Own and maintain the System Security Plan (SSP) and Plan of Action & Milestones (POA&M) for all CUI-scoped systems; always keep documentation audit-ready.
Assess all 110 NIST SP 800-171 requirements for implementation and effectiveness; map existing tooling and controls (Wazuh, ThreatDown, Tenable, ManageEngine, AD GPOs, SnipeIT) to the corresponding CMMC practices, identify gaps, and drive remediation.
Maintain the organizational risk register; support ongoing Risk Management Framework (RMF) processes and report risk posture to the CISO.
Lead preparation for CMMC Level 2 assessments — build evidence packages, coordinate with the C3PAO, and manage assessor requests and findings.
Develop and maintain cybersecurity policies, procedures, and standards aligned to CMMC, DFARS, SOC 2, and GDPR; ensure version control and staff acknowledgment records are maintained.
Define, track, and report security metrics and KPIs to the CISO and non-technical stakeholders including legal, contracts, and business development teams.
Support contract teams with DFARS clause requirements, cybersecurity representations, and customer security questionnaires.
Conduct vendor and third-party risk assessments; maintain supplier risk documentation.
Manage the security awareness training program and phishing simulations; maintain completion records per CMMC requirements.
Monitor the SIEM for security events and alerts relevant to CUI systems; write and tune detection rules; triage and escalate incidents; produce post-incident reports that include a compliance impact assessment. Use the aggregated audit logs as evidence for the CMMC Audit and Accountability (AU) requirements.
Monitor EDR alerts for CUI-scoped endpoints; investigate detections and coordinate response with IT.
Work with IT to ensure vulnerability findings are remediated within the organization-defined timeframes documented in the SSP (NIST SP 800-171 requires timely correction of flaws but does not prescribe fixed deadlines); track and report on remediation status.
Leverage MDM and Active Directory to enforce device compliance, GPO-based security baselines, and access control policies across CUI-scoped endpoints.
Use the asset inventory as the authoritative hardware/software asset register for CMMC system boundary documentation; keep it current and audit-ready.
Conduct periodic access control audits; enforce least-privilege across AD, SSO, and SaaS tooling handling CUI.
Requirements
3–6 years in cybersecurity with a strong GRC or compliance focus; prior ISSO experience or equivalent accountability preferred.
Deep, working knowledge of NIST SP 800-171 and DFARS 252.204-7012; able to assess, gap-analyze, and evidence all 110 requirements independently.
Demonstrated experience authoring SSPs and POA&Ms for government-facing or regulated environments.
Familiarity with the CMMC Level 2 assessment process and C3PAO engagement.
Hands-on experience with EDR and vulnerability scanning tools in a compliance context, including mapping tool outputs to NIST SP 800-171 requirements and generating assessor evidence.
Working knowledge of SOC 2 Type II and GDPR compliance requirements.