks. The project plan shall include at a minimum the following:
i. Milestones and dates for completion of each deliverable per system
ii. Gantt chart for project plan showing milestones and dates for completion of each deliverable per system
iii. Resources assigned to each system on project plan
iv. Detailed Communications Plan dedicated to the handling of communications between the Vendor, System Owners, O&M Vendors and the Government.

d. Assist system owners to review and validate (recertify) non-privileged user accounts annually and privileged user accounts and rights monthly in accordance with the NARA IT Security Requirements (provided as a GFI) (security control AC-2), to ensure the user's continued need for system access and that the assigned privileges for each user are the minimum required for their current job functions;
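The recertification task above has two checkable parts: each account's last review must fall within its cadence (privileged monthly, non-privileged annually), and each user's rights must not exceed the minimum for their job function. The following Python is an added illustration of such a check, not NARA's or the Vendor's tooling; it assumes fixed review windows of 30 and 365 days, a per-role baseline of minimum rights, and a constructed set of sample accounts, none of which appear in the work statement.

```python
"""Account recertification check in the spirit of AC-2 (added example, not NARA's code).

Assumptions not stated on the page: "monthly" and "annually" are approximated as
30- and 365-day windows, and a per-role baseline defines the minimum rights a job
function needs. Roles, rights and users below are constructed sample data.
"""
from datetime import date, timedelta

# Assumed review cadence for privileged and non-privileged accounts.
PRIVILEGED_WINDOW = timedelta(days=30)
NON_PRIVILEGED_WINDOW = timedelta(days=365)

# Constructed role baselines: the minimum rights each job function requires.
ROLE_BASELINE = {
    "archivist": {"read_records"},
    "app_admin": {"read_records", "write_records", "manage_app"},
    "dba": {"read_records", "db_admin"},
}

# Constructed sample accounts (hypothetical users, not from the page).
ACCOUNTS = [
    {"user": "alice", "role": "archivist", "privileged": False,
     "rights": {"read_records"}, "last_reviewed": date(2018, 1, 15)},
    {"user": "bob", "role": "app_admin", "privileged": True,
     "rights": {"read_records", "write_records", "manage_app", "db_admin"},
     "last_reviewed": date(2018, 2, 20)},
    {"user": "carol", "role": "dba", "privileged": True,
     "rights": {"read_records", "db_admin"}, "last_reviewed": date(2018, 3, 25)},
    {"user": "dave", "role": "archivist", "privileged": False,
     "rights": {"read_records", "write_records"}, "last_reviewed": date(2016, 12, 1)},
]


def review_window(account):
    """Cadence that applies to this account: monthly if privileged, else annual."""
    return PRIVILEGED_WINDOW if account["privileged"] else NON_PRIVILEGED_WINDOW


def overdue_for_review(accounts, today):
    """Usernames whose last recertification is older than their cadence allows."""
    return sorted(a["user"] for a in accounts
                  if today - a["last_reviewed"] > review_window(a))


def excess_rights(account, baseline=ROLE_BASELINE):
    """Rights held beyond the role's minimum; a non-empty result is a least-privilege finding."""
    return account["rights"] - baseline.get(account["role"], set())


def recertification_report(accounts, today):
    """Findings an ISSO would raise with the System Owner: overdue reviews and excess rights."""
    return {
        "overdue_review": overdue_for_review(accounts, today),
        "excess_rights": {a["user"]: sorted(excess_rights(a))
                          for a in accounts if excess_rights(a)},
    }


if __name__ == "__main__":
    # Review date taken as the contract start date on the page.
    report = recertification_report(ACCOUNTS, date(2018, 4, 10))
    for user in report["overdue_review"]:
        print(f"recertification overdue: {user}")
    for user, rights in report["excess_rights"].items():
        print(f"rights beyond role baseline for {user}: {', '.join(rights)}")
```

Run as a script it lists who needs a review and who holds rights their role does not require; the two checks are kept separate because they go to different owners: the review cadence is the ISSO's own control, while excess rights are a finding to be reduced by the System Owner.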

e. Perform Security Controls Testing to audit and inspect system security controls, processes and procedures;

f. Manage and track system security requirements during all phases of the system's life cycle for all operational and development projects;

g. Create, update, and maintain the following security documentation (status of each system's documentation is provided in the attached systems list):

1. FIPS 199 (Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems) form;
2. System Security Plan (SSP) completed in accordance with NIST Special Publication 800-18. Security plans are maintained in Xacta or on Shared Drives;
3. Contingency Plan in accordance with NIST Special Publication 800-34;
4. Annual Contingency Test Plan and Contingency Test Report conducted in accordance with the NARA IT Security Requirements (security controls CP-2 and CP-4);
5. Configuration Management Plan in accordance with NIST Special Publication 800-128;
6. Incident Response Plan in accordance with NIST Special Publication 800-6;
7. Annual Incident Response Plan Test conducted in accordance with NARA IT Security Requirements (security controls IR-3) and Incident Response Plan Test Report generated;
8. Plan of Actions & Milestones (POA&M) in accordance with the NARA IT Security Requirements, security control PM-4;
9. Where applicable, resolve and track vulnerabilities identified during security assessments within the timeframe indicated in the POA&M;
10. Business Impact Analysis (BIA) in agreement with NIST Special Publication 800-34;
11. Initial Privacy Review (IPR) and Privacy Impact Assessment (PIA) in accordance with NIST SP 800-53 Appendix J and the NARA IT Security Requirements, security control AR-2;
12. System level Policy and Procedure documentation;
13. System Component inventory to include the following information:
i. Hostname
ii. Current IP Address
iii. Component Model Number
iv. NARA Asset Number/Serial Number
v. Primary software running on that component (e.g., Operating System, Database, Web server, Application Software, Backup Software, etc.)
vi. Environment (identify whether component is a production, test, or development machine)
vii. Location of Component

h. Report, respond, and track security incidents in accordance with the NARA Computer Security Incident Handling Guide;

i. Ensure that audit trails are reviewed weekly and retained for the period of time defined in the SSP.

j. Respond to data calls (e.g., OIG data calls, COR requests for system information) to provide security artifacts as requested.