This is a hybrid position that requires someone based in Minneapolis/St. Paul OR Washington DC who can work in-office 3+ days per week.

Your Impact:
As our ISSO, you won't be maintaining compliance for its own sake - you'll be the person who keeps classified and CUI-adjacent systems authorized, hardened, and audit-ready so our engineers can do the work that matters. You'll own the RMF lifecycle end-to-end, interface directly with government AOs and SCA teams, and help build a security program that scales with a fast-moving defense tech company. If you want your ISSO work to feel consequential rather than administrative, this is the role.
What You'll Do:
- Own end-to-end eMASS package lifecycle for one or more information systems - from initial system categorization through ATO maintenance and continuous monitoring
- Develop, maintain, and update all RMF Body of Evidence artifacts: SSPs, SARs, RAR, POA&Ms, ConMon plans, and control implementation statements aligned to NIST SP 800-53 Rev 5
- Coordinate with System Owners, ISSMs, SAs, and government stakeholders (AOs, SCAs, CORs) to ensure authorization packages remain current and accurate
- Execute continuous monitoring activities including vulnerability scan analysis (ACAS/Nessus), STIG review and validation via STIG Viewer/SCAP, and security log auditing
- Conduct and document security impact analyses (SIAs) for proposed system changes; represent security equities at Configuration Control Board (CCB) proceedings
- Track POA&M findings through remediation closure, providing fix actions and compensating controls where applicable
- Support JSIG, DCSA, and/or DoD SCA assessment activities including artifact readiness reviews, evidence collection, and assessor coordination
- Provide cybersecurity guidance to system administrators, developers, and program staff to promote compliant, secure operations throughout the system lifecycle
You Should Have:
- Active Secret or TS/SCI clearance
- 4+ years of hands-on ISSO or IA experience in a DoD or IC environment
- Demonstrated eMASS proficiency - end-to-end package management including artifact upload, milestone tracking, control inheritance documentation, and ATO submission
- Deep working knowledge of NIST SP 800-53 Rev 5, DoDI 8510.01, and the seven-step RMF process
- Experience preparing and defending authorization packages through government assessment and authorization cycles
- Hands-on familiarity with ACAS (Tenable/Nessus), STIG Viewer, and SCAP Compliance Checker
- DoD 8570/8140 IAM Level II or III certification (CISSP, CISM, CASP+, or equivalent)
- Strong technical writing skills - you write SSP control implementation statements that satisfy assessors, not just fill boxes
Bonus if you have:
- Experience with Air Force, Army, or SOCOM RMF programs including service-specific overlays and supplemental directives (AFI 17-101, AR 25-2, JSIG)
- Familiarity with cATO or Fast Track ATO processes
- Cloud security experience (AWS GovCloud, Azure Government) and FedRAMP control mapping
- Experience with CMMC Level 2/3 compliance in a DIB environment
- Working knowledge of Xacta, ServiceNow GRC, or other RMF automation platforms as eMASS adjacents
- Background as a sysadmin, network engineer, or security engineer - people who've touched the technical layer write better controls
- Offensive security background or familiarity with adversary TTPs (enhances risk-based thinking in control selection and POA&M prioritization)