Security Analyst / ISSO

Lynk

$90K — $130K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 3-6 years in cybersecurity focusing on GRC or compliance; prior ISSO experience preferred.
  • In-depth knowledge of NIST SP 800-171 and DFARS 7012, able to assess all 110 controls independently.
  • Experience in authoring SSPs and POA&Ms for government-facing or regulated environments.
  • Familiarity with CMMC Level 2 assessment processes and C3PAO engagement.
  • Hands-on SIEM experience, including writing detection rules and generating compliance audit evidence.
  • Experience with EDR and vulnerability scanning tools; ability to map tool outputs to NIST controls.
  • Basic understanding of cloud security, preferably with AWS.

Responsibilities

  • Own and maintain SSP and POA&M documentation for CUI-scoped systems, ensuring audit readiness.
  • Assess and implement all 110 NIST SP 800-171 practices, identifying gaps and driving remediation.
  • Maintain the organizational risk register and report risk posture to the CISO.
  • Lead CMMC Level 2 assessment preparations, coordinating with C3PAO and managing findings.
  • Develop and maintain cybersecurity policies aligned with CMMC, DFARS, SOC 2, and GDPR.
  • Track and report security metrics and KPIs to the CISO and other stakeholders.
  • Conduct vendor risk assessments and manage the security awareness training program.

Benefits

  • Remote-first, US-based role providing a flexible work environment.
  • Direct access to CISO, allowing significant impact on compliance posture as the company grows.
  • Existing security toolset to mature, focusing on alignment rather than initial setup.
  • Learning and certification budget to further enhance your skills.
Full Job Description
Full-time • Chevy Chase, MD (Hybrid) • US-based • Senior level • Reports to CISO

US citizenship or Lawful Permanent Resident status required. This role involves access to Controlled Unclassified Information (CUI); no security clearance required.

Role Overview:

Reporting directly to the CISO, you'll own Lynk's cybersecurity compliance program across CMMC Level 2 / NIST SP 800-171, DFARS 7012, SOC 2 Type II, and GDPR. You'll be ISSO for CUI-scoped systems: authoring SSPs, maintaining POA&Ms, running control assessments, and leading C3PAO engagement. Lynk has a functioning security toolset in place including SIEM/log management, EDR, MDM, vulnerability management and IT asset management; your job is to mature and align that stack to CMMC requirements, not start from zero.

Responsibilities:

GRC & Compliance (primary)
  • Own and maintain the System Security Plan (SSP) and Plan of Action & Milestones (POA&M) for all CUI-scoped systems; always keep documentation audit-ready.
  • Assess all 110 NIST SP 800-171 practices for implementation and effectiveness; map existing controls (Wazuh, ThreatDown, Tenable, ManageEngine, AD GPOs, SnipeIT) to CMMC requirements, identify gaps, and drive remediation.
  • Maintain the organizational risk register; support ongoing Risk Management Framework (RMF) processes and report risk posture to the CISO.
  • Lead preparation for CMMC Level 2 assessments - build evidence packages, coordinate with the C3PAO, and manage assessor requests and findings.
  • Develop and maintain cybersecurity policies, procedures, and standards aligned to CMMC, DFARS, SOC 2, and GDPR; ensure version control and staff acknowledgment records are maintained.
  • Define, track, and report security metrics and KPIs to the CISO and non-technical stakeholders including legal, contracts, and business development teams.
  • Support contract teams with DFARS clause requirements, cybersecurity representations, and customer security questionnaires.
  • Conduct vendor and third-party risk assessments; maintain supplier risk documentation.
  • Manage the security awareness training program and phishing simulations; maintain completion records per CMMC requirements.

Security Operations (secondary)
  • Monitor SIEM for security events and alerts relevant to CUI systems; write and tune detection rules; triage and escalate incidents; produce post-incident reports with compliance impact assessment. Leverage audit log aggregation to satisfy CMMC AU (Audit & Accountability) control evidence requirements.
  • Monitor EDR alerts for CUI-scoped endpoints; investigate detections and coordinate response with IT.
  • Work with IT to ensure vulnerability findings are remediated within CMMC-required timeframes; track and report on remediation status.
  • Leverage MDM and Active Directory to enforce device compliance, GPO-based security baselines, and access control policies across CUI-scoped endpoints.
  • Use asset inventory as the authoritative hardware/software asset register for CMMC system boundary documentation; keep it current and audit-ready.
  • Conduct periodic access control audits; enforce least-privilege across AD, SSO, and SaaS tooling handling CUI.

Required Skills and Experience:
  • 3-6 years in cybersecurity with a strong GRC or compliance focus; prior ISSO experience or equivalent accountability preferred.
  • Deep, working knowledge of NIST SP 800-171 and DFARS 7012. Able to assess, gap-analyze, and evidence all 110 controls independently.
  • Demonstrated experience authoring SSPs and POA&Ms for government-facing or regulated environments.
  • Familiarity with the CMMC Level 2 assessment process and C3PAO engagement.
  • Hands-on SIEM experience: writing detection rules, querying logs, and generating compliance-grade audit evidence.
  • Hands-on experience with EDR and vulnerability scanning tools in a compliance context, including mapping tool outputs to NIST controls and generating assessor evidence.
  • Working knowledge of SOC 2 Type II and GDPR compliance requirements.
  • Some cloud security fundamentals (AWS preferred): IAM, CloudTrail, GuardDuty, access policies.
  • Clear, structured communicator. Equally comfortable writing formal policy documentation and briefing non-technical executives.
  • US citizenship or Lawful Permanent Resident status.

Nice to Have:
  • CMMC Registered Practitioner (RP) or Professional (CCP)
  • CISSP / CISM / Security+
  • RMF / ATO experience
  • FedRAMP familiarity
  • Space / satellite industry background
  • Telecom or critical infrastructure security
  • Prior C3PAO assessment experience
  • GRC platform experience (Vanta, Drata, Archer, ServiceNow)
  • Scripting in Python or Bash for evidence collection automation
  • Zero-trust architecture

What Lynk Offers:
  • Competitive salary and equity in a company building genuinely novel global infrastructure.
  • Remote-first, US-based role.
  • Direct line to the CISO; your work defines Lynk's compliance posture at a critical growth stage.
  • A functioning security toolset already in place. Your focus is maturing and aligning it, not standing it up from scratch.
  • Learning and certification budget.

ITAR Requirements

To comply with U.S. Government export control regulations (ITAR), applicants must be one of the following: (i) a U.S. citizen or national, (ii) a lawful permanent resident (green card holder), (iii) a refugee under 8 U.S.C. § 1157, or (iv) an asylee under 8 U.S.C. § 1158. Individuals who do not meet these criteria must be eligible to obtain the necessary authorizations from the U.S. Department of State. For more information, please refer to the ITAR guidelines.