Job Details

Business Operational Concepts (BOC) is a recognized leader in providing Technical and Program Management Services, Information Technology, and Support.

BOC has enabled their Government and Commercial clients to achieve their organizational initiatives through the application of high quality, innovative, and cost-effective professional services and solutions.  We provide a positive working environment, with opportunities for advancement in our growing Federal sector workforce. 

We offer an excellent compensation package which includes a generous salary, insurance (medical, dental, etc.), paid leave, 401k plan and more. We are committed to the diversity we bring to the marketplace and believe customer satisfaction comes first.

JOB SUMMARY: 

Business Operational Concepts (BOC) is currently seeking a Information Systems Security Officer (ISSO) to work with our government client. The selected candidate will serve as a technical and governance subject matter expert responsible for integrating cybersecurity risk management with system and infrastructure engineering. This position bridges the traditional gap between GRC and technical implementation by ensuring security is designed, implemented, and continuously monitored throughout the system development life cycle (SDLC).

DUTIES AND RESPONSIBILITIES:

The incumbent collaborates with system owners, developers, cloud and DevSecOps engineers, and security control assessors to ensure the confidentiality, integrity, and availability of agency information systems in alignment with federal requirements (e.g., FISMA, NIST RMF, FedRAMP, and OMB guidance).

QUALIFICATIONS:

Required (Minimum) Qualifications – Education, Certification, Experience, and Skills

Risk Management and Governance (40%)

• Serve as the primary technical lead for system-level RMF activities, including security categorization, control selection, implementation, and assessment.
• Develop and maintain system security documentation (SSPs, SARs, POA&Ms) and ensure continuous authorization (O-ATO) compliance.
• Conduct risk assessments to identify vulnerabilities, evaluate likelihood and impact, and recommend mitigation strategies.
• Support annual FISMA audits, OIG reviews, and internal compliance assessments with defensible technical evidence.
• Develop standardized risk metrics and dashboards that link system vulnerabilities to enterprise risk posture.

Security Engineering and Architecture Integration (35%)

• Embed security engineering practices into system design and cloud architectures, ensuring 'security-by-design' and 'Zero Trust' principles.
• Partner with system engineers and developers to integrate security controls in CI/CD pipelines, automation scripts, and infrastructure-as-code deployments.
• Validate security control implementations through technical testing, configuration review, and vulnerability analysis.
• Conduct secure architecture reviews and provide technical consultation on encryption, access control, and network segmentation.
• Collaborate with SOC and vulnerability management teams to ensure findings inform risk posture and remediation planning. 

Continuous Monitoring and Technical Validation (15%)

• Develop and maintain continuous monitoring strategies and implement automated data feeds from scanners, SIEM, and cloud tools into GRC systems.
• Validate and verify that implemented controls are operating as intended and produce desired security outcomes.
• Track and report control effectiveness and residual risks to leadership.

Policy, Audit, and Training Support (10%)

• Support updates to cybersecurity policy, SOPs, and agency guidance to reflect emerging threats and technologies.
• Provide training and mentoring to system owners and developers on secure design and RMF requirements.
• Support external audits by providing technical explanations and evidence of control effectiveness.

Knowledge, Skills, and Abilities (KSAs)

• Security Engineering: Knowledge of systems design, cloud infrastructure, encryption, access control, and secure configuration management.
• Risk Management: Knowledge of the principles and tools used for risk assessment and mitigation.
• Compliance & Governance: Expertise in NIST SP 800-37, SP 800-53, SP 800-53A, FIPS 199/200, FedRAMP, and OMB A-130.
• Vulnerability Management: Ability to analyze vulnerability data, interpret scanning results, and evaluate technical mitigations.
• Automation & Tools: Familiarity with GRC platforms (e.g., Archer, ServiceNow IRM, Xacta) and technical tools (e.g., Nessus, Splunk, AWS Config, Prisma).
• Communication: Skill in articulating technical risks and recommendations to both executive and technical audiences.
• Collaboration: Ability to partner effectively across multidisciplinary teams including developers, engineers, and policy staff.
• U.S. Citizenship required.
• Active Public Trust or higher clearance (or ability to obtain).
• Bachelor’s degree in Computer Science, Information Systems, Engineering, or equivalent experience.
• 3–5 years of experience in security engineering, GRC, or cybersecurity risk management.

Preferred Qualifications – Education, Certification, Experience, Skills, Knowledge, and Abilities

• Desired Certifications: CISSP, CISM, CAP, CGRC, CEH, Security+, or Cloud Security certifications

CLEARANCE REQUIREMENTS:

Public Trust or the ability to obtain and maintain a Public Trust clearance.  (Applicants selected will be subject to a government security investigation and must meet eligibility requirements for access to classified information.)