Information System Security Manager

Polar Semiconductor, Bloomington, MN
$141,000 - $195,000

About The Position

We are seeking a highly skilled and self-directed Information System Security Manager (ISSM) to serve as the cybersecurity authority for an organization of approximately 600 employees. This individual will function as the combined ISSM/ISSO, collaborating with the respective teams on the full lifecycle of information system security, from daily operational execution to long-term strategic planning and enterprise risk management. The organization handles Controlled Unclassified Information (CUI) as its primary data classification, with additional responsibilities for ITAR- and EAR-regulated data, and a long-term trajectory to extend operations into classified environments. The successful candidate will build, maintain, and mature the cybersecurity program across all of these domains. This is a leadership-level individual contributor role with significant organizational visibility and autonomy.

DoD 8140 / DCWF Alignment

This position maps to DCWF Work Role 722, Information Systems Security Manager, within the Oversee and Govern (OV) category, Cybersecurity Management specialty area. Candidates must meet, or be prepared to meet, the DoD 8140.03 qualification requirements for that work role; the requirements below reflect them.

Requirements

  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related discipline. Equivalent combination of education, certifications, and direct experience will be considered.
  • 7+ years of progressive experience in information security, with at least 3 years in an ISSM or senior-level ISSO role.
  • Demonstrated experience operating as a sole security practitioner or leading security functions with minimal oversight.
  • Policy Development: Demonstrated ability to author clear, enforceable security policies and communicate them effectively to technical and non-technical audiences.
  • NIST SP 800-53 (Rev. 5): Deep knowledge of control families; ability to select, implement, assess, and monitor controls for moderate-to-high baseline systems.
  • NIST SP 800-171 / CMMC: Hands-on experience implementing the 110 security requirements of NIST SP 800-171 Rev. 2 (the baseline a CMMC Level 2 assessment is scored against) and preparing an organization for a CMMC Level 2 assessment.
  • DISA STIGs: Proficiency in applying, scanning for, and validating STIG compliance across Windows, Linux, network, and application platforms using STIG Viewer, SCAP tools, or equivalent.
  • CIS Benchmarks: Experience applying CIS hardening standards and using CIS-CAT or equivalent assessment tooling to validate compliance.
  • Risk Management Framework (RMF): End-to-end experience with the NIST RMF (SP 800-37 Rev. 2) system authorization lifecycle: prepare, categorize, select, implement, assess, authorize, monitor.
  • CUI Program Management: Experience building or maturing a CUI protection program, including marking, handling, dissemination, storage, destruction, and incident reporting.
  • ITAR / EAR: Working knowledge of export control regulations and their intersection with cybersecurity requirements (access control, data segregation, technology control plans).
  • Security Tooling: Practical experience with SIEM platforms, vulnerability management tools (Tenable, Rapid7, or equivalent), endpoint detection and response (EDR), and data loss prevention (DLP).
  • Incident Response: Experience developing and executing incident response plans, conducting preliminary investigations, and coordinating reporting to DISA, DC3, or the sponsoring agency, including the rapid (72-hour) cyber incident reporting that DFARS 252.204-7012 requires of CUI-handling contractors.

Nice To Haves

  • Provide subject matter expertise in physical security controls in coordination with or in support of the Facility Security Officer (FSO).
  • Advise on and oversee TEMPEST countermeasures, shielding requirements, and inspections for facilities processing sensitive or classified information.
  • Support implementation of physical access controls, visitor management, alarm systems, and closed area / restricted area requirements.
  • Participate in facility accreditation activities and self-inspections.
  • The following certifications satisfy the DoD 8140.03 requirements for DCWF Work Role 722 and are strongly preferred: CISSP (Certified Information Systems Security Professional); CISM (Certified Information Security Manager).
  • This position may require U.S. Citizenship or Permanent Residency status in the future depending on federal requirements.

Responsibilities

  • Serve as the single ISSM/ISSO for the organization; own system authorization, continuous monitoring, and Plan of Action & Milestones (POA&M) management across all information systems.
  • Implement, assess, and maintain security controls aligned with NIST SP 800-53 (Rev. 5), NIST SP 800-171, and CMMC Level 2+ requirements.
  • Harden endpoints, servers, and network infrastructure using DISA STIGs and CIS Benchmarks; manage deviation requests and document compensating controls.
  • Conduct and coordinate vulnerability scanning, remediation tracking, audit log reviews, and incident response activities.
  • Manage and maintain System Security Plans (SSPs), security assessment reports, risk assessments, and all authorization artifacts.
  • Monitor security tooling (SIEM, vulnerability scanners, endpoint protection, DLP) and ensure operational effectiveness.
  • Execute ongoing continuous monitoring activities consistent with NIST SP 800-137 and organizational CONMON strategies.
  • Develop and drive the organization’s multi-year cybersecurity strategy and roadmap, including CMMC certification readiness, classified environment standup, and CUI protection program maturity.
  • Author, review, and maintain cybersecurity policies, standards, and procedures aligned with federal regulations.
  • Provide cybersecurity risk assessments and recommendations to senior leadership; translate technical risk into business impact.
  • Lead the organization through CMMC assessment preparation and serve as the primary point of contact for C3PAO assessors and DIBCAC reviews.
  • Plan and oversee the transition from CUI-only operations to classified processing capability, including infrastructure design and policy development.
  • Develop and deliver cybersecurity awareness training for all 600+ employees, including role-based training for privileged users and executives.
  • Manage relationships with external auditors, assessors, government customers, and regulatory bodies.

Benefits

  • Includes health, dental, vision, disability and life insurance, 401(k) plan with company match, paid time off, annual bonus, and tuition reimbursement.
© 2024 Teal Labs, Inc