Information Systems Security Manager (ISSM)

About The Position

Requirements

• Active Top Secret (TS) security clearance; SCI eligibility required or must be obtainable within 6 months of hire.
• Minimum of 10 years of progressive experience in information systems security within a DoD or Intelligence Community classified environment with 5 or more year’s direct experience as an ISSM, ISSP, Security Control Assessor (SCA), or equivalent position.
• Demonstrated ISSM or ISSO experience supporting DCSA-adjudicated classified IS programs under NISPOM/DAAPM.
• A minimum of 3 years of direct working knowledge of the NIST RMF process (NIST SP 800-37, 800-53, 800-171) and DoD Assessment Methodology (DAAPM).
• Experience preparing and managing ATOs, SSPs, SAPs, and POA&Ms for TS and SCI-level information systems.
• Proficiency with eMASS (Enterprise Mission Assurance Support Service) or equivalent GRC tool.
• Working knowledge of SIEM platforms, vulnerability scanners (e.g., ACAS/Nessus), and HBSS/endpoint security tools.
• IAM Level II or III certification required per DoD 8570.01-M / DoD 8140 (e.g., CISSP, CISM, GSLC, or equivalent).
• Master’s degree or Bachelor's degree with equivalent work experience and certifications in Cybersecurity, Information Technology, Computer Science, or a related technical discipline, OR equivalent verifiable experience.

Nice To Haves

• Current TS/SCI access with polygraph (CI or Full Scope).
• Experience supporting Special Access Programs (SAPs) or Sensitive Compartmented Information Facilities (SCIFs).
• Familiarity with Cross Domain Solutions (CDS), data transfer processes, and CDSE/NSA approval workflows.
• Experience with LINUX and Windows hardened STIG baseline implementation and validation.
• Knowledge of ICD 503, ICS 500-27, and CNSSI 1253 security control overlays.
• Prior DCSA inspection experience (NISP, SAP, or SCI programs).
• Additional certifications such as CASP+, CCSP, Security+, or CEH are a plus.
• Direct experience managing the system lifecycle of connected classified systems including Secret Defense Research and Engineering Network (SDREN), Secret Internet Protocol Router Network (SIPRNET), Non-classified Internet Protocol Router Network (NIPRNET, and Joint Worldwide Intelligence Communications System (JWICS) systems.

Responsibilities

• Lead the Assessment and Authorization (A&A) process for all classified IS under the Risk Management Framework (RMF) in accordance with NIST SP 800-37 and DAAPM.
• Prepare, maintain, and submit System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), and Authorization to Operate (ATO) packages.
• Serve as the primary liaison with DCSA and Government customer representatives during system assessments, inspections, and audits.
• Maintain and manage the System Security Authorization Agreement (SSAA) or equivalent documentation for all IS operating at the TS level or above.
• Ensure all classified information systems comply with 32 CFR Part 117 (NISPOM), applicable DoD and IC cybersecurity policies, Contract Data Requirements List (CDRLs), and Statement of Work (SOW) security requirements.
• Develop, implement, and maintain facility-level Information Systems Security policies, procedures, and Standard Operating Procedures (SOPs).
• Enforce configuration management (CM) controls and ensure all hardware/software changes to classified IS are reviewed and approved prior to implementation.
• Conduct periodic self-inspections of classified IS programs and remediate findings in coordination with the FSO and program leadership.
• Implement and manage a Continuous Monitoring (ConMon) program for all authorized classified information systems.
• Monitor audit logs, SIEM alerts, and vulnerability scan results; investigate anomalies and potential insider threats.
• Serve as the Facility Incident Response Manager for classified information system security incidents; coordinate reporting to DCSA and GCAs within required timeframes.
• Conduct or oversee technical vulnerability assessments and penetration testing as required by the CSA or contract requirements.
• Oversee ISSM-delegated Information System Security Officer (ISSO) personnel; provide mentorship, task delegation, and performance oversight.
• Develop and deliver annual IS security awareness training and role-based training for users of classified information systems.
• Maintain personnel access records and access control lists (ACLs) for all classified IS; ensure need-to-know verification prior to system access grants.
• Coordinate with the FSO to ensure the integration of personnel security and information security requirements.
• Coordinate with facilities and physical security teams to ensure IS are housed in appropriately accredited spaces (SCIFs, Closed Areas, SAPs) in accordance with ICD 705 and DCSA physical security standards.
• Manage and enforce media protection, sanitization, and destruction procedures for classified storage media in accordance with NSA/CSS EPL requirements.
• Oversee PKI, multi-factor authentication (MFA), and privileged access management (PAM) implementations across classified networks.

Benefits

• Competitive salaries
• Continuous learning and development
• Health and wellness care options
• Financial solutions for the future
• Optional legal services (US only)
• Paid holidays
• Paid time off