Tobias Essuah Mensah

$60/hr
Information Security Analyst
Availability:
Full-time (40 hrs/wk)
Age:
44 years old
Location:
Elkridge, Maryland, United States
Experience:
10 years
Tobias Essuah Mensah
Elkridge, MD 21075

Summary

• Accomplished Senior Information System Security Officer (ISSO) and Compliance Specialist with over nine years of progressive experience safeguarding federal information systems. A certified and experienced Senior Information System Security Officer (ISSO) with over 9 years of expertise in the implementation of cybersecurity frameworks, particularly the NIST Risk Management Framework (RMF). Adept in FISMA and FedRAMP compliance, risk assessments, and the development of security documentation to ensure the integrity and security of IT systems. Proven ability to lead teams, secure Authorization to Operate (ATO), and maintain compliance through effective monitoring and security controls. Recognized for attention to detail, strong leadership, and collaborative problem-solving in high-pressure environments.
• Led the Authorization to Operate (ATO) process for the Collibra System, bringing it online within sixty days by ensuring compliance with federal security standards.
• Drove change management and documentation efforts, efficiently managing the tracking of over five hundred Change Requests and CIMs, ensuring accurate uploads into CSAM and FootPrints.
• Provided monthly security reports on system risk levels and POA&Ms, supporting critical decision-making for CFTC stakeholders.

Skills

• Cybersecurity Leadership
• Risk Management & Assessment
• FISMA & FedRAMP Compliance
• Vulnerability
• MS Office Suite (Word, Excel, PowerPoint, Access, Visio, Teams, SharePoint)
• Security Tools: Risk Vision, eMass, Archer GRC, Splunk, CSAM
• Cybersecurity Frameworks: Risk Management Framework (RMF), COSO, COBIT, ISO 27002, PCI-DSS, HIPAA, HiTRUST
• Vendor Risk Management, FedRAMP, FIPS 199 & FIPS 200, SORN, E-Authentication
• Security Documentation: Business Impact Analysis (BIA), Contingency Planning (CP), Incident Response Planning (IRP), Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), Risk Assessment (RA), Security Assessment Reports (SAR), Plans of Action & Milestones (POA&M)
• Compliance Standards: NIST SP 800 family, FedRAMP, FISMA

Education

Master of Science in Information Technology/Informatics Administration
University of Maryland Global Campus – Adelphi, MD

Bachelor of Science in Media & Communications Studies
University of Maryland Baltimore County – Baltimore, MD

Associate of Arts in General Studies/Business Technology Administration
Howard Community College – Columbia, MD

Certifications and Licenses

• AWS Certified Developer Associate – Amazon 2018
• Certificate of Cloud Security Knowledge (CCSK) – Cloud Security Alliance 2017
• CompTIA Security+
• Certified Information Security Manager (CISM)
• Certificate in Information Assurance – University of Maryland Global Campus 2020
• Senior Information System Security Officer
• Driver’s License

Professional Experience

Information System Security Officer (ISSO)/Compliance Specialist
Omnia Cyber Solutions - Elkridge, Maryland
Jun 2024 to Present

• Develop, implement, and maintain information system security policies, procedures, and controls in compliance with NIST, RMF, and other applicable federal regulations.
• Ensured compliance with relevant regulations and standards.
• Implemented and enforced security policies and procedures.
• Conducted risk assessments to identify vulnerabilities and potential threats. Developed and implemented risk mitigation plans.
• Coordinate with system owners, engineers, and stakeholders to implement security controls and remediate findings.
• Manage and document incident response activities, ensuring timely resolution and reporting.
• Provide guidance and training to staff on cybersecurity best practices and compliance requirements.
• Support audits and inspections, ensuring readiness and accurate evidence submission.
• Managed emerging and defined risks associated with information systems.
• Prepared and reviewed documentation, such as System Security Plans (SSPs), Risk Assessment Reports, and Certification and Accreditation (C&A) packages.
• Supported security authorization activities in compliance with relevant frameworks.
• Ensured audit records are collected, reviewed, and documented.

Information System Security Officer (ISSO)/Compliance Specialist
XOR Security – CFTC, Washington D.C.
Apr 2022 to Jun 2024

• Spearheaded the review and analysis of all system artifacts to ensure compliance and accuracy, supporting Authorization to Operate (ATO) requests.
• Served as ISSO for multiple CFTC information systems, ensuring compliance with NIST 800-53, FISMA, and agency security policies.
• Developed, updated, and maintained System Security Plans (SSPs), POA&Ms, Continuous Monitoring (ConMon) reports, and other required security documentation.
• Led the continuous monitoring activities using CFTC's Governance Risk and Compliance (GRC) tools, safeguarding network security through operational and technical controls.
• Provided security awareness and compliance guidance to system stakeholders to ensure adherence to federal cybersecurity standards.
• Directed the drafting and review of security documents, applying extensive expertise in the NIST SP 800 family of publications and FedRAMP standards to ensure full system compliance.
• Produced monthly risk assessment reports for senior stakeholders, effectively communicating Plans of Action and Milestones (POA&Ms) and security scan results.
• Enhanced the organization's security posture by implementing robust controls and ensuring the accuracy of audit and compliance reports in the Compliance and Security Assessment Management (CSAM) tool.
• Ensured information systems meet security requirements before they go live (FISMA).
• Regularly monitor, test, and evaluate the effectiveness of security controls (FISMA).

IT Security Control Assessor
Grey Tier Technologies - Alexandria, VA
Mar 2020 to Apr 2022

• Conducted thorough risk compliance and assurance efforts aligned with NIST SP 800-53A to strengthen organizational cybersecurity resilience.
• Performed Security Control Assessments (SCA) in alignment with NIST 800-53 and Risk Management Framework (RMF) requirements for federal information systems.
• Reviewed and evaluated System Security Plans (SSPs), Security Assessment Reports (SARs), and other compliance documentation for completeness and accuracy.
• Conducted interviews, evidence reviews, and technical testing to validate the implementation of security controls.
• Identified security gaps through detailed reviews and assessments, offering actionable recommendations for security risk mitigation strategies.
• Developed and maintained system assurance and accreditation materials, leading the verification of security postures for applications and network systems.
• Led security authorization reviews, ensuring major system changes met regulatory requirements through comprehensive risk analyses and control testing.
• Collaborated cross-functionally to ensure security controls were integrated throughout the system’s lifecycle, driving compliance with IT resilience and dependability standards.

IT Security Control Assessor
Jacobs - Washington D.C.
Jan 2017 to Mar 2020

• Executed structured security Certification & Accreditation (C&A) activities under the Risk Management Framework (RMF), ensuring compliance with FISMA requirements.
• Enhanced IT security controls by updating Security Test & Evaluation (ST&E) reports and Security Assessment Reports (SAR), contributing to continuous system monitoring and improvement.
• Led system testing and validation efforts, ensuring the accuracy of security controls and compliance with NIST standards.
• Stay current with evolving federal cybersecurity regulations, standards, and best practices to ensure ongoing compliance.
• Perform in-depth assessments of implemented security controls, documenting evidence of compliance and identifying any gaps or weaknesses.
• Coordinate with system owners, engineers, and ISSOs to clarify system architectures, control implementations, and security documentation.
• Developed test plans and scripts, coordinating with technical teams to execute comprehensive security reviews and vulnerability assessments.
• Communicated technical security information to non-technical stakeholders, ensuring clear understanding of risk levels and security strategies.

Information Assurance Analyst
Robert Half - Washington D.C.
Jun 2015 to Jan 2017

• Validated system security compliance, ensuring adherence to organizational policies and regulatory standards for data protection.
• Conducted IT risk assessments to verify the confidentiality, integrity, and availability of critical systems, protecting sensitive information from potential threats.
• Reported security control violations, working with risk management teams to implement corrective actions and maintain system integrity.
• Assessed the effectiveness of operating systems and hardware configurations, ensuring compliance with federal security standards.

IT Specialist / Security Control Assessor
Lash Group - Columbia, MD
Sep 2013 to Jun 2015

• Performed comprehensive IT risk assessments and security control evaluations following NIST standards.
• Conducted security tests and evaluations, identifying vulnerabilities and recommending solutions to mitigate security risks.
• Monitor regulatory and threat developments, staying current with cybersecurity trends and evolving compliance requirements.
• Guided the organization in adopting cybersecurity best practices and regulatory requirements, ensuring compliance across all IT systems.

IT Help Desk Support
Real News Network - Baltimore, MD
Aug 2010 to Sep 2013

• Provided technical support by managing twenty-five help desk tickets per day and troubleshooting workstation configurations, improving operational efficiency.
• Developed Standard Operating Procedures (SOPs) and process flows to streamline onboarding for help desk colleagues.
• Installed and configured new workstations and peripheral devices, ensuring optimal performance and system security.