BAI’s Virtual ISSM/ISSO Program allows you to control the dollars spent on the engagement. Because BAI is a training and consulting organization specializing in the Risk Management Framework, we can provide subject matter expertise and training so your personnel can perform their respective tasks, we can perform the full list of ISSM/ISSO responsibilities ourselves, or we can deliver a combination of the two to meet the needs and the budget of your organization.
Experience
All BAI consultants meet the DoD 8570 requirements for IAT Level III and IAM Level III. All BAI consultants both teach RMF and perform RMF consulting, or have served in official RMF capacities either as government employees or as DoD contractors.
Consulting Services
Our list of services helps you implement lean practices, reduce errors and lag time and gain the benefit of standardizing and scaling the most effective practices with the necessary documentation.
Virtual Information System Security Manager (ISSM) Roles/Responsibilities
Information System Security Managers (ISSMs) act as technical advisors to AOs, are primarily responsible for maintaining the overall security posture of the systems within their organization, and are accountable for the implementation of DoDI 8510.01. ISSMs develop the organization’s Cybersecurity program, which includes the Cybersecurity architecture, requirements, objectives and policies, Cybersecurity personnel, and Cybersecurity processes and procedures. ISSMs are also in charge of the continuous monitoring of systems within their purview to ensure compliance with Cybersecurity policies. Moreover, ISSM responsibilities include (taken from DoDI 8500.01 and 8510.01):
- Support implementation of the RMF.
- Maintain and report IS and PIT systems assessment and authorization status and issues in accordance with DoD Component guidance.
- Provide direction to the ISSO in accordance with DoDI 8500.01.
- Coordinate with the organization’s security manager to ensure issues affecting the organization’s overall security are addressed appropriately.
- Ensure that IOs and stewards associated with DoD information received, processed, stored, displayed, or transmitted on each DoD IS and PIT system are identified in order to establish accountability, access approvals, and special handling requirements.
- Maintain a repository for all organizational or system-level Cybersecurity-related documentation.
- Ensure that ISSOs are appointed in writing and provide oversight to ensure they are following established Cybersecurity policies and procedures.
- Monitor compliance with cybersecurity policy, as appropriate, and review the results of such monitoring.
- Ensure that Cybersecurity inspections, tests, and reviews are synchronized and coordinated with affected parties and organizations.
- Ensure implementation of IS security measures and procedures including reporting incidents to the AO and appropriate reporting chains, and coordinating system-level responses to unauthorized disclosures in accordance with DoD Manual 5200.01, Volume 3 for classified information or DoD Manual 5200.01, Volume 4 for Controlled Unclassified Information (CUI), respectively.
- Ensure that handling of possible or actual data spills of classified information resident in ISs is conducted in accordance with DoD Manual 5200.01, Volume 3.
- Act as the primary cyber security technical advisor to the AO for DoD IS and PIT systems under their purview.
- Ensure that Cybersecurity-related events or configuration changes that may impact DoD IS and PIT systems authorization or security posture are formally reported to the AO and other affected parties, such as IOs and stewards and AOs of interconnected DoD ISs.
- Ensure the secure configuration and approval of IT below the system level (i.e., products and IT services) in accordance with applicable guidance prior to acceptance into or connection to a DoD IS or PIT system.
Virtual Information System Security Officer (ISSO) Roles/Responsibilities
In addition to the responsibilities established in DoDI 8500.01, the ISSO is responsible for ensuring the appropriate operational security posture is maintained for the component DoD IS or PIT system. This includes the following activities related to maintaining situational awareness and initiating actions to improve or restore cybersecurity posture. The role of ISSOs (formerly IA Officers), or the ISSM if no ISSO is appointed, is to:
- Assist the ISSMs in meeting their duties and responsibilities.
- Implement and enforce all DoD IS and PIT system cybersecurity policies and procedures, as defined by cybersecurity-related documentation.
- Ensure that all users have the requisite security clearances and access authorization, and are aware of their cybersecurity responsibilities for DoD IS and PIT systems under their purview before being granted access to those systems.
- In coordination with the ISSM, initiate protective or corrective measures when a cybersecurity incident or vulnerability is discovered, and ensure a process is in place for authorized users to report all cybersecurity-related events and potential threats and vulnerabilities to the ISSO.
- Ensure that all DoD IS cybersecurity-related documentation is current and accessible to properly authorized individuals.
When circumstances warrant, a single individual may fulfill both the ISSM and the ISSO roles.