Lead ISSO (Information System Security Officer)/Project Manager [2021-72]

Library of Congress OCIO Support

The ISSO shall support initial Security Assessment and Authorization (SAA), re-authorization, and continuous monitoring activities for the IT systems which they support.

The contractor shall provide ISSO support for IT systems within the Library’s IT system inventory. These systems are a combination of General Support Systems, Major Applications, Low Impact Externally Hosted Systems, Sites, and Subsystems at the Moderate and Low impact ratings.

• Developing a detailed project schedule listing each Security Assessment & Authorization (SAA) task, milestone, and task dependency.

• Conducting an initial Security Assessment and obtaining Authorization to Operate, in line with current NIST SP 800-37 Rev. 1, the LC Security Assessment and Authorization Guidance, and Information Technology Security Directive 5-410.1.

• Determining the baseline IT Security Requirements for IT Systems by identifying the system boundary, determining the information categorization, and assisting in completing the FIPS 199.

• Reviewing IT system project documentation.

• Selecting the baseline security controls for the IT system, using Archer, and tailoring where appropriate.

• Implementing security controls, where appropriate, based on the IT System FIPS categorization.

• Documenting security control implementation in the system’s Security Plan using the Library’s Information Assurance tool, Archer.

• Documenting all supporting Security Assessment and Authorization artifacts from FEDRAMP or other sources, as applicable. For example:

- Privacy Threshold Assessment/Privacy Impact Analysis

- IT Contingency Plan/ Business Impact Assessment

- Configuration Management Plan

- System Security Plan

- Security Assessment Plan (as appropriate)

- Security Assessment Report (SAR) from the testing results

• Generating the Security Plan for the security tester to evaluate the implementation of security controls, and working with the security tester to document the Security Assessment Plan (SAP). For systems under re-authorization, the ISSO shall test their system.

• Creating Plan of Action and Milestones (POAM) with remediation activities.

• Producing the Security Authorization package for Authorizing Official (AO) signature, including the Authorization to Operate (ATO) letter, ATO Transmittal memo, and the SAR Briefing.

• Participating in the Authorization to Operate (ATO) meeting with the Information System Business Owner (ISBO) and the LC’s Authorizing Official, and providing guidance as to what needs to be done, and on what timeline, to achieve ATO.

• Testing and updating the security assessment detail at the intervals defined within the LC Information Security Continuous Monitoring Guidance and the tailored CM Plan for the system. Testing is based on NIST SP 800-53A guidance. This includes ongoing audit log review, monitoring system changes for security impacts, account reviews, and the annual privileged access review.

• Identifying needed updates to security control implementation detail and performing the required updates to the security control implementation detail on assigned systems.

• Continuously reviewing POAMs, updating milestones through to POAM closure.

• Reviewing continuous monitoring scan data and working with the applicable IT support teams to remediate findings within the risk-based timeframes defined in Information Technology Security Directive 5-410.1.

• Continuously reviewing all security authorization artifacts applicable to the system, as defined within the LC Information Security Continuous Monitoring Guidance and Information Technology Security Directive 5-410.1.

• Attending project team meetings and working with project team members to securely operate the system in LC environment(s).

• Monitoring waivers associated with systems for appropriate risk, and reporting any need for renewal or expiration.

• Documenting and maintaining, as appropriate, security policies and procedures specific to the system operating environment.

• Ensuring ATO Letters are signed by the AO.

• Following decommission procedures.

• Following IT system inventory management procedures.

Required Skills:

• The Project Manager must have at least 10 years of experience managing Information Technology Security programs, including experience managing programs with ISSOs.

• Shall have the ability to effectively communicate both orally (in common English narration) and in writing (to include technical documentation).

• Shall have the ability to manage multiple projects, work under pressure and tight deadlines, work independently, and work in a team environment.

• Shall be proficient in Microsoft® Office 2016 or later with particular emphasis on Microsoft® Word®, Excel®, PowerPoint®, and Project®, and other applicable database and office automation products.

• Shall be able to obtain a favorable determination from the LOC Background Investigation.

• Shall be a United States citizen.

• Shall possess at least one IT Security certification (refer to the Department of Defense Approved 8570 Baseline Certification list).

Library of Congress, Washington DC

U.S. Citizenship Required. An Equal Employment Opportunity employer.