Information System Security Officer (ISSO)

Remote /
Technology – Technology /
Full Time
Who we are:
Bixal is a mission-driven, woman-owned small business determined to improve people's lives through human-centered strategies and transformative technologies, with a firm belief that everyone has the right to an effective government.  
We deliver on this belief by partnering with leading Federal agencies to design, develop, and deliver powerful customer experiences through holistic digital product solutions and strategic communications initiatives––bringing a high standard and unique creative energy to our clients––and our wonderfully diverse culture is what makes it all possible.  
Bixal unites different people with different perspectives from all over the world! We provide our team with an open and empowered environment where collaboration thrives and solutions flourish. 

What will you do?

The Information Security Officer (ISSO) will lead efforts to conduct security control assessments of the security and privacy controls implemented by an information system to determine the overall effectiveness of the controls and the vulnerability state of components, applications and databases residing within the system boundary. Following the NIST Cybersecurity Framework, Risk Management Framework and using NIST 800-53A, the ISSO verifies the security status of existing information systems with an Authority to Operate (ATO) by performing appropriate assessments on any new system developed or deployed by the customer and conducts audits of security controls to ensure continuous monitoring of systems assigned. Assesses systems that have previously been assessed and received an ATO and systems that have not yet been assessed and do not have an ATO. 

You will also be given the unique opportunity of leading the certification and accreditation process for a fully cloud-based software development environment. You will be responsible for compliance testing, tracking issues, fixing problems, and documenting, documenting, documenting! The ISSO must possess expert level experience and knowledge in strategic planning and information security functions. This position allows you the opportunity to begin security planning, consulting, and implementation activities at the ground level in order to build fully accredited environment and platforms as a service within Amazon Web Services (AWS) and other FedRAMP certified cloud service providers. 


This role can be remote.  You must be legally eligible to work in the United States.  Bixal does not provide visa sponsorship.  You must be able to pass and maintain a Public Trust clearance.


    • Assist in developing a Security Control Assessment (SCA) strategy for the organization; to include an overall assessment process flow or swim-lane diagram which documents the steps required to conduct assessment activities and interact with all necessary parties. 
    • Integrate SCA functions with overall continuous monitoring and Continuous Diagnostic and Mitigation (CDM). 
    • Develop, document and review System Rules of Engagement (ROE), Security Assessment Plans (SAPs) and Security Assessment Reports (SARs). 
    • Work closely with ISSOs (contractors and Government) and the technical team and ensure all appropriate A&A supporting documentation is provided prior to conducting the assessment. 
    • Review and provide feedback system boundaries, common controls, the security categorization of information systems, applicable security control baseline based on system categorization. 
    • Conduct Security Assessment Kickoff briefings and SAR briefings. 
    • Review cyber/system/network security body of evidence and documentation for accuracy and completeness. 
    • Conduct security controls assessment of applicable security controls and privacy controls; assess implemented security controls and provide assurance that they are operating as intended 
    • Analyze security control findings for information systems and applications to convey weaknesses 
    • Document security assessment results accurately; read, understand, and convey vulnerabilities found during the assessments 
    • Create security assessment results and document recommendations in a SAR for remediations and security control measures 
    • Perform audits of each system and provide an authorization recommendation based on determination of risk to the customer; audits will include unprivileged and privileged scans against each applicable database management system (DBMS). 
    • Perform quality control on the assessment and associated deliverables 
    • Conduct Post Assessment Meetings with the customer 
    • Provide Plan of Action and Milestones (POA&M) support to ensure mitigations are completed or the teams are working to mitigate all vulnerabilities in a timely fashion and within customer policy timelines 
    • Develop and maintain a schedule for conducting reoccurring Continuous Monitoring and ongoing CDM efforts once the initial assessments are complete. 
    • Perform continuous monitoring to ensure implemented security controls remain functional throughout the lifecycle of the information system. 


    • Current professional certification (e.g., CISSP, CISM, CISA, CAP) or willingness to obtain certification 
    • Five years expert experience performing security testing, security control assessments, security configuration testing, 
    • Five years of experience with developing and documenting the ROEs, SAPs, and SARs 
    • Five years of experience and expert knowledge of the NIST Cybersecurity Framework, Risk Management Framework, FIPS, and other NIST A&A publications 
    • Five years of experience utilizing NIST 800-53 and 800-53A 
    • Strong experience assessing and providing recommendation on the following: Privacy Impact Assessment, Risk Assessment, System Security Plan, Disaster Recovery / Contingency Plan, and Incident Response Plan 
    • Strong knowledge of the Systems Development Life Cycle (SDLC) and its application in the development of technology solutions. 
    • Expert knowledge and skills to perform and document the assessment 
    • Significant experience with tools such as Nessus, Web Inspect, Db Protect and Splunk 
    • Strong technical background with Windows, Unix, legacy systems, databases, web servers/applications, cloud and virtualization environments 
    • Familiar with the cloud environments (services/security) and FedRAMP A&A process 
    • Strong project management, time management, and work sequencing skills 
    • Effective verbal and written communication skills with ability to effectively communicate with all levels of users and teammates both written and verbally 
    • Effective technical writing and documentation processing skills

Nice to Have:

    • PCI and HIPAA experience. 
    • Experience with applications that have been deemed High Risk on Cloud Service Providers  
    • Strong understanding of identity management, and the technology and tooling around IAM challenges. 
    • Secret Clearance 
    • ISACA Certified Information Systems Auditor (CISA) 
    • ISC2 Certified Information System Security Professional (CISSP) 
    • ISC Certified Authorization Professional (CAP) 
    • AWS Certified Security 

Perks & Benefits:

    • Competitive base salary
    • Flex hours
    • Work from home flexibility
    • 401K with matching incentive
    • Medical/dental/vision benefits
    • Flex Spending Account
    • Company provided short-term disability
    • Company provided life insurance
    • Commuter benefits
    • Generous PTO
    • Paid holidays
    • Professional development opportunities
    • New business referral bonus
No recruiters or agencies please. Bixal is an equal opportunity employer and is committed to building a safe, inclusive environment for people of all backgrounds.