Security & Compliance Manager (ISSO / FSO)

Tagup
New York, FL
$135,000 - $165,000

About The Position

Tagup is a defense technology company founded at MIT that is delivering logistics decision advantage with next-generation AI. They are growing rapidly and are looking for change-makers passionate about delivering innovative technologies to solve the most challenging problems in the world’s highest stakes environments. This role offers an exciting opportunity to engage in meaningful work that strengthens national security and contributes to the success of U.S. and allied forces, shaping the future of defense logistics for a safer tomorrow.

The team consists of engineers and data scientists driven by their mission to make machines and processes safer, more reliable, and more efficient. Tagup’s AI software supports mission-critical logistics and industrial systems, and this role will ensure the technology can be delivered in regulated federal environments with the rigor customers require.

As a Security & Compliance Manager (ISSO / FSO), the individual will lead and mature Tagup’s security and compliance efforts across CMMC, ATO/FedRAMP, and facility security. This involves building on existing foundations to strengthen policies, procedures, controls, and documentation to support federal growth. It is a hands-on role for someone who can translate complex DoD requirements into practical implementation, drive execution with internal teams and external vendors, and own critical security documentation from end to end.

Requirements

  • Successful track record taking an organization, preferably a small company, through the entire process of building and achieving CMMC Level 2 certification. This means having built the certification framework, not just supported or inherited an existing one.
  • 4+ years of hands-on experience in DoD or defense contractor security and compliance, with direct ISSO experience on CUI or classified systems.
  • Deep working knowledge of CMMC Level 1 and Level 2, NIST SP 800-171, DFARS 252.204-7012 / 7019 / 7020, and the Risk Management Framework (RMF).
  • Demonstrated experience authoring and owning SSPs, POA&Ms, and SARs.
  • Familiarity with FedRAMP / ATO authorization processes and experience operating in or supporting IL4 / IL5 environments.
  • FSO experience or clear readiness to obtain FSO certification, with working knowledge of NISPOM (DoD 5220.22-M) and DCSA compliance requirements.
  • Ability to manage external compliance vendors by setting agendas, holding timelines, and translating their outputs into internal action.
  • A strong writer who can produce documentation external auditors depend on and executive briefings non-technical leadership can act on.
  • Comfortable with ambiguity. There is no playbook here; this role requires writing it.

Nice To Haves

  • Active security clearance
  • Previous experience leading an FCL application or serving as an FSO
  • Experience working in AWS GovCloud environments
  • Direct experience supporting ATO or FedRAMP authorizations
  • Experience building security and compliance programs in a startup or other fast-moving small company environment

Responsibilities

  • Build and mature Tagup’s security and compliance program, strengthening policies, procedures, and controls across the organization.
  • Own and drive Tagup’s CMMC Level 2 program end to end, building on work already underway by managing the full set of NIST SP 800-171 controls, preparing for third-party assessments with our C3PAO, and carrying the effort through compliance and certification.
  • Serve as Tagup’s Information System Security Officer (ISSO), owning the System Security Plan (SSP), managing POA&Ms and Security Assessment Reports (SARs), overseeing continuous monitoring, and ensuring CUI handling meets DFARS 252.204-7012 requirements.
  • Lead Tagup’s ATO and FedRAMP authorization efforts, managing documentation, evidence packages, and ongoing engagement with government authorizing officials.
  • Manage Tagup’s Facility Clearance License (FCL) application and, once issued, serve as Facility Security Officer (FSO) by administering personnel security clearances, SF-86 submissions, visit certifications, and all NISPOM compliance requirements.
  • Manage day-to-day relationships with supporting vendors, holding them accountable to timelines, deliverables, and scope.
  • Collaborate with engineering to ensure controls are properly implemented and maintained, including IL4/IL5 compliance policies, secrets management, access controls, and vulnerability management workflows.
  • Build and run internal security awareness training, policies, and procedures for all Tagup staff handling CUI or operating in controlled environments.
  • Monitor evolving DoD cybersecurity requirements including CMMC, DFARS, RMF, and DCSA, and translate their implications into concrete recommendations for leadership.

Benefits

  • competitive salary and benefits package
  • part-ownership for all team members through an Employee Stock Option Plan
  • comprehensive health insurance benefits
  • access to the company’s 401K plan
  • team-oriented work environment with regular company outings

What This Job Offers

  • Job Type: Full-time
  • Career Level: Manager
  • Education Level: No Education Listed
  • Number of Employees: 1-10 employees

© 2024 Teal Labs, Inc