AOUSC - SOC Manager
cFocus Software Incorporated
Washington, United States of America
3 days ago
Role details
Contract type: Permanent contract
Employment type: Full-time (> 32 hours)
Working hours: Regular working hours
Languages: English
Experience level: Intermediate
Job location: Washington, United States of America
Tech stack
Microsoft Windows
JIRA
Computer Security
Linux
Security Information and Event Management
Malware
Information Technology
Microsoft Sentinel
Splunk
ServiceNow
Job description
cFocus Software seeks a SOC Manager to join our program supporting the Administrative Office of the United States Courts (AOUSC). This position is Hybrid with the onsite location being in Washington, DC. This position requires a Public Trust clearance.
- Provide operational leadership and management oversight for 24x7x365 SOC operations supporting Judiciary cybersecurity activities.
- Manage cybersecurity triage, incident response, containment, remediation, recovery, and post-incident review activities.
- Ensure operational adherence to the Judiciary Security Operations Center Incident Response Plan (JSOCIRP), SOC Standard Operating Procedures (SOPs), and AO-defined escalation procedures.
- Oversee alert triage activities utilizing Splunk Enterprise Security, Microsoft Sentinel, ServiceNow, Jira, and other approved Government systems.
- Ensure timely acknowledgment, triage, escalation, and handling of cybersecurity alerts in accordance with SLA requirements and incident prioritization timelines.
- Lead operational coordination during Priority 1 and Priority 2 cybersecurity incidents and ensure timely government notification and escalation.
- Oversee development and maintenance of cybersecurity triage work instructions, incident handling SOPs, response action procedures, and operational documentation.
- Manage SOC analysts, incident responders, and forensic personnel to ensure staffing coverage, operational readiness, and quality performance.
- Review and validate cybersecurity incident reports, post-incident reviews (PIRs), forensic reports, malware analysis reports, and operational status reporting.
- Coordinate with AO leadership, federal staff, watch officers, branch chiefs, and stakeholders regarding cybersecurity incidents, operational risks, and emerging threats.
- Ensure accurate documentation of all cybersecurity activities, artifacts, timelines, and communications within ServiceNow and other authorized systems.
- Manage operational metrics including Mean Time to Acceptance (MTTA), Mean Time to Triage (MTTT), containment timelines, remediation timelines, and quality assurance metrics.
- Conduct weekly technical meetings and provide operational briefings, metrics, trends, risk assessments, and remediation recommendations.
- Develop and maintain Common Operational Picture (COP) awareness and cybersecurity operational reporting for AO stakeholders.
- Support continuous improvement initiatives by identifying detection gaps, process inefficiencies, workflow improvements, and operational enhancements.
- Coordinate cybersecurity forensics and malware analysis activities including evidence preservation, malware analysis, root cause analysis, and artifact review.
- Ensure operational compliance with NIST SP 800-53, NIST SP 800-61, NIST Cybersecurity Framework (CSF) 2.0, and ITIL v4 principles.
- Support transition-in and transition-out activities including onboarding, operational readiness, training, and knowledge transfer.
- Provide executive-level and technical-level cybersecurity briefings, reports, and presentations.
- Support enterprise security awareness reporting and development of operational KPIs.
Requirements
- Active Public Trust clearance
- B.S. Computer Science, Information Technology, or a related field
- 7+ years' experience in an active incident responder position; two (2) years of recent (within the last five (5) years) experience providing technical direction to a SOC (over 5,000 endpoints).
- 2+ years of experience implementing IR in a federal environment in accordance with federal incident handling guidelines as specified in NIST CSWP-29: CSF, and NIST SP-800-61 Computer Security Incident Handling Guide.
- 2+ years of experience using Splunk SIEM to correlate cybersecurity alerts.
- 3+ years' experience in auditing using operating systems (Linux and Windows) to perform cybersecurity services.
- Strong technical writing skills to effectively communicate complex analytical findings and produce clear, concise, well-structured reporting, including executive-level reports.
- This role aligns to the NICE work role PD-WRL-001 (Defensive Cybersecurity).
- Active SANS GCIH or GCIA certification
Benefits & conditions
Invitation for Job Applicants to Self-Identify as a U.S. Veteran
- A "disabled veteran" is one of the following:
- a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or
- a person who was discharged or released from active duty because of a service-connected disability.
- A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.
- An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.
- An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.