Information System Security Manager (ISSM) in Bath, Maine at Bath Iron Works
Job Description
US-ME-Bath
Req ID: 2026-5184
Type: Regular Full-Time
Remaining Positions: 1
Post End Date: ..
Category: Other
Salary Grade: E
Shift: 1st
Overview
The Information System Security Manager (ISSM) is the primary cybersecurity authority for the assigned classified information system. This role is responsible for end-to-end security oversight, from system authorization to continuous monitoring, ensuring 100% compliance with DoD 8510.01 (RMF) and 32 CFR Part 117 (NISPOM). You will serve as the strategic advisor to the Facility Security Officer (FSO) and government partners, bridging the gap between technical IT operations and overarching industrial security goals. Beyond standard oversight, this role serves as the Lead Coordinator for the architecture, build-out, and certification of the classified information system. You will be responsible for synchronizing technical engineering, physical security requirements, and government accreditation to ensure the system reaches Full Operational Capability (FOC).
This position requires you to be able to obtain a government security clearance. You must be a US Citizen for consideration and you must be able to obtain an interim security clearance and start employment within 45 days of the interim security clearance being granted. For more information regarding the security clearance process, please visit: Investigations & Clearance Process
All offers are conditional until an interim security clearance is granted by DCSA (Defense Counterintelligence and Security Agency).
Key Responsibilities
Safety Leadership:
- Ensure consistent departmental safety standards and procedures across facilities.
- Address systemic safety concerns and implement standardized solutions.
Project Execution:
- Perform Security Impact Analysis for all proposed system modifications to ensure they do not negatively affect the authorized security posture.
- Develop and maintain comprehensive System Security Plans (SSP), Risk Assessment Reports (RAR), and Security Control Traceability Matrices (SCTM) within eMASS.
Information System Security Management:
- Oversee technical security scans using ACAS/Nessus and ensure all hardware and software adhere to DISA STIGs (Security Technical Implementation Guides).
- Provide technical and administrative support to the FSO during investigations of classified system security incidents, including malicious activity and data spills, in coordination with government authorities.
- Orchestrate the Assessment and Authorization (A&A) lifecycle for a classified information system, serving as the primary technical advisor to the Authorizing Official (AO).
- Manage the lifecycle of Plans of Actions and Milestones (POA&Ms), ensuring all findings are tracked, mitigated, and reported through official government channels.
Training and Development:
- Develop and deliver annual security awareness training and specialized briefings for privileged and general users.
Team Collaboration and Communication:
- Partner with the Facility Security Officer (FSO) to provide guidance on general security issues.
- Maintain audit-ready records and lead preparations for government security reviews.
- Facilitate cross-functional security coordination among information security officers and system owners, ensuring all activities align with senior security leadership directives and organizational goals.
- Other assigned duties by the FSO related to any responsibility of BIW’s Industrial Security program.
Continuous Improvement:
- Implement a robust Continuous Monitoring (CONMON) strategy to detect unauthorized changes or anomalies in the authorized security baseline.
Responsibilities
- Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related technical field. (Equivalent professional experience may be considered in lieu of a degree).
- Minimum of 5–7 years of experience in Information Assurance (IA) or Cybersecurity, with specific experience managing systems under the Risk Management Framework (RMF).
- Demonstrated expertise in NIST SP 800-53, 32 CFR Part 117 (NISPOM), and Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Guide (DAAG).
- IAM Level II or III: Must possess a current baseline certification in good standing. Valid certifications include: CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CGRC / CAP (Certified in Governance, Risk, and Compliance), and CASP+ (CompTIA Advanced Security Practitioner).
Qualifications
Required:
- Ability to obtain a secret clearance or higher.
- RMF Lifecycle Management: Minimum of 5–7 years of direct experience performing Information System Security Manager (ISSM) or Officer (ISSO) duties, specifically navigating the Risk Management Framework (RMF) steps 1–6.
- Technical System Architecture & Build: Proven experience building and configuring secure information systems from the ground up. The candidate must possess the technical expertise to install, harden, and integrate hardware and software components within a classified environment.
- Regulatory Expertise: Proven track record of managing classified systems in compliance with 32 CFR Part 117 (NISPOM), DAAG, and NIST SP 800-53 security controls.
- Vulnerability Management: Hands-on experience performing technical security assessments, including the use of ACAS/Nessus scanners and the implementation of DISA STIGs.
- Artifact Development: Experience authoring and maintaining critical security documentation, including System Security Plans (SSP), Plans of Action and Milestones (POA&M), and Security Assessment Reports (SAR).
- Privileged User Oversight: Experience managing and auditing privileged users and ensuring the integrity of automated audit logs and system accounting.
Preferred:
- Construction & Certification: Prior experience as a lead or coordinator for the physical build-out and government accreditation of a classified information system.
- Government Tools: Advanced proficiency with the Enterprise Mission Assurance Support Service (eMASS) or Xacta for system authorization tracking.
- Audit Leadership: Previous experience leading a facility through a DCSA Security Review or a government Command Cyber Readiness Inspection (CCRI).
- Cryptographic Hardware: Experience configuring and maintaining TACLANE or other HAIPE encryption devices.
- Project Management: Experience managing cross-functional teams (IT, Facilities, and Security) to meet strict project deadlines for system activation.