Position Title: Information Systems Security Officer (ISSO)
Position Type: Onsite
Position Location: Rosslyn, VA
Clearance: Secret Required, TS Preferred

Waypoint’s customer is seeking an experienced Information Systems Security Officer (ISSO) to join the cybersecurity compliance team. In this role, the ISSO will take ownership of documenting the system security posture, gathering supporting evidence, and ensuring readiness for authorization. The ideal candidate thrives at the intersection of technical security and compliance documentation — and can translate complex technical information into clear, auditor-ready language.
Responsibilities:

• Author and maintain the System Security Plan (SSP), detailing system boundaries, components, architecture, and implemented security controls.
• Map security controls to applicable frameworks (e.g., NIST SP 800-53).
• Collect and organize supporting artifacts (policies, diagrams, inventories, logs, SOPs).
• Coordinate with system owners, administrators, and SMEs to ensure accuracy and completeness.
• Manage updates to the SSP during continuous monitoring or when system changes occur.
• Track system vulnerabilities through scanning tools and review mitigation progress.
• Maintain the Plan of Action & Milestones (POA&M) for unresolved findings.
• Ensure periodic control reviews and re-validations are completed.
• Keep all security documentation current to reflect system changes or new risks.
• Act as the first point of contact for system security incidents.
• Ensure incidents are reported, documented, and investigated per policy.
• Support forensic investigations and post-incident remediation efforts.
• Ensure all system users complete security awareness and role-based training.
• Conduct periodic user access reviews to confirm least-privilege principles.
• Work with HR and IT to disable accounts for terminated or transferred personnel.
• Periodically verify that documented controls are operating effectively.
• Test and confirm inherited controls from enterprise systems.
• Document any changes to control implementation in the SSP.
• Review and assess proposed system changes for security impact.
• Participate in change control boards and approve changes from a security perspective.
• Maintain secure baseline configurations and ensure deviations are documented.
• Identify and assess new threats or vulnerabilities affecting the system.
• Recommend mitigations or compensating controls.
• Advise the AO and leadership on residual risk acceptance.
• Prepare and deliver evidence for internal and external security audits.
• Participate in assessor interviews and system walkthroughs.
• Coordinate remediation efforts after assessment findings.
• Serve as the bridge between technical teams, compliance staff, and leadership.
• Communicate security requirements and updates to system stakeholders.
• Coordinate with the AO, Security Control Assessor (SCA), and program managers during the RMF process.

Requirements:

• NIST RMF, NIST SP 800-37, NIST SP 800-53, and FedRAMP control baselines.
• Cybersecurity principles, risk management practices, and compliance frameworks.
• IT system architecture, networks, cloud environments, and operating systems.
• Strong technical writing and documentation skills
• Proficiency in GRC/compliance tools (e.g., eMASS, Xacta, CSAM).
• Effective communication with both technical and non-technical audiences.
• Evidence gathering, audit preparation, and artifact management.
• 5 years in cybersecurity, compliance, or information assurance.
• Experience authoring SSPs or similar compliance documentation.
• Familiarity with vulnerability management and security operations.

Desired:

• CISSP, CAP, Security+, CISM, or equivalent.