Senior Information Security and Privacy Officer

About the position Tyto Athene is hiring a Senior Information Security and Privacy Officer (ISPO) to support a law enforcement customer in Washington, DC. The successful candidate will ensure information systems meet security requirements and will lead and support ongoing privacy-related activities, including the development, implementation, maintenance, and enforcement of federal and organizational policies and procedures governing the protection of Personally Identifiable Information (PII) and other sensitive data. The ISPO will bring strong knowledge of federal privacy laws and regulations and will support the program’s compliance with federally mandated privacy requirements, policies, and procedures. Responsibilities • Lead and support information system security responsibilities utilizing the Risk Management Framework (RMF) lifecycle, including system Authorization to Operate (ATO) and continuous monitoring, while ensuring privacy and legal requirements are fully integrated. • Develop, update, and maintain security authorization packages in accordance with client requirements and NIST SP 800-53, including System Security Plans (SSPs), Risk Assessment Reports (RARs), Security Assessment Plans and Reports (SAP/SAR), Contingency Plans, Incident Response Plans, Standard Operating Procedures (SOPs), Plans of Action and Milestones (POA&Ms), Remediation Plans, Configuration Management Plans, Security Impact Assessments, and related artifacts. • Maintain, manage and support POA&M and remediation activities, including validation of corrective actions and participation in the continuous monitoring process. • Perform security and privacy risk analyses and technical assessments to identify weaknesses, deficiencies, and gaps, and recommend cost-effective and compliant safeguards. • Provide continuous monitoring oversight, including review of vulnerability scan results for applications, networks, and databases, ensuring findings are addressed in accordance with security and privacy policies. • Maintain an inventory of hardware and software within the system security boundary and coordinate with system owners, records management, and enterprise architecture stakeholders. • Develop, coordinate, test, and train on Contingency Plans and Incident Response Plans, and support incident response and continuity activities. • Conduct and oversee Privacy Threshold Analyses (PTAs) and Privacy Impact Assessments (PIAs), and remain current with evolving OMB policies, NIST guidance, and federal privacy laws. • Apply and interpret law enforcement and federal privacy requirements, including Criminal Justice Information Services (CJIS) Security and Privacy Policy, and support compliance within a Legislative Branch environment. • Support High Value Asset (HVA) identification and categorization using privacy, legal, and risk-based frameworks. • Develop, update, and maintain privacy directives, policies, and SOPs, including translating approved privacy policy into actionable operational procedures. • Integrate privacy-by-design principles into the System Development Life Cycle (SDLC), ensuring privacy requirements are addressed throughout system planning, development, testing, deployment, and maintenance. • Review, update, and deliver enterprise privacy training programs, including privacy awareness, advanced privacy training, records management, data collection practices, and role-based training models tailored to Legislative Branch versus DoD applicability. • Coordinate with internal and external stakeholders to complete mandatory agency data calls, audits, and reporting requirements in a timely manner. Requirements • 8+ years of professional experience with at least 5 years supporting ISSO RMF activities. • Bachelor’s Degree or 4 years of additional experience in lieu of a degree. • Knowledge of and proficiency in federal government privacy programs, with working knowledge of privacy laws and regulations and their relationship to the Privacy Act of 1974 and the E-Government Act of 2002. • A demonstrated understanding of information privacy, including information access, the release of information, and implementation of control technologies as they apply to privacy information contained in electronic and non-electronic media. • Experience with Cybersecurity Awareness Training (CSAT) related privacy initiatives, including evaluation of training effectiveness, data collection practices, and selection of appropriate privacy training models. • Experience with HR privacy and behavioral privacy considerations related to workforce data and monitoring activities. • Thorough understanding and knowledge of FISMA, NIST RMF and Security and Privacy Assessment and Authorization (SPA&A) processes. • Experience with NIST publications, OMB circulars and memoranda, and CNSS publications and their requirements and impact on system security. • Proficiency in writing technical analysis reports with strong written and oral communication skills • Ability to work quickly, efficiently, and accurately in a dynamic and fluid environment • Good relationship management, business acumen, judgment, and ability to think critically • US Citizen with Public Trust eligibility required Nice-to-haves • Preferred certifications: CRISC, CAP, CISSP, or equivalent • Experience with FedRAMP and cloud service providers • Experience with CSAM and ServiceNow • Experience with vulnerability assessments tools such as Nessus and/or Qualys • Experience in administrating BSD/UNIX, Windows, Windows NT, Linux, or other open-source compliant systems • Policy writing background is highly preferred • CIPP/G/US Certification is a PLUS. Benefits • Health/Dental/Vision • 401(k) match • Paid Time Off • STD/LTD/Life Insurance • Referral Bonuses • professional development reimbursement • parental leave Apply tot his job