TDMK Digital

Information System Security Officer (ISSO) / Information Assurance (IA) Support

TLDR

Provides day-to-day information assurance support, executes RMF, sustains ATOs, and drives risk mitigation across mainframes, servers, and remote access.



Work Location: Okinawa, Japan (This is not a remote position: must relocate to Okinawa, Japan)


Discipline: Information Security (INFOSEC) / Information Assurance (IA)

Focus: Risk Management Framework (RMF) execution and risk mitigation

Coordinates with: Chief Information Officer (CIO), Information Systems Security Manager (ISSM), Clinical Information Systems (CIS) Team, Networking Team, Desktop Support Team, and organizational leadership


Living in Okinawa, Japan

This position offers the rare opportunity to live and work in Okinawa, one of the most rewarding overseas assignments available. Okinawa pairs a relaxed island pace with a high quality of life: turquoise water and white-sand beaches, year-round subtropical weather, world-class diving and snorkeling, and some of the friendliest communities you will find anywhere. The local culture is rich and welcoming, the food scene is exceptional, and Okinawa's central location makes weekend travel across Japan and the wider Asia-Pacific region easy and affordable. For professionals and families alike, it is a chance to build meaningful experience while enjoying a genuinely memorable place to call home.


Position Summary

The ISSO serves as the on-site Information System Security Officer, providing day-to-day Information Assurance support across the supported enterprise and its subordinate sites. The role is responsible for executing the Risk Management Framework, sustaining authorization to operate (ATO) for assigned information systems, and driving risk mitigation in accordance with DoD policy. The ISSO works directly under the ISSM to maintain the security posture of mainframes, workstations, servers, and remote access systems.


Key Responsibilities

RMF and Risk Management

  • Execute RMF activities (NIST SP 800-37) across the system life cycle: categorization, control selection and implementation, assessment, authorization, and continuous monitoring.
  • Maintain authorization packages and artifacts in eMASS, including System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), and supporting evidence.
  • Apply applicable security control baselines (NIST SP 800-53) and DISA Security Technical Implementation Guides (STIGs) to assigned systems.
  • Identify, document, and track risk; recommend and implement mitigations to bring residual risk to acceptable levels and support authorization decisions.
  • Support continuous monitoring, including vulnerability scanning (e.g., ACAS), STIG compliance review, and reporting of system security status.

Security Requirements and Engineering

  • Analyze and define security requirements for mainframes, workstations, servers, and remote access systems.
  • Perform analysis, design, and development of security features within system architectures.
  • Provide integration and implementation of computer system security solutions.
  • Establish and satisfy complex, system-wide information security requirements derived from user, policy, regulatory, and resource demands per DoD guidance.
  • Develop and recommend solutions for the implementation of IA and security standards and procedures.

Operations and System Support

  • Detect, diagnose, and report operating system (Windows, UNIX, and similar) issues on server and desktop systems.
  • Install, configure, and maintain operating systems; analyze and resolve problems with server hardware, operating systems, services, permissions, and application software.
  • Ensure that all supported information systems remain functional and secure.

Incident Response and Vulnerability Management

  • Identify, report, and resolve security violations and incidents.
  • Notify the ISSM of all cybersecurity incidents as soon as reasonably possible.
  • Coordinate vulnerability assessments and penetration tests, applying techniques and countermeasures appropriate to current trends in vulnerabilities, data hiding, and encryption.

Reporting and Metrics

  • Create and aggregate biweekly vulnerability reports, consolidating scan results (e.g., ACAS), STIG compliance status, and open findings into a single, leadership-ready summary with trend analysis and prioritized remediation actions.
  • Create and aggregate monthly activity reports summarizing security posture, RMF and continuous monitoring progress, POA&M status, incidents, and key metrics for the ISSM and leadership.
  • Ensure reports are accurate, consistent, and delivered on schedule, and tailor content for both technical and executive audiences.

Programs, Policy, and Collaboration

  • Coordinate, develop, and evaluate security programs for the supported organization and recommend IA/security solutions that support customer requirements.
  • Provide input and recommendations supporting development and implementation of high-level IA and security doctrine and policy.
  • Participate in cybersecurity collaboration activities (Teams, conference calls, web meetings, chat) supporting cyber maturity, inspections, accreditation, threat and attack vector analysis, and overall cyber hygiene.
  • Meet regularly with the CIO, ISSM, IT teams, and leadership to ensure satisfaction with services provided.

Minimum Qualifications

  • Bachelor's degree in an appropriate IA, computer science, or engineering science field.
  • Six (6) years of information security, IA, or management experience in a DoD or medical environment.
  • Four (4) years of recent, hands-on practical experience.
  • Demonstrated RMF experience, including authorization package development and continuous monitoring.
  • Experience producing recurring security reporting, including aggregated vulnerability reports and activity/status reports for technical and leadership audiences.
  • CompTIA Security+ CE.
  • Microsoft Server certification (MCSE, MCSA, or MCSD) or an equivalent Microsoft Azure role-based certification (e.g., Azure Core, Productivity, or Data Management).
  • Meets IAT Level III and IAM Level II baseline standards in accordance with DoDD 8570.01-M and DoDD 8140 (current standards at time of performance apply).
  • Ability to obtain and maintain the background investigation / position of trust required for access to DoD information systems: T3 Background Investigation – Adjudicated for SECRET.

Preferred Qualifications

  • Direct experience with eMASS, ACAS, and DISA STIG implementation.
  • Familiarity with DoD RMF processes, Risk Management Framework Knowledge Service (RMF KS), and system accreditation workflows.
  • Working knowledge of NIST SP 800-37, 800-53, and 800-171, plus ISO/IEC 27001 risk management practices.
  • Additional IA certifications (e.g., CISSP, CySA+, CASP+) supporting IAT III / IAM II progression.
  • Experience supporting information systems in an OCONUS environment.

Compliance Standards

All services and deliverables shall align with applicable DoD regulations and guidance, NIST Risk Management Framework publications, DISA STIGs, and recognized industry and ISO/IEC security standards. Standards referenced herein are current as of the time of writing and are subject to update under prevailing policy.

 
