Duties
Job Summary
The Office of the Chief Administrative Officer (CAO) provides operations support services and business solutions to the community of 10,000 House Members, Officers and staff. The CAO organization comprises more than 600 technical and administrative staff working in a variety of areas, including information technology, finance, budget management, human resources, payroll, childcare, food and vending, procurement, logistics and administrative counsel.
Cybersecurity is seeking an Information Assurance Risk Manager to provide leadership in the development and practical application of risk management governance, risk, and compliance efforts in direct support of the U.S. House of Representatives CAO's Office of Cybersecurity.
This position has day-to-day supervisory/managerial responsibilities.
Primary Duties/Responsibilities
- Risk Management Governance: Develop, implement and ensure the rigorous application of risk management focused information security policies, procedures and other governance artifacts. Create, promote, and adhere to standardized, repeatable processes for the delivery of risk management services to the CAO. Provide both generalized and specialized input concerning risk management security standards and policy for IT plans, roadmaps, and prioritization of projects.
- Assessment and Authorization (A&A) Expertise: Manage Information System Security Officers (ISSOs) to support information technology (IT) security goals and objectives and reduce overall organizational risk. Advise ISSOs on all matters, technical and otherwise, involving the security of assigned IT systems. Provide role-based training for assigned ISSOs specific to their roles and responsibilities. Guide ISSOs in the development and technical review of System Security Plans (SSPs), which document all technical and procedural system security features. Lead the development and completion of security assessment packages that include the System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR), system Plan of Actions and Milestones (POA&M) and appropriate authorization letters. Oversee independent assessors in the assessment of CAO authorization boundaries. Advise senior management (e.g., Information Assurance Director and Chief Information Security Officer [CISO]) on risk levels and security posture. Advise appropriate senior leadership or the Authorizing Official of changes affecting the organization's cybersecurity posture.
- System Development Lifecycle Outreach: Engage with program offices in the development phase to recommend security capabilities, provide technical guidance, and identify existing security controls that can minimize risk for applications, infrastructure, and vendor/third parties. Review proposed new systems, networks, and software designs for potential security risks; recommend mitigation or countermeasures and resolve integration issues related to the implementation of new systems within the existing infrastructure. Work with House Information Security Compliance Program to ensure all software systems are implemented according to House information security policies and technical guidelines.
- Security Risk Management Reporting: Analyze, synthesize, and report on the security posture of the HIR using data maintained by stakeholders and recorded into the CAO’s security risk assessment tool. Work with senior leadership to help determine acceptable levels of risk for the enterprise. Conduct independent or coordinated studies to identify, evaluate or recommend solutions to significant systems management problems that are likely to be complex and sensitive in nature. Interface with technology leadership, Internal Controls, and Office of the Inspector General to communicate A&A status, collaborate on implementation of the RMF, and manage open audit and internal control findings. Provide technical support for responding to and implementing Office of Inspector General and Internal Controls/Internal Audit recommendations. Develop, conduct, and prepare reports for security audits, reviews and other actions, as appropriate.
- Risk Management Program Oversight: Lead the daily activities for risk management team. Research and recommend innovative, secure, and (where possible) automated solutions to improve risk management processes and activities. Establish, assign and review short and long-term security risk management projects. Establish and support professional goals and objectives; train new employees and evaluate work performance.
- Resource Management: Perform various aspects of federal staff and contract management related duties. Lead direct reports and cross-functional teams as one unit or team.
- Performs other official duties as assigned.