Information Assurance Systems Officer, Information Services

Job Type:

Regular

Information Assurance Systems Officer, Information Services

The Information Assurance Systems Officer (IASO), Information Services (IS) supports cybersecurity and risk management initiatives across enterprise unclassified systems. The IASO plays a central role in protecting information assets, ensuring compliance with federal, state and local cybersecurity requirements (e.g., NIST 800-171, CMMC), and maintaining a strong security posture through effective use of Governance, Risk, and Compliance (GRC) tools. This includes conducting audits, analyzing sensitive data, and collaborating with various teams to implement and maintain security measures. The IASO identifies vulnerabilities, recommends improvements, and provides expert guidance on cybersecurity matters while staying informed about emerging threats and trends.  This IASO role is responsible for CMMC practices (Cybersecurity Maturity Model Certification) as a member of the Information Services (IS) Information Security Cybersecurity Team.  

Responsibilities

Cybersecurity System Security and Compliance across the enterprise unclassified systems:

• Develop and maintain System Security Plans (SSPs) and supporting documentation aligned with NIST 800-171 and CMMC practices.
• Conduct regular security control assessments, perform gap analyses, and update Plans of Action and Milestones (POA&Ms).
• Coordinate security authorization and compliance activities across IT systems and applications.

Cybersecurity and Security Reviews & Continuous Improvement:

• Perform ongoing security reviews of applications, infrastructure, and business processes to verify compliance and identify improvements.
• Recommend remediation strategy, track remediation efforts, and collaborate closely with IT, DevOps, and business teams
• Conduct comprehensive cybersecurity audits to ensure compliance with CMMC, DFARS 7012, NIST 800-171, and other relevant regulations.
• Analyze and assess various data types, including Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Federal Contract Information (FCI), International Traffic in Arms Regulations (ITAR), and Export Administration Regulation (EAR99).
• Collaborate with system and network administrators to ensure audit features are configured and enabled correctly.
   

Third-Party IT Security Oversight:

• Conduct third-party/vendor security assessments as part of the procurement and onboarding process.
• Review supplier security documentation and manage risks associated with external data sharing and service providers.
   

Incident Support:

• Participate in incident response activities, including documentation, coordination, and lessons learned reviews.
• Help improve incident detection, containment, and prevention through policy, training, and technical improvements.

GRC & Risk Management Support:

• Utilize GRC tools to document and track risk assessments, policy compliance, and mitigation efforts.
• Identify and evaluate risks to information assets; assist in the development of risk treatment and remediation plans.
• Review policy exceptions to assess impact and risk, track approvals, and monitor mitigation within target remediation timeline
• Collaborate with internal stakeholders to ensure alignment of technical and administrative controls with risk management strategies.
   

IT Security Awareness & Training:

• Support the development and rollout of security awareness training to ensure users understand responsibilities and best practices.
• Ensure training completion and maintain accurate compliance records; other duties as assigned.

Qualifications

Required:

• Minimum 8 years of experience with a BS/BA degree in an IT information security or compliance role in a corporate or government contractor setting.  (Minimum 12 years’ experience without a BA/BS degree.)
• Strong understanding of NIST SP 800-171, CMMC Level 2, and basic DFARS cybersecurity clauses.
• Extensive knowledge of multiple federal government network security processes and procedures
• Technical background with understanding or hands-on experience in Information Technology environments and web technologies
• Excellent oral and written communications skills required for correspondence, reports, briefings, and procedures
• U.S. Citizenship (required for defense contractor compliance).
• Must have the ability to obtain and maintain a security clearance
• Cybersecurity Risk Management or Information Assurance related certifications.
• Proficient in MS Office Applications.
• Excellent written/verbal communication skills and judgement.
   

Preferred:

• Professional certifications such as Security+, CISSP, CISA, or CRISC.
• Familiarity with audit processes, internal controls, and security risk assessments.
• Knowledge of Microsoft office applications
• Working knowledge of Confluence and Jira for task management

Experience

With a BS/BA degree, at least 8 years’ experience in cybersecurity required.  Without a BS/BA degree, at least 12 years’ experience in cybersecurity security required.    

Education

High school diploma or GED is required. BS/BA degree is preferred.

Security Clearance

Must meet eligibility requirements for access to U.S. government classified information.

Location

·      Santa Monica, CA or

·      Washington D.C., or Pittsburgh. PA

This position is mainly onsite at a RAND U.S. location.

Positions Open

One

Salary Range: $120,900 - $180,300

RAND considers a variety of factors when formulating an offer, including but not limited to, the specific role and associated responsibilities; a candidate’s work experience, education/training, skills, expertise; and internal equity. The salary range includes base pay plus RAND’s sabbatic pay (which provides additional compensation above base pay when vacation is taken). In addition, RAND provides strong benefits including health insurance coverage, life and disability insurance, savings plan, paid time-off and more.

Equal Opportunity Employer