Senior Information System Security Officer
Role details
Job location
Tech stack
Job description
The Senior Information System Security Officer (Sr. ISSO) leads the enterprise-wide cybersecurity Governance, Risk, and Compliance (GRC) Risk Management Framework (RMF) and Assessment and Authorization (A&A) initiatives across high-security federal cloud and DoD environments. The Sr. ISSO oversees the Certification(s) and Authorization(s) process across multi-framework pipelines, including but not limited to FedRAMP, DoD Impact Levels (IL4/IL5), SOC 2 Type II, and CMMC Levels 1, 2, and 3.
The Sr. ISSO will lead compliance initiatives from planning through assessment, manage ongoing risk and Continuous Monitoring (ConMon) activities, support audit engagements, and help mature ARRO's GRC program. The Sr. ISSO combines deep knowledge of regulatory and cybersecurity frameworks with practical experience translating compliance requirements into operational security capabilities within cloud-based environments.
As a security documentation technical writer and compliance strategist, the Sr. ISSO translates complex cloud engineering architecture(s) into clear, audit-ready documentation, security artifacts, Standard Operating Procedures (SOPs), policies and procedures. The Sr. ISSO specializes in the deep interpretation of complex security controls (NIST SP 800-53, NIST SP 800-171, FedRAMP Ruleset(s) / Security Indicators, DoD Cloud Computing Security Requirements Guide (CC SRG), and SOC 2 Trust Services Criteria). This position oversees the authoring of robust security control implementation statements that accurately reflect the system's security posture while ensuring continuous audit readiness and Body-of-Evidence (BoE)., ATO Readiness & Compliance Leadership
-
Lead FedRAMP certification readiness and ongoing compliance activities, including security documentation, control validation, evidence collection, gap remediation, and assessment preparation.
-
Lead DoD authorization readiness and ongoing compliance activities, including security documentation, control validation, evidence collection, gap remediation, and assessment preparation.
-
Develop and maintain authorization artifacts (e.g., SSPs, POA&Ms, Control Implementation Statements, Continuous Monitoring deliverables) supporting FedRAMP, DoD, SOC 2, and CMMC programs.
-
Coordinate audits, readiness reviews, and third-party assessments while serving as the primary liaison among internal stakeholders, assessors, auditors, consultants, customers, and government representatives.
-
Track compliance objectives, remediation efforts, and regulatory changes to ensure organizational readiness and alignment.
-
Partner with Engineering and DevOps teams to implement and maintain compliant cloud environments as the application Cloud Service Provider (CSP) ISSO.
Governance, Policy, & Control Implementation
-
Develop, maintain, and enhance security policies, standards, procedures, and governance documentation aligned with regulatory, contractual, and business requirements.
-
Ensure security controls are effectively designed, implemented, documented, and monitored across cloud and corporate environments.
-
Translate compliance requirements into operational controls while optimizing control mappings across FedRAMP, DoD SRG, NIST SP 800-53, SOC 2, CMMC and related frameworks.
-
Maintain compliance evidence, control inventories, governance artifacts, and support third-party risk management activities.
Risk Management & Continuous Monitoring
-
Lead risk assessment, risk treatment, and risk reporting activities, including maintenance of organizational risk registers.
-
Manage vulnerability management, POA&M oversight, corrective action tracking, and remediation validation efforts.
-
Oversee continuous monitoring activities across the cloud environments as the Cloud Service Provider (CSP) ISSO, including security monitoring, logging, configuration compliance, vulnerability management, and incident response support.
-
Evaluate security exceptions, risk acceptance requests, and corrective actions to ensure effective risk management and compliance.
Cross-Functional Collaboration & Stakeholder Alignment
-
Collaborate with GRC Information System Security Engineers (ISSE), System Engineering, Product, DevOps, Cloud Operations, IT, Legal, and business stakeholders to integrate security and compliance requirements into organizational processes and technology solutions.
-
Facilitate governance forums, compliance working groups, and audit activities while providing guidance on security frameworks and control implementation.
-
Communicate compliance status, risks, remediation priorities, and program performance to leadership, customers, and external stakeholders.
Program Maturity & Process Improvement
-
Drive continuous improvement initiatives that enhance security governance, compliance operations, audit readiness, and organizational resilience.
-
Develop metrics, dashboards, and reporting capabilities to measure program effectiveness and support executive decision-making.
-
Identify opportunities to automate GRC, evidence collection, risk management, and continuous monitoring processes.
-
Establish scalable, repeatable processes supporting FedRAMP / DoD Continuous Monitoring, SOC 2 assessments, and CMMC sustainment.
-
Contribute to the strategic evolution of ARRO's security, risk, and compliance programs while serving as deputy to the Director of GRC when required., * A Program Owner: You take ownership, drive accountability, and deliver measurable outcomes across complex compliance and security initiatives.
-
A Builder: You create scalable processes, controls, and governance structures that work in real-world cloud and operational environments.
-
A Partner: You build trusted relationships across Engineering, Product, Operations, and Leadership, influencing outcomes without relying on formal authority.
-
A Translator: You turn regulatory and framework requirements into practical, actionable solutions that enable the business while reducing risk.
-
A Problem Solver: You view compliance as a strategic business capability, continuously improving programs rather than simply maintaining documentation.
-
A Leader: You lead through expertise, initiative, and collaboration, helping mature security programs and mentoring others along the way., As a Senior Information System Security Officer, you'll play a critical role in safeguarding the systems and data that support those missions. Your work will directly contribute to establishing and maintaining the trust of our customers, partners, and government stakeholders through the successful implementation of FedRAMP, SOC 2, and CMMC programs.
If you're passionate about building mature security programs, driving compliance excellence, and enabling technology that makes a real-world impact, ARRO offers the opportunity to help shape the future of a growing mission-focused organization.
Requirements
-
Bachelor's degree in Cybersecurity, Information Systems, Computer Science, Information Assurance, Risk Management, or a related field; equivalent experience may be substituted.
-
7+ years of experience in Information Security, Governance, Risk, and Compliance (GRC), Information Assurance, or related disciplines.
-
Direct experience supporting FedRAMP Ready, FedRAMP Moderate (Class C) /High (Class D) authorizations, Agency ATOs, and FedRAMP Continuous Monitoring programs.
-
Demonstrated experience supporting security and compliance programs based on FedRAMP, DOD SRG, NIST SP 800-53, NIST SP 800-171, SOC 2, CMMC, ISO 27001, or similar frameworks.
-
Demonstrated experience leading or materially contributing to a FedRAMP certifiaction, DoD / Agency ATO, SOC 2 Type II audit, CMMC certification, or comparable regulatory compliance initiative.
-
Experience developing and maintaining security documentation and authorization artifacts, including SSPs, POA&Ms, policies, procedures, risk assessments, and control implementation statements.
-
Strong knowledge of the NIST SP 800-37 Rev. 2.0 Risk Management Framework (RMF), security control implementation, continuous monitoring, vulnerability management, and risk assessment methodologies.
-
Experience supporting security and compliance programs within cloud environments as a Cloud Service Provider (CSP), preferably within Microsoft Azure, Azure Government, Microsoft 365 GCC/GCC High, AWS, or Google Cloud Platform.
-
Working knowledge of cloud security technologies and services, including identity and access management, logging and monitoring, security operations, configuration management, and cloud-native security controls (e.g., Microsoft Entra ID, Azure Policy, Microsoft Defender, Microsoft Sentinel, Key Vault, and Azure Monitor).
-
Proven ability to collaborate effectively with technical and non-technical stakeholders and communicate compliance, security, and risk-related information to executive leadership.
Preferred
-
Experience implementing and assessing security controls within SaaS, cloud-native, or hybrid-cloud environments.
-
Experience supporting SOC 2 Type II audits, CMMC Level 2 certification efforts, and other regulated compliance programs.
-
Experience with GRC and compliance automation platforms such as Drata, Vanta, Secureframe, AuditBoard, eMASS, or ServiceNow GRC.
-
Experience developing security metrics, executive dashboards, and compliance reporting.
-
Experience supporting penetration testing, remediation management, and vulnerability management programs.
-
Prior experience within a GovTech, federal contractor, defense contractor, federal agency, or highly regulated environment., * One or more of the following: Security+, CISSP, CISM, CGRC (formerly CAP), or CCSP.
Preferred certifications include:
-
FedRAMP-specific experience or training
-
AWS Certified Security - Specialty
-
Microsoft Azure Security Engineer Associate (AZ-500)
-
Certified Cloud Security Professional (CCSP)
-
Certified Internal Auditor (CIA)
-
Certified Information Systems Auditor (CISA)