WHAT DOES AN INFORMATION SYSTEMS SECURITY MANAGER DO?
Published: Sep 16, 2025 - The Information Systems Security Manager manages the development, implementation, and sustainment of the organization’s Information Systems Security program in compliance with NISPOM, DAAPM, and RMF requirements. This role involves developing and reviewing security documentation, conducting inspections and risk assessments, overseeing incident response, and ensuring proper system operation, maintenance, and disposal in line with security policies. The Manager also leads security training and awareness programs, supports subcontractor programs, and ensures corrective actions are implemented to address vulnerabilities and compliance findings.

A Review of Professional Skills and Functions for Information Systems Security Manager
1. Information Systems Security Manager Functions
- Accreditation: Ensure the AIS is properly accredited by meeting confidentiality, integrity, and availability requirements established by the government.
- Policy Enforcement: Enforce security policies and safeguards for the AIS.
- User Support: Provide training and support to AIS users.
- System Maintenance: Perform required audits, backups, and other maintenance and monitoring actions.
- Documentation: Draft and implement System Security Plans.
- Incident Response: Perform spill mitigation and provide reports to the government.
- User Training: Establish and conduct training for personnel accessing the AIS.
- Monitoring: Conduct continuous monitoring activities and implement improvements.
- COMSEC Management: Serve as the alternate COMSEC custodian.
- Information Security: Assist in information security tasks for the organization.
2. Information Systems Security Manager Accountabilities
- IA Requirements: Interpret DoD Implementation Guides to determine IA requirements and ensure the Risk Management Framework (RMF) is implemented securely.
- Problem Solving: Independently devise approaches to solving information assurance challenges.
- Documentation: Create system documentation for security authorization, management, and continuous monitoring of classified systems.
- Auditing: Conduct auditing, risk assessments, configuration management, and investigations into IA-related security incidents.
- Data Integrity: Ensure assured file transfers and maintain data integrity through containment and response strategies.
- Cybersecurity Training: Provide cybersecurity training to users and promote awareness of risk mitigation practices.
- Stakeholder Collaboration: Work with internal and external stakeholders to gather requirements and resolve security-related issues.
- Policy Education: Educate teams on security policies, identify trends, and recommend policy improvements.
- Advisory Support: Advise teams on topics like confidentiality, clearances, and federal security requirements.
- Operational Security: Develop and enforce operational security policies and training to ensure compliance during all project phases, including design and operations.
3. Information Systems Security Manager Job Summary
- Program Management: Establish and enforce the Information System Security Program, including System Security Plans and supporting procedures.
- Documentation: Maintain current documentation for Assessment & Authorization activities in line with the Risk Management Framework.
- Security Assessment: Perform security control assessments to support continuous monitoring efforts.
- Configuration Management: Oversee configuration management and validate audit activities conducted by the ISSO.
- Inventory Management: Conduct hardware and software inventory assessments regularly.
- Risk Mitigation: Identify weaknesses in system security controls and lead remediation initiatives.
- Incident Investigation: Investigate security incidents involving data breaches, integrity issues, or malicious actions.
- Cybersecurity Training: Provide cybersecurity training and awareness to all employees.
- Collaboration: Collaborate with the Head of Information Security to ensure proper guidance supports technology initiatives.
- Standards Evaluation: Evaluate the design and implementation of standards, policies, and architectures to align with cybersecurity goals.
4. Information Systems Security Manager Responsibilities
- RMF Management: Responsible for developing and maintaining the Risk Management Framework (RMF) security, accreditation, and Authorization to Operate (ATO) approval.
- Information Security: Manage the security of information systems assets and the protection of systems from intentional or inadvertent access or destruction.
- Intrusion Detection: Recognize potential, successful, and unsuccessful intrusion attempts and compromises through reviews and analyses of relevant event detail and summary information.
- Forensic Analysis: Perform preliminary forensic evaluations of internal systems.
- Client Engagement: Interface with clients to understand their security needs and oversee the development and implementation of procedures to accommodate them.
- User Compliance: Ensure that the user community understands and adheres to the necessary procedures to maintain security.
- Risk Communication: Weigh business needs against security concerns and articulate issues to management and/or customers.
- Technology Awareness: Maintain current knowledge of relevant technology.
- Procedure Development: Guide the creation and maintenance of Standard Operating Procedures and other similar documentation.
5. Information Systems Security Manager Details
- Risk Assessment: Conduct risk assessments on systems intended for use by a program to determine the proper security compliance.
- Security Controls: Design and implement Cybersecurity, physical, procedural, and technical security controls.
- Policy Communication: Lead meetings to communicate information systems security implementation policies and guidelines.
- Stakeholder Collaboration: Partner with appropriate stakeholders to evaluate cybersecurity risks and vulnerabilities.
- Threat Mitigation: Assess and mitigate system security threats and risks.
- Documentation: Define and document security artifacts for the system.
- Auditing: Conduct regular audits to ensure proper security policy implementation, safeguard classified materials, and provide guidance to program personnel.
- Project Management: Be in charge of special projects.
- User Communication: Communicate clearly to all users, including security personnel, IT staff, and managers, the proper procedures for protecting classified information and the systems that process it.
- Training: Ensure training is provided before initial system access and conduct periodic refreshers on system usage, physical security, data transfers, and media protection.
6. Information Systems Security Manager Duties
- Security Implementation: Implement information systems security tasks required for the safeguarding, handling, and controlling of classified information for a U.S. Government program.
- Regulatory Compliance: Apply knowledge of information systems security to ensure enforcement of customer and government regulations.
- Team Support: Provide daily support to the team and system users, interact with program management, and occasionally interface with Government personnel.
- System Management: Manage system security, testing, and accreditation activities.
- Documentation: Develop and maintain cybersecurity RMF and ATO-related documentation.
- Corrective Actions: Develop corrective action plans, obtain approval, and track implementation of corrective actions in designated tools.
- Process Development: Develop new documents and processes to support the development and deployment of new architectures on the enterprise platform, ensuring compliance with government directives.
- Accreditation Preparation: Prepare accreditation documents for review by the Authorizing Official.
- System Administration: Work with system administrators to ensure all information systems are operated, maintained, and disposed of in accordance with established security policies and practices.
- Certification Leadership: Lead system certification and accreditation activities to ensure secure system operations and maintenance with approved controls in place.
- Technical Support: Perform technical engineering, administrative processing, compliance reporting, training, and document creation.
7. Information Systems Security Manager Job Description
- Team Collaboration: Collaborate with Program Engineering and IT teams to innovate and implement cutting-edge technology.
- Technical Integration: Assess and integrate relevant technical concepts to create functional, secure solutions for U.S. Government use.
- Security Oversight: Oversee the development and execution of information security protocols for designated systems in line with enterprise and program standards.
- RMF Application: Lead the application of the Risk Management Framework (RMF) throughout the system lifecycle, including development and maintenance.
- Compliance Monitoring: Conduct ongoing security compliance monitoring to ensure systems remain within acceptable risk thresholds.
- Strategic Guidance: Advise Program Managers, and provide mentorship and strategic technical guidance to the security team.
- Industry Research: Investigate industry trends and best practices to stay current with evolving cybersecurity methodologies.
- Policy Development: Author and maintain organization-wide security policies, procedures, and guidelines that span across multiple teams.
- Cybersecurity Advocacy: Ensure cybersecurity initiatives remain a high priority and clearly communicate their value to the broader organization.
- Continuous Improvement: Champion continuous security improvement efforts with minimal disruption to operational teams.
- Defense Enhancement: Identify and act on opportunities to strengthen system defenses while balancing usability and performance.
8. Information Systems Security Manager Overview
- Documentation: Create and maintain A&A packages, System Security Plans (SSPs), Risk Assessment Reports (RARs), Security Controls Traceability Matrices (SCTMs), and Plans of Action & Milestones (POA&Ms) for all classified systems.
- Policy Administration: Establish and administer appropriate security systems, policies, standards, and procedures in compliance with applicable government and corporate directives, guidelines, and contractual obligations.
- Assessment Analysis: Conduct analysis and assessment of security control assessment guidance, procedures, and templates to ensure correct and uniform implementation of RMF-based assessment processes.
- System Configuration: Configure and validate information system compliance using DISA STIGs, SCAP Compliance Checker (SCC), and STIG Viewer.
- Auditing: Conduct regular audits and configuration management in accordance with government customer requirements.
- Leadership: Provide technical and professional leadership to support personnel, oversee classified system compliance, and conduct self-assessments across multiple offices.
- Configuration Management: Provide configuration management for security-relevant information system software, hardware, and firmware.
- Security Training: Develop, implement, and deliver applicable Information Security training to all employees in accordance with NISPOM Chapter 8, cyber threat intelligence data, and current cybersecurity trends.
- Incident Investigation: Investigate information system security violations and prepare reports with corrective actions and preventative measures.
- Recommendations: Make recommendations regarding tools, trend analysis, and applicable network countermeasures.
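The STIG validation and POA&M duties above (SCC and STIG Viewer on the one hand, POA&M upkeep on the other) meet at the checklist export: an ISSM has to turn a STIG Viewer .ckl file into a list of open findings by CAT level and a POA&M line per finding, and has to confirm that nothing in the checklist is still Not_Reviewed before calling the assessment complete. The script below is an added example, not code from this page or from DISA. It assumes the .ckl element names it reads (ASSET/HOST_NAME, VULN, STIG_DATA, VULN_ATTRIBUTE, ATTRIBUTE_DATA, STATUS, FINDING_DETAILS) match your own export, and the embedded checklist, its host name, V-numbers and rule titles are constructed for illustration.

```python
"""Roll a STIG Viewer .ckl checklist up into a POA&M-style summary.

Added example, not code from the page or from DISA. Assumption: the element
names follow the STIG Viewer .ckl layout; verify against your own export.
The checklist below is constructed: host, V-numbers and titles are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# DISA severity strings as written in a .ckl, mapped to the CAT level used on a POA&M.
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = {"CAT I": 0, "CAT II": 1, "CAT III": 2, "UNKNOWN": 9}

# Constructed sample checklist (hypothetical host, V-numbers and rule titles).
SAMPLE_CKL = """<CHECKLIST>
 <ASSET><HOST_NAME>example-ws-01</HOST_NAME></ASSET>
 <STIGS><iSTIG>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Audit records must be generated for privileged commands.</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>Open</STATUS><FINDING_DETAILS>auditd service is not running</FINDING_DETAILS>
  </VULN>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>The DoD logon banner must be displayed.</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>NotAFinding</STATUS><FINDING_DETAILS></FINDING_DETAILS>
  </VULN>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000003</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Removable media must be logged when mounted.</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>Open</STATUS><FINDING_DETAILS>no mount audit rule present</FINDING_DETAILS>
  </VULN>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000004</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Account lockout must be configured.</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS>
  </VULN>
 </iSTIG></STIGS>
</CHECKLIST>
"""


def parse_ckl(xml_text):
    """Flatten every <VULN> into a dict of its STIG_DATA attributes plus status and details."""
    root = ET.fromstring(xml_text)
    host = (root.findtext("ASSET/HOST_NAME") or "unknown").strip()
    findings = []
    for vuln in root.iter("VULN"):
        rec = {"HOST": host}
        for sd in vuln.findall("STIG_DATA"):
            key = (sd.findtext("VULN_ATTRIBUTE") or "").strip()
            rec[key] = (sd.findtext("ATTRIBUTE_DATA") or "").strip()
        rec["STATUS"] = (vuln.findtext("STATUS") or "").strip()
        rec["FINDING_DETAILS"] = (vuln.findtext("FINDING_DETAILS") or "").strip()
        findings.append(rec)
    return findings


def unreviewed(findings):
    """V-numbers still Not_Reviewed: the assessment is incomplete until this list is empty."""
    return [f.get("Vuln_Num", "") for f in findings if f["STATUS"] == "Not_Reviewed"]


def open_findings(findings):
    return [f for f in findings if f["STATUS"] == "Open"]


def cat_summary(findings):
    """Open findings per CAT level, zeros included so the report always shows all three rows."""
    counts = Counter(CAT.get(f.get("Severity", "").lower(), "UNKNOWN") for f in open_findings(findings))
    return {cat: counts.get(cat, 0) for cat in ("CAT I", "CAT II", "CAT III")}


def poam_rows(findings):
    """One POA&M row per open finding, CAT I first, then by V-number."""
    rows = [
        {
            "host": f["HOST"],
            "vuln": f.get("Vuln_Num", ""),
            "cat": CAT.get(f.get("Severity", "").lower(), "UNKNOWN"),
            "weakness": f.get("Rule_Title", ""),
            "details": f["FINDING_DETAILS"],
        }
        for f in open_findings(findings)
    ]
    return sorted(rows, key=lambda r: (CAT_ORDER.get(r["cat"], 9), r["vuln"]))


if __name__ == "__main__":
    findings = parse_ckl(SAMPLE_CKL)
    print("open findings by CAT:", cat_summary(findings))
    print("not yet reviewed:", unreviewed(findings))
    for row in poam_rows(findings):
        print(f"{row['host']} {row['cat']:7} {row['vuln']}  {row['weakness']}  [{row['details']}]")
```

Two outputs matter for a self-inspection: the CAT I count, since every open CAT I needs its own POA&M line and milestone, and an empty Not_Reviewed list, because a checklist with unreviewed rules is not evidence that the system is operating as accredited, whatever its open count says. Point `parse_ckl` at the contents of a real export and run the same three functions over it.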
9. Information Systems Security Manager Details and Accountabilities
- Program Management: Manage overall development, implementation, and sustainment of the Information Systems Security program.
- Subject Expertise: Perform duties as subject matter expert to address requirements listed in the National Industrial Security Program Operating Manual (NISPOM) and the Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM).
- Documentation: Develop and review System Security Plans (SSP), all required supporting documentation (POA&M, NSP, etc.), and local policies in accordance with the NISPOM and DAAPM.
- System Operations: Operate, maintain, and dispose of systems in accordance with security policies and procedures.
- Control Testing: Develop and conduct test procedures for verification of Risk Management Framework (RMF) controls to meet customer requirements.
- Self-Inspection: Perform periodic self-inspections, tests, and reviews of the Information Security program to ensure that systems are operating as authorized/accredited and implement corrective actions for identified findings and vulnerabilities.
- Security Training: Ensure development and implementation of an information security education, training, and awareness program, including attending, monitoring, and presenting local IS security training.
- Log Review: Review security logs and audit trails in accordance with established schedules.
- Incident Response: Ensure proper protection or corrective measures are taken when an incident or vulnerability is discovered within a system.
- AIS Support: Provide AIS support for subcontract programs and vendors.
- Vulnerability Management: Ensure proper measures are taken when a system incident or vulnerability affecting classified systems or information is discovered.
10. Information Systems Security Manager Tasks
- Monitoring: Perform continuous monitoring in accordance with the RMF.
- Documentation: Process and maintain System Security Plans (SSPs).
- System Controls: Maintain knowledge of system controls for system accreditations.
- Secure Area Management: Be in charge of managing secure areas.
- Engineering Compliance: Understand engineering requirements to apply controls in compliance with the NIST Risk Management Framework (RMF).
- Testing: Conduct continuous monitoring, test development, and validation testing to enable communication with DoD and IC customers.
- Audit Artifacts: Develop audit trail artifacts and Information System (IS) self-assessment checklists.
- Investigations: Execute investigations to meet Federal requirements.
- OpSec Policies: Develop, create, implement, and support physical and operations security (OpSec) policies, plans, processes, and training materials.
- Standards Compliance: Ensure compliance with government and other unique environmental security standards for highly confidential and regulated projects.
11. Information Systems Security Manager Roles
- Procedure Development: Document and enhance procedures to ensure confidentiality, security, and compliance with government standards.
- Auditing: Conduct audits and site visits to assess the security posture of field sites and suppliers.
- Incident Response: Respond to incidents by analyzing root causes and implementing corrective actions.
- Collaboration: Work closely with internal teams, external suppliers, and customers on security-related matters.
- Advisory Support: Advise internal teams on federal security protocols, including clearances and information-sharing rules.
- Confidentiality: Uphold strict confidentiality in handling sensitive materials and private information.
- Representation: Represent the organization during interactions with external stakeholders and government bodies.
- ISSO Duties: Take on Information Systems Security Officer (ISSO) responsibilities.
- Field Support: Travel locally to support system security and maintain required accreditations.
- Documentation: Ensure cybersecurity documentation is accurate, current, and accessible to authorized personnel.
- Configuration Compliance: Verify that all system components meet established security configuration guidelines.
12. Information Systems Security Manager Additional Details
- Strategic Direction: Provide strategic direction to related governance functions (such as Physical Security/Facilities, HR, and Legal) and leaders throughout the organization on information security matters, plus emerging security risks and control technologies.
- Contract Review: Participate in contract review to ensure appropriate security controls are in place.
- Awareness Oversight: Oversee the general level of security awareness within the organization and the IT team.
- Security Training: Conduct organization-wide security awareness training.
- User Engagement: Interface effectively with users at all levels.
- Policy Development: Lead the development, implementation, testing, and management of security policies and standards organization-wide.
- Data Protection: Ensure the protection of corporate data against unauthorized use, access, modification, disclosure, and deliberate or inadvertent destruction.
- Standards Development: Develop security criteria/standards for evaluating existing and proposed applications, providing an assessment of vulnerability and risk.
- Risk Assessment: Perform annual Technology Risk assessment and Incident Response reviews.
- Compliance Testing: Periodically test security practices for compliance with established policy/practices.
13. Information Systems Security Manager Essential Functions
- Incident Investigation: Investigate security breaches, fully documenting events, effectively retaining evidence, and recommending realistic preventative measures.
- Security Tools Management: Own and operate security tools to monitor changes in the security landscape, including new vulnerabilities, viruses, intrusions, fraud scams, etc., per industry best practices.
- Logging Operations: Operate solutions for system/network logging and analysis.
- Regulatory Compliance: Ensure TOMS policies and practices fully comply with all applicable audit and regulatory requirements.
- Risk Mitigation: Develop appropriate plans to proactively mitigate potential security weaknesses.
- Vulnerability Management: Work with internal teams to identify and resolve vulnerabilities on a continuous basis.
- PCI Compliance: Manage annual PCI audit/attestation program and filing process, including periodic check-ins and preparation efforts.
- Security Training: Develop and deliver ongoing training/awareness programs throughout the company.
- Stakeholder Collaboration: Interface with government customers, suppliers, and company personnel to implement protective mechanisms and ensure understanding of and compliance with cybersecurity requirements.
14. Information Systems Security Manager Role Purpose
- Regulatory Compliance: Adhere to all requirements as stated in the National Industrial Security Program Operating Manual (NISPOM, formerly DoD 5220.22-M, Chapter 8; now codified at 32 CFR Part 117), the Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM), CMMC, and NIST SP 800-171.
- Government Liaison: Liaise directly with the assigned DCSA ISSP to ensure full and timely compliance with government directives and regulations.
- Program Support: Assist the Senior Manager, Network Systems and Information Assurance, and Facility Security Officer in the effective implementation, assessment, and management of the Security Program.
- Documentation: Evaluate configurations, create System Security Plans, Disaster Recovery Plans, Incident Response Plans, and other artifacts to facilitate certification and accreditation of systems.
- Project Management: Manage timelines, processes, and taskings to achieve success in developing quality products.
- Vulnerability Management: Assist system engineers and system administrators in complying with the vulnerability management program and securing systems, networks, and applications.
- ATO Preparation: Prepare, submit, and coordinate Authority to Operate packages based on DoD Risk Management Framework (RMF) in eMASS, Assurant, or other customer-designated systems.
- CMMC Compliance: Prepare, submit, and coordinate CMMC and NIST 800-171 requirements packages for all assigned systems.
- Program Coordination: Coordinate the IS security program with other facility security programs, including cooperation and support of contract-designated ISSMs and ISSOs.
- Security Oversight: Prepare and implement security documentation and monitor the IS Security Program and related procedures to ensure facility compliance.
15. Information Systems Security Manager General Responsibilities
- Threat Management: Identify and document unique local threats and vulnerabilities, and make recommendations to address risk management status.
- Self-Inspection: Ensure periodic self-inspections of the facility's IS Program and accredited systems are conducted as part of the overall facility self-inspection program.
- Corrective Actions: Ensure corrective action is taken for all identified findings.
- System Inspection: Conduct self-inspections to ensure the accredited system is operating as accredited and that accreditation conditions have not changed.
- Auditing: Ensure all system auditing is completed within the specified timeframe.
- ISSO Oversight: Designate and manage the training, certification, and oversight responsibilities of assigned Information System Security Officers (ISSOs).
- Change Management: Advise and assist change managers with Configuration Change Board (CCB) documentation necessary for the approval of new hardware or software for assigned systems.
- Incident Oversight: Provide oversight and guidance during security incidents and investigations, and ensure root cause analysis is undertaken.
- System Security Engineering: Support the overall System Security Engineering process, including development of Program Protection Implementation Plans (PPIP), Security Test and Evaluation Plans (ST&E), Risk Management Assessment Packages, and Supply Chain Risk Management (SCRM) Assessment Reports.