Information System Security Manager

Position Summary

We are seeking a highly skilled and self-directed Information System Security Manager (ISSM) to serve as the cybersecurity authority for an organization of approximately 600 employees. This individual will function as the ISSM/ISSO, collaborating with respective teams on the full lifecycle of information system security - from daily operational execution to long-term strategic planning and enterprise risk management.

The organization handles Controlled Unclassified Information (CUI) as its primary data classification, with additional responsibilities for ITAR and EAR regulated data, and a long-term trajectory to extend operations into classified environments. The successful candidate will build, maintain, and mature the cybersecurity program across all of these domains.

This is a leadership-level individual contributor role with significant organizational visibility and autonomy.

DoD 8140 / DCWF Alignment
This position maps to the DCWF Work Role 722 - Information Systems Security Manager within the Oversee and Govern (OV) category, Cybersecurity Management specialty area. Candidates must meet or be prepared to meet the following DoD 8140.03 qualification requirements.

Key Responsibilities

Operational Security

• Serve as the single ISSM/ISSO for the organization; own system authorization, continuous monitoring, and Plan of Action & Milestones (POA&M) management across all information systems.

• Implement, assess, and maintain security controls aligned with NIST SP 800-53 (Rev.5), NIST SP 800-171, and CMMC Level 2+ requirements.

• Harden endpoints, servers, and network infrastructure using DISA STIGs and CIS Benchmarks; manage deviation requests and document compensating controls.

• Conduct and coordinate vulnerability scanning, remediation tracking, audit log reviews, and incident response activities.

• Manage and maintain System Security Plans (SSPs), security assessment reports, risk assessments, and all authorization artifacts.

• Monitor security tooling (SIEM, vulnerability scanners, endpoint protection, DLP) and ensure operational effectiveness.

• Execute ongoing continuous monitoring activities consistent with NIST SP 800-137 and organizational CONMON strategies.

Strategic & Program-Level

• Develop and drive the organization's multi-year cybersecurity strategy and roadmap, including CMMC certification readiness, classified environment standup, and CUI protection program maturity.

• Author, review, and maintain cybersecurity policies, standards, and procedures aligned with federal regulations.

• Provide cybersecurity risk assessments and recommendations to senior leadership; translate technical risk into business impact.

• Lead the organization through CMMC assessment preparation and serve as the primary point of contact for C3PAO assessors and DIBCAC reviews.

• Plan and oversee the transition from CUI-only operations to classified processing capability, including infrastructure design and policy development.

• Develop and deliver cybersecurity awareness training for all 600+ employees, including role-based training for privileged users and executives.

• Manage relationships with external auditors, assessors, government customers, and regulatory bodies.

Required Qualifications

Education & Experience

• Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related discipline. Equivalent combination of education, certifications, and direct experience will be considered.

• 7+ years of progressive experience in information security, with at least 3 years in an ISSM or senior-level ISSO role.

• Demonstrated experience operating as a sole security practitioner or leading security functions with minimal oversight.

Technical Knowledge - Required

• Policy Development: Demonstrated ability to author clear, enforceable security policies and communicate them effectively to technical and non-technical audiences.

• NIST SP 800-53 (Rev.5): Deep knowledge of control families; ability to select, implement, assess, and monitor controls for moderate-to-high baseline systems.

• NIST SP 800-171 / CMMC: Hands-on experience implementing the 110 CUI security requirements and preparing an organization for CMMC Level 2 assessment.

• DISA STIGs: Proficiency in applying, scanning for, and validating STIG compliance across Windows, Linux, network, and application platforms using STIG Viewer, SCAP tools, or equivalent.

• CIS Benchmarks: Experience applying CIS hardening standards and using CIS-CAT or equivalent assessment tooling to validate compliance.

• Risk Management Framework (RMF): End-to-end experience with NIST RMF (SP 800-37) system authorization lifecycle - categorize, select, implement, assess, authorize, monitor.

• CUI Program Management: Experience building or maturing a CUI protection program, including marking, handling, dissemination, storage, destruction, and incident reporting.

• ITAR / EAR: Working knowledge of export control regulations and their intersection with cybersecurity requirements (access control, data segregation, technology control plans).

• Security Tooling: Practical experience with SIEM platforms, vulnerability management tools (Tenable, Rapid7, or equivalent), endpoint detection and response (EDR), and data loss prevention (DLP).

• Incident Response: Experience developing and executing incident response plans, conducting preliminary investigations, and coordinating reporting to DISA, DC3, or sponsoring agency.

Preferred Qualifications

• Provide subject matter expertise in physical security controls in coordination with or in support of the Facility Security Officer (FSO).

• Advise on and oversee TEMPEST countermeasures, shielding requirements, and inspections for facilities processing sensitive or classified information.

• Support implementation of physical access controls, visitor management, alarm systems, and closed area / restricted area requirements.

• Participate in facility accreditation activities and self-inspections.

Preferred Certifications

The following certifications satisfy DoD 8140.03 requirements for DCWF Work Role 722 and are strongly preferred:

CISSP - Certified Information Systems Security Professional

CISM - Certified Information Security Manager

*This position may require U.S. Citizenship or Permanent Residency status in the future depending on federal requirements.*