2-13 Information Systems Security Officers

ISSOs are responsible for the following:

  1. Providing information security and C&A guidance.
  2. Facilitating initial briefings and subsequent meetings of the C&A core team.
  3. Coordinating the completion of a BIA for each information resource.
  4. Providing advice and consulting support to executive sponsors and Business Relationship Management portfolio managers during the BIA process regarding the baseline security requirements that apply to all information resources (including nonsensitive and noncritical) and the additional security requirements required to protect sensitive-enhanced, sensitive, and critical information resources.
  5. Working with the Privacy Office on privacy-related requirements.
  6. Recommending security requirements to executive sponsors and Business Relationship Management portfolio managers during the BIA process based on generally accepted industry practices, the operating environment [e.g., hosted in the demilitarized zone (DMZ)], and the risks associated with the information resource.
  7. Providing guidance on how information resources are vulnerable to threats, what controls and countermeasures may be appropriate, and the C&A process.
  8. Reviewing and evaluating C&A documentation, including the BIA, risk assessment, security plan, security test and evaluation (ST&E) plan and report, and independent reviews of the information resource.
  9. Preparing and signing the C&A evaluation report.
  10. Escalating security concerns or forwarding the C&A evaluation report and supporting C&A documentation package to the certifier.
  11. Conducting site security reviews jointly with the Inspection Service.