United States onlyISSO / Control Evaluator – Senior Job Description
Position Title: ISSO / Control Evaluator – SeniorOpportunity: SBA Enterprise Cybersecurity Services (ECS)
Position Overview
The ISSO / Control Evaluator – Senior shall provide cybersecurity governance, Risk Management Framework (RMF), continuous monitoring, and security controls assessment support services for the U.S. Small Business Administration (SBA) Enterprise Cybersecurity Services (ECS) program.Key Responsibilities
- Serve as the senior ISSO and security compliance advisor for assigned SBA systems, applications, services, and cloud environments.
- Provide leadership and technical oversight for RMF assessment, authorization, and continuous monitoring activities in accordance with NIST SP 800-37 Rev. 2.
- Conduct and oversee testing and validation of NIST SP 800-53 Rev. 5 security and privacy controls in accordance with NIST SP 800-53A assessment procedures.
- Develop, review, update, and maintain cybersecurity and privacy documentation including SSPs, CMPs, ISCPs, ISCP Test Reports, ERAs, POA&Ms, and architecture diagrams.
- Support SBA Ongoing Authorization (OA) activities including development and execution of OA Playbooks, positive testing, and negative testing methodologies.
- Document Determine If Statements (DISs), assessment evidence, and technical findings to demonstrate security control effectiveness.
- Develop Security Assessment Plans (SAPs), Security Assessment Reports (SARs), Annual Assessment Reports (AARs), and remediation recommendations.
- Coordinate vulnerability management activities including validation of remediation actions, mapping vulnerabilities to NIST controls, and tracking POA&M closure activities.
- Support FISMA reporting, cybersecurity metrics collection, dashboard reporting, and Governance Risk and Compliance (GRC) tool updates.
- Provide audit support for IG, GAO, FISMA, and internal assessments by coordinating artifact collection, walkthroughs, and audit response activities.
- Support High Value Asset (HVA) assessment activities and FedRAMP Continuous Monitoring (CONMON) management activities.
- Review system architectures, network topologies, cloud environments, and security configurations to identify cybersecurity risks and compliance gaps.
- Participate in SBA Enterprise Change Control Board (ECCB) activities and cybersecurity governance reviews.
- Provide technical guidance to system owners, ISSMs, engineers, administrators, and program stakeholders regarding cybersecurity compliance and remediation strategies.
- Ensure all deliverables are peer reviewed, aligned with SBA implementation procedures, Section 508 compliant, and submitted within required timelines.
- Support enterprise cybersecurity continuous monitoring, risk analysis, and automation/visualization initiatives.
Required Qualifications
- Bachelor’s degree in Cybersecurity, Information Assurance, Information Technology, Computer Science, Engineering, or related discipline.
- Minimum of eight (8) years of experience supporting federal cybersecurity, RMF, ISSO, or information assurance activities.
- Minimum of five (5) years of experience conducting security controls assessments, compliance evaluations, or continuous monitoring activities for federal systems.
- Extensive knowledge of NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, NIST SP 800-37 Rev. 2, FISMA, and OMB cybersecurity guidance.
- Experience supporting ongoing authorization (OA), continuous monitoring, and cybersecurity governance activities.
- Experience developing and maintaining cybersecurity documentation including SSPs, SARs, SAPs, AARs, POA&Ms, and related RMF artifacts.
- Experience supporting cloud security assessments and FedRAMP environments including AWS, Azure, Microsoft 365, and SaaS platforms.
- Experience supporting federal cybersecurity audits including IG, GAO, and FISMA reviews.
- Strong analytical, technical writing, communication, and stakeholder engagement skills.
- Experience using Governance Risk and Compliance (GRC) platforms and cybersecurity assessment tools.
- Relevant certifications such as CISSP, CAP, CISA, Security+, GSLC, or equivalent preferred.
- Ability to obtain and maintain a Moderate Risk background investigation and eligibility for higher-level clearances if required.
Desired Experience
- Experience supporting civilian federal agencies including SBA, DHS, or CISA.
- Experience supporting Zero Trust Architecture initiatives and FedRAMP CONMON activities.
- Experience coordinating penetration testing or vulnerability assessment remediation activities.
- Experience supporting enterprise cybersecurity dashboards, automation, and visualization reporting.
