NIH - ISSM

cFocus Software Incorporated, Bethesda, MD
Remote

About The Position

cFocus Software is seeking an Information Systems Security Manager (ISSM) to join our program supporting the National Institutes of Health (NIH). This position is fully remote and requires a Public Trust clearance or the ability to obtain one. The ISSM will lead the enterprise implementation of the NIST Risk Management Framework (RMF) across NIH/OD information systems, manage the Assessment & Authorization (A&A) lifecycle for Low and Moderate FISMA systems, and oversee continuous monitoring activities. The role involves directing the development and review of security documentation, supervising ISSOs, and providing cybersecurity guidance to System Owners. The ISSM will also manage enterprise cybersecurity risk assessments, coordinate with stakeholders across the authorization process, and ensure compliance with federal cybersecurity requirements. Additionally, the role includes reviewing security architectures, managing POA&Ms, developing executive-level metrics, supporting audit activities, and providing technical leadership in areas such as Cybersecurity Supply Chain Risk Management (C-SCRM) and enterprise security governance.

Requirements

  • Public Trust Clearance
  • B.S. in Computer Science, Information Technology, or a related field
  • 7+ years of progressively responsible experience supporting Federal cybersecurity programs.
  • 5+ years serving as an ISSM, Senior ISSO, Security Manager, or equivalent cybersecurity leadership role.
  • Demonstrated experience managing multiple federal information systems through the RMF lifecycle.
  • Experience supporting FISMA High, Moderate, or Low systems.
  • Active CISSP, CISM, CAP (now CGRC), GSLC, or Security+ certification

Responsibilities

  • Lead enterprise implementation of the NIST Risk Management Framework (RMF) across NIH/OD information systems.
  • Manage the complete Assessment & Authorization (A&A) lifecycle for Low and Moderate FISMA systems.
  • Direct the development, review, and approval of System Security Plans (SSPs), Security Assessment Plans (SAPs), Security Assessment Reports (SARs), Plans of Action & Milestones (POA&Ms), Security Control Traceability Matrices, and authorization packages.
  • Oversee continuous monitoring activities to ensure ongoing security authorization.
  • Supervise and mentor Information System Security Officers (ISSOs) supporting NIH/OD systems.
  • Provide cybersecurity guidance to System Owners regarding implementation of NIST SP 800-53 Rev. 5 security controls.
  • Manage enterprise cybersecurity risk assessments and recommend appropriate risk mitigation strategies.
  • Oversee Risk Mitigation Waiver documentation, approvals, compensating controls, and periodic reassessment of residual risk.
  • Coordinate with Security Control Assessors (SCAs), Authorizing Officials (AOs), System Owners, Privacy Officials, and executive leadership throughout the authorization process.
  • Ensure compliance with FISMA, HHS, NIH, NIST, OMB, and Federal cybersecurity requirements.
  • Review security architectures and proposed system changes for compliance with security requirements.
  • Direct enterprise POA&M management activities, remediation tracking, and corrective action reporting.
  • Review security assessment findings and validate remediation activities.
  • Develop executive-level cybersecurity metrics, dashboards, and risk briefings.
  • Support audit activities conducted by internal and external oversight organizations.
  • Coordinate continuous monitoring strategies, vulnerability remediation activities, and compliance reporting.
  • Provide technical leadership regarding Cybersecurity Supply Chain Risk Management (C-SCRM), common controls, and enterprise security governance.
  • Review security exceptions and risk acceptance packages for executive approval.
  • Ensure all RMF documentation remains current throughout the system lifecycle.
  • Support strategic cybersecurity planning and governance initiatives.
© 2026 Teal Labs, Inc