United States House of Representatives
Information Assurance Risk Manager
United States House of Representatives, Washington, District of Columbia, us, 20022
Salary Range:
$152,352.00 - 170,102.00
Closing Date:
1/31/2025
Job Summary
The Office of the Chief Administrative Officer (CAO) provides operations support services and business solutions to the community of 10,000 House Members, Officers and staff. The CAO organization comprises more than 600 technical and administrative staff working in a variety of areas, including information technology, finance, budget management, human resources, payroll, childcare, food and vending, procurement, logistics and administrative counsel.
Cybersecurity is seeking an Information Assurance Risk Manager to provide leadership in the development and practical application of risk management governance, risk, and compliance efforts in direct support of the U.S. House of Representatives CAO's Office of Cybersecurity.
This position has day-to-day supervisory/managerial responsibilities.
Primary Duties/Responsibilities

Risk Management Governance: Develop, implement and ensure the rigorous application of risk-management-focused information security policies, procedures and other governance artifacts. Create, promote, and adhere to standardized, repeatable processes for the delivery of risk management services to the CAO. Provide both generalized and specialized input concerning risk management security standards and policy for IT plans, roadmaps, and prioritization of projects.

Assessment and Authorization (A&A) Expertise: Manage Information System Security Officers (ISSOs) to support information technology (IT) security goals and objectives and reduce overall organizational risk. Advise ISSOs on all matters, technical and otherwise, involving the security of assigned IT systems. Provide role-based training for assigned ISSOs specific to their roles and responsibilities. Guide ISSOs in the development and technical review of System Security Plans (SSPs), which document all technical and procedural system security features. Lead the development and completion of security assessment packages that include the System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR), system Plan of Actions and Milestones (POA&M) and appropriate authorization letters. Oversee independent assessors in the assessment of CAO authorization boundaries. Advise senior management (e.g., Information Assurance Director and Chief Information Security Officer [CISO]) on risk levels and security posture. Advise appropriate senior leadership or the Authorizing Official of changes affecting the organization's cybersecurity posture.

System Development Lifecycle Outreach: Engage with program offices in the development phase to recommend security capabilities, provide technical guidance, and identify existing security controls that can minimize risk for applications, infrastructure, and vendor/third parties. Review proposed new systems, networks, and software designs for potential security risks; recommend mitigations or countermeasures and resolve integration issues related to the implementation of new systems within the existing infrastructure. Work with the House Information Security Compliance Program to ensure all software systems are implemented according to House information security policies and technical guidelines.

Security Risk Management Reporting: Analyze, synthesize, and report on the security posture of the HIR using data maintained by stakeholders and recorded in the CAO's security risk assessment tool. Work with senior leadership to help determine acceptable levels of risk for the enterprise. Conduct independent or coordinated studies to identify, evaluate or recommend solutions to significant systems management problems that are likely to be complex and sensitive in nature. Interface with technology leadership, Internal Controls, and the Office of the Inspector General to communicate A&A status, collaborate on implementation of the RMF, and manage open audit and internal control findings. Provide technical support for responding to and implementing Office of Inspector General and Internal Controls/Internal Audit recommendations. Develop, conduct, and prepare reports for security audits, reviews and other actions, as appropriate.

Risk Management Program Oversight: Lead the daily activities of the risk management team. Research and recommend innovative, secure, and (where possible) automated solutions to improve risk management processes and activities. Establish, assign and review short- and long-term security risk management projects. Establish and support professional goals and objectives; train new employees and evaluate work performance.

Resource Management: Perform various aspects of federal staff and contract management related duties. Lead direct reports and cross-functional teams as one unit or team. Perform other official duties as assigned.
Qualifications
Minimum of eight (8) years of demonstrated work experience in cybersecurity risk management. Demonstrated experience managing small-scale teams. Demonstrated experience in systems security assessments, reviewing system security documentation for successful security authorization of such systems. Strong knowledge and expertise with cybersecurity guidelines such as NIST publications. Demonstrated experience developing and maintaining assessment and authorization packages. Proven technical acumen and understanding of common operating systems and network technologies, risk management frameworks, and common security tools and scanners. Demonstrated understanding of cloud service models, hybrid applications, and mobile security technologies and tools. Understanding of management, operational and technical cybersecurity principles. Experience with privacy principles and frameworks is preferred. Excellent written and oral communication skills. Bachelor's degree in computer science, information technology, cybersecurity, or a related technical discipline required. Current and maintained certification in one or more of the following IT security disciplines required: Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), or an equivalent certification. Continued employment is contingent upon satisfactorily completing a criminal history records check (or other applicable security clearance) and a pre-employment drug test (pre-identified positions only).