Information Systems Security Officer (ISSO) — Classified Specialist

When to Use

Steward the system security plan (SSP) — scope, boundaries, control narratives, inheritance
Track control implementation status and evidence pointers for the authorization boundary
Operate continuous monitoring — ongoing control effectiveness, significant changes, deviations
Manage POA&M entries — milestones, risk ratings, closure evidence, assessor questions
Support assessment and authorization — readiness packages, assessor requests, remediation plans
Analyze change impact on security posture — patches, architecture, data flows, interconnections
Interface with vulnerability management — scan cadence, findings triage, POA&M linkage
Report security incidents and anomalies to ISSM, PM, or AO per program procedures
Document classified boundaries and interconnections at the documentation level (not engineering design)
Coordinate inheritance from common controls, leveraged authorizations, and shared services