
Information Security Officer

Company:
eSimplicity
Location:
Hillandale, MD, 20903
Pay:
112800USD - 140000USD per year
Posted:
December 27, 2025
Description:

About Us:

eSimplicity is a modern digital services company that partners with government agencies to improve the lives and protect the well-being of all Americans, from veterans and service members to children, families, and seniors. Our engineers, designers, and strategists cut through complexity to create intuitive products and services that equip federal agencies with solutions to courageously transform today for a better tomorrow.

Purpose of Scope:

We're seeking a Security Officer (SO) responsible for providing security support services while meeting security control compliance requirements for a portfolio of systems at various states of maturity and modernization. This role will provide support for continuously monitoring the cybersecurity posture of systems to secure against cyber threats. The SO's primary responsibility is to facilitate security tool implementation, security tool usage, ensuring tools remain compliant and configured properly, all the while ensuring a successful program Authorization to Operate (ATO). Additionally, the SO is expected to take ownership of communication and visualization of security issues especially where coordination between product teams, information owners, engineering and infrastructure staff is necessary for remediation. The SO owns coordination and response to the agency's security related inquiries, compliance with agency policy, security controls, maintenance of security documentation and artifacts. The SO will act as the primary liaison to provide timely and accurate responses to security related data calls (System Security & Compliance Status, Vulnerability and Compliance scanning issues). Provide subject matter expertise throughout all phases of the system development lifecycle. SO will interface with multiple stakeholders through multiple touchpoints weekly.

Responsibilities:

Work closely with the Product Owners, ISSOs, engineering and infrastructure staff to provide guidance on implementation of security policies, standards, and procedures

Analyze new or updated security requirements, collaborate with stakeholders, and develop responses that are clear and accurate

Support the review and update of ATO artifacts such as System Security Plans, Information System Contingency Plans, Configuration and Change Management Plans, Incident Response Plans, Privacy Impact Analysis, and more.

Interpret security risk assessment, review security scan results, assess security vulnerabilities and support the development and remediation of vulnerability and compliance issues via Plan of Action and Milestones (POA&Ms)

Support the development of implementation and design documentation relating to security feature implementation

Work with engineering and infrastructure personnel to document remediation for vulnerabilities and non-compliance issues

Analyze and interpret agency security requirements and provide governance communication to non-security personnel

Collaborate with product teams, ISSOs and other stakeholders in support of continuous monitoring and ATO efforts

Conduct vulnerability assessments and monitor systems, networks, databases and Web-based assets for potential system breaches. Recommend and take the lead on implementing changes to enhance security systems, prevent unauthorized access, and help mitigate security vulnerabilities.

Respond to alerts from information security tools. Report, investigate, and resolve higher-level security incidents.

Respond to security tool outages and degradations in service, tune security rules and alerts, and set up and maintain security tool dashboards and reporting.

Research security trends, new methods, and techniques used in unauthorized access of data to preemptively eliminate the possibility of system breach. Ensure compliance with regulations and privacy laws. Conduct research to identify new attack vectors.

Educate and communicate security requirements and procedures to all users and new employees.

Recommend process improvements to the information system for risk mitigation.

Apply iterative security automation to all program aspects, increasing the overall security posture iteratively, and never accept the status quo.

Provide audit log review in Splunk, present any findings to ISSO, and plan for any investigation or remediation activities.

Conduct periodic user and privileged access reviews.

Requirements:

Required Qualifications:

Minimum of 8+ years of progressive experience in information security, cybersecurity engineering, or system security roles, with demonstrated technical depth and increasing responsibility.

A bachelor's degree in Computer Science, Information Systems, Engineering, Business, or other related scientific or technical discipline.

Significant hands-on experience supporting large Federal Government security programs, including operation within FISMA-regulated environments and direct alignment with CMS ARS 5.0+ requirements.

Proven experience owning and maintaining an Authorization to Operate (ATO), including authoring, updating, and defending security artifacts such as System Security Plans (SSPs), Plans of Action & Milestones (POA&Ms), Incident Response Plans, Configuration Management Plans, Privacy Impact Assessments, contingency plans, and related documentation.

Strong practical knowledge of NIST Risk Management Framework (RMF) and NIST 800-53 Rev. 5, with the ability to translate control requirements into actionable technical and operational security implementations.

Demonstrated hands-on experience managing vulnerability and compliance scanning programs, including configuration, operation, interpretation of results, and remediation tracking using tools such as Tenable, AWS Security Hub, and Snyk.

Ability to assess security findings, determine risk severity, prioritize remediation, and drive closure in close collaboration with engineering, infrastructure, and DevSecOps teams.

Strong hands-on experience securing cloud-based environments, with a focus on AWS (IAM, GuardDuty, CloudTrail, Security Hub) and SaaS platforms.

Demonstrated ability to embed security into DevSecOps and CI/CD pipelines, including defining security decision gates and integrating automated security testing and continuous monitoring.

Experience performing Security Impact Analyses (SIAs), access reviews, and least-privilege enforcement across cloud, application, and CI/CD environments.

Proven ability to configure, operate, and tune security tools, respond to alerts, and maintain dashboards and reporting for visibility into vulnerability, compliance, and overall security posture.

Experience operating within Agile / SAFe delivery models, participating in sprint planning, PI planning, backlog refinement, and cross-team coordination to ensure security is embedded in delivery.

Strong written and verbal communication skills, with the ability to clearly articulate security risks, requirements, and remediation strategies to technical teams, leadership, and government stakeholders.

Ability to work independently and as part of a cross-functional team, managing multiple priorities in a fast-paced, highly regulated environment.

Ability to obtain and maintain a Public Trust clearance and have resided in the United States for at least 3 of the last 5 years.

Desired Qualifications:

Federal government contracting experience supporting complex, multi-system environments, preferably within health, civilian, or defense agencies.

Advanced or senior-level industry security certifications, such as: CISSP, CISM, CRISC, or GIAC (GSEC, GCSA, GPEN).

Cloud security and architecture certifications, including: AWS Certified Security – Specialty, AWS Solutions Architect, CCSP or CCSK.

DevSecOps, automation, or platform security certifications, such as: Kubernetes Security (CKS), GitHub Advanced Security or equivalent.

Offensive or advanced technical security certifications, including: OSCP, CEH, GPEN, GWAPT, or similar.

Experience securing SaaS platforms, with preference for Salesforce GovCloud, including roles, profiles, permission sets, MFA, OAuth, and third-party monitoring tools.

Hands-on scripting or automation experience using Python, Bash, PowerShell, or APIs to improve security operations, onboarding/offboarding workflows, or compliance validation.

Experience designing or maintaining security dashboards and executive-level metrics for visibility into vulnerabilities, compliance posture, access reviews, and risk trends.

Experience facilitating incident response activities, tabletop exercises, and driving lessons learned into measurable, continuous improvement.

Demonstrated ability to mentor engineers and product teams on secure development practices, threat modeling, and evolving security risks.

Working Environment:

eSimplicity supports a remote (or hybrid, depending on the role and program) work environment operating within the Eastern time zone so we can work with and respond to our government clients. Expected hours are 9:00 AM to 5:00 PM Eastern unless otherwise directed by your manager. Occasional travel for training and project meetings is expected, estimated at less than 5% per year.

Benefits:

We offer a highly competitive salary and full healthcare benefits.

Equal Employment Opportunity:

eSimplicity is an equal-opportunity employer. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, gender, age, status as a protected veteran, sexual orientation, gender identity, or status as a qualified individual with a disability.

Full-time