Information Systems Security Officer (Isso) Level 2-4

Company Profile:

Newport News Nuclear BWXT Los Alamos (N3B) manages the 10-year, $2.1 billion Los Alamos Legacy Cleanup Contract for the U.S. Department of Energy, Office of Environmental Management, Los Alamos Field Office.

N3B is a limited liability company owned by HII Nuclear Inc. and BWX Technologies, joined by our critical subcontractors Longenecker and Associates and Tech2 Solutions.

N3B brings operational discipline, proven approaches and predictable results to the Los Alamos Legacy Cleanup Contract.

Position Location:

This position is located in Los Alamos, New Mexico.

Los Alamos is a tight-knit mountain community that consistently ranks as one of Livability.com’s Best Small Towns in America. For two years in a row, Los Alamos County has ranked as the healthiest county in the nation according to a U.S. News report. The city is a top spot for outdoor enthusiasts as it has more than 120 hiking and biking trails, and residents enjoy easy access to the Pajarito Mountain Ski Area. Thanks to the University of New Mexico-Los Alamos’ presence in the area, Los Alamos also has a college-town vibe that’s a major draw for young professionals, families and retirees.

Position Summary

The Information Systems Security Officer (ISSO) will be responsible for ensuring development and proper implementation of the security controls documented in the Systems Security Plan (SSP) for all Information Systems for which the ISSO is responsible at N3B, including sensitive unclassified networks supporting business, special purpose, and security functions. The ISSO provides certification documentation to the N3B Information Systems Security Manager (ISSM) for all information system accreditations and performs other duties as required to implement the Cyber Security programs necessary to support U.S. Government regulatory requirements, (DOE/NNSA, NRC, etc.). In addition to the duties required to maintain SSPs, the ISSO is also responsible for security operations duties, including proactively monitoring event sources for anomalies, conducting vulnerability assessments, incident response activities, firewall administration, and being an all-star problem solver. The candidate will be responsible for the following scope of work duties:

Essential Duties/Responsibilities (may include, but are not limited to):

• Ensures implementation of protection measures documented in the SSP for each information system for which they are the ISSO. Maintain the SSP and associated artifacts, including risk assessments, Privacy Impact Assessments, vulnerability assessments, Plans of Action and Milestones (POA&Ms), etc.
• Ensures that security controls for information system resources are based on the least privilege principle and develops alternative solutions to mitigate risk when the most desirable security controls cannot be fully implemented.
• Identifies, in coordination with the ISSM, and documents in the SSP, unique threats to Information Systems for which they are responsible.
• Provides technical assistance with the initial set-up, secure deployment, and proper management of systems that support information security including virus detection, application whitelisting, centralized logging, data loss prevention, and intrusion detection systems.
• Performs risk assessments and tests of new technology platforms and leads the implementation of standard security configurations, (ex: DISA STIG, CIS Benchmarks, etc.), prior to production deployment.
• Utilizes vulnerability assessment software and related tools to immediately highlight errors in systems configuration, the need for the update of software with fixes and patches, and other security related changes.
• Ensures the implementation of procedures as defined in the Cyber Security Program Plan (CSPP) and the SSP for each information system for which they are the ISSO.
• Serves as an active member of the Cyber Security Incident Response Team (CSIRT) and participates in security incident response efforts by directing first responders to triage an event and performing advanced response actions for escalated events.
• Ensures that information access controls and cyber protection measures are implemented for each information system as described by the SSP.
• Ensures that users and System Administrators are properly trained in information system security by identifying cyber security training needs and the personnel who need to attend the cyber security training program. Supports awareness training of the workforce on information security standards, policies, and best practices.
• Conducts cyber security reviews and tests to ensure that cyber security features and controls are functioning and effective.
• Performs administration of the centralized logging platform, develops custom dashboards to monitor security status of the environment, and produces periodic reports of key performance indicators and key risk indicators to support Cyber Security metrics at the executive and operational levels
• Redesigns and reengineers internal information handling processes so that information is appropriately protected from a wide variety of problems including unauthorized disclosure, unauthorized use, inappropriate modification, premature deletion, and unavailability
• Develops technical documentation describing the deployment, configuration, and management of shared, networked, and multi-user information security systems
• Regularly attends conferences, professional association meetings, and technical symposia to remain aware of the latest information security technological developments

Minimum Qualifications (Knowledge, Skills, Abilities):

• Candidate must have prior experience performing risk assessments, developing security plans, implementing DISA STIGs, and developing Standard Security Configuration Guides or similar technical products
• Must have an understanding of open-source and other tools to assist in detection, prevention and analysis of security threats.
• Must have a working knowledge of system functions, firewall administration, cyber security policies, and cyber security protection requirements
• Must have experience in at least 2 of the following technology vendors: Cisco FirePower, CarbonBlack, Cylance, DataLocker, Entrust, FireEye/Trellix, PDQ Deploy, Varonis DLP, Tennable, Forescout, VMWare VSphere, Cisco Umbrella, Amazon AWS, KnowBe4, RSA Archer, Splunk.
• Must have excellent communications skills, especially technical report writing; candidates are encouraged to submit a sample of a technical report authored by the candidate
• Must have one or more of the following certifications: GSEC, CEH, CISSP, CCSP, CISA, GCIH, OSCP
• Must be able to maintain confidentiality when working with sensitive information.
• All qualified applicants will be considered; however, the successful candidate must be able to obtain and maintain a Q clearance from the United States Department of Energy.

Education and Experience Required:

Level 2: Bachelors' degree in Information Systems, Computer Science, Management Information Systems, or a related discipline combined with at least two(2) years of experience to include technical skills and experience. A combination of education and relevant experience wherein the knowledge, skills and abilities to perform the position’s duties and responsibilities have been adequately demonstrated is acceptable.

Level 3: Bachelors' degree in Information Systems, Computer Science, Management Information Systems, or a related discipline combined with at least five (5) years of experience to include technical skills and experience. A combination of education and relevant experience wherein the knowledge, skills and abilities to perform the position’s duties and responsibilities have been adequately demonstrated is acceptable.

Level 4: Bachelors' degree in Information Systems, Computer Science, Management Information Systems, or a related discipline combined with at least nine (9) years of experience to include technical skills and experience. A combination of education and relevant experience wherein the knowledge, skills and abilities to perform the position’s duties and responsibilities have been adequately demonstrated is acceptable.

Experience required for all levels: Splunk administration, network intrusion detection system (IDS) administration, Active Directory and Group Policy Objects, Anti-virus administration consoles, Data Loss Prevention (DLP) systems, Microsoft Windows operating systems, Linux operating systems and advanced cyber security toolkits, malware analysis, penetration testing, and digital forensics tools.

Education Equivalency: 2 years of relevant experience for 1 year of college.

Benefits and Salary:

N3B offers all full-time employees a comprehensive benefits package that includes 401(k) with employer matching, medical, dental, vision, paid PTO, and more. Starting salary will be commensurate with experience and education.

Business Associations:

Level 2: Primarily internal company contacts. Infrequent inter-organizational and outside customer contacts on routine matters.

Level 3: Frequent inter-organizational and outside customer contacts. Represents organization in providing solutions to difficult technical issues associated with specific projects.

Level 4: Represents organization as prime technical contact on contracts and projects. Interacts with senior external personnel on significant technical matters often requiring coordination between organizations.

Impact:

Level 2: Contributes to completion of milestones associated with specific projects. Failure to achieve results or erroneous decisions or recommendations may cause delays in program schedules and may result in allocation of additional resources.

Level 3: Contributes to completion of specific programs and projects. Failure to obtain results or erroneous decisions or recommendations would typically result in serious program delays and considerable expenditure of resources.

Level 4: Guides the successful completion of major programs and may function in a project leadership role. Erroneous decisions or recommendations would typically result in failure to achieve major organizational objectives.

Working Conditions and Physical Requirements:

Sedentary Work Category – The employee exerts up to 10 pounds of force occasionally and/or a negligible amount of force frequently or constantly to lift, carry, push pull or otherwise move objects, including the human body. While performing the duties of this job, the employee is regularly required to talk or hear. The employee is frequently required to stand, walk, sit, use hands to touch or feel, and reach with hands and arms. The employee is occasionally required to stoop, kneel, crouch, or crawl. Specific vision abilities required by this job include close vision and distance vision. The noise level in the work environment is usually quiet to moderate. This job description reflects management’s assignment of essential functions; and nothing in this herein restricts management’s right to assign or reassign duties and responsibilities to this job at any time.

Safety, Security, and Quality

While working to achieve N3B LLCC objectives, the Information Systems Security Officer (ISSO) will ensure all activities and operations are performed in a safe and deliberate manner to include protecting the confidentiality and integrity of Personally Identifiable Information (PII). This role will maintain required safety, security and operational training; assure procedural and regulatory compliance; and make safety, security and quality an integral part of every task; including taking the necessary steps to stop work if continuing the job is unsafe or compromises security. Ability to obtain an L level Department of Energy security clearance.

Diversity & Inclusiveness

N3B is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.

N3B will ensure no applicant for employment or employee is denied equal opportunity because of race, color, religion, sex, gender identity, sexual orientation, pregnancy, status as a parent, national origin, age, disability (physical or mental), family medical history or genetic information, political affiliation, military service, or other non-merit based factors. These protections extend to all management practices and decisions, including recruitment and hiring practices, appraisal systems, promotions, training, and career development programs.