Responsibilities:
- Own the FedRAMP/DoD RMF authorization lifecycle for assigned systems (strategy → authorization → continuous monitoring → ATO maintenance).
- Define and maintain the FedRAMP program governance model, roles & responsibilities (including Sponsor/Authorizing Official interactions).
- Create, own, maintain, and version-control the System Security Plan (SSP), Security Assessment Report (SAR), continuous monitoring (ConMon) artifacts, POA&Ms, SSP annexes, and all ATO package deliverables.
- Build and run the ConMon program: define telemetry requirements, dashboards, vulnerability ingestion, thresholds, incident feed, and reporting cadence.
- Triage vulnerabilities, manage POA&Ms (track remediation owners, dates, residual risk), and ensure POA&M closure meets customer and FedRAMP expectations.
- Lead the selection, engagement, and technical coordination with 3PAOs and any external assessors. Ensure assessments, testing, and SAR content are accurate and timely.
- Evaluate security impact for architectural or operational changes (Security Impact Analysis), own risk acceptance processes, and coordinate Risk Acceptance with Sponsors/Authorizing Officials.
- Integrate change control with the ConMon program to ensure authorized/approved changes are documented and do not break control baselines.
- Act as the primary internal liaison across Product, Engineering, DevOps, Security, Sales, Legal, and Marketing for anything impacting the FedRAMP posture and ATO timelines. Drive working groups and weekly syncs.
- Support pre-sales and customer conversations on FedRAMP posture and timelines alongside Sales; maintain the relationship with the government Sponsor/Authorizing Official and the FedRAMP PMO as required.
- Build and manage program timelines (Gantt), identify and mitigate schedule risk, report status to Management and stakeholders, and maintain an issues/risk register for the authorization lifecycle.
- Develop/update policies, control implementations, and procedures to ensure alignment with the current FedRAMP revision guidance, NIST SP 800-53/800-37/800-137, and DoD RMF as applicable.
- Provide training for engineers, product managers, and GRC teams on FedRAMP requirements, evidence collection, secure configuration baselines, and artifacts expectations.
- Coordinate security incidents affecting FedRAMP-scope systems into the ConMon program and ensure incident reporting/lessons learned are reflected in POA&Ms and governance.
- Capture lessons learned from audits and assessments, refine processes, and drive automation of evidence collection and control attestations to scale the program.
Requirements:
- 8+ years of experience in information systems security, with a focus on compliance with NIST and DoD guidelines.
- In-depth knowledge of FedRAMP, NIST SP 800-37, NIST SP 800-53, and DoD 8510.01 policies and procedures.
- Strong technical writing skills for developing SOPs, work instructions, and senior-level briefs. Proficient in risk and vulnerability assessment, security infrastructure design, and continuous monitoring.
- Prior experience obtaining a FedRAMP ATO.
What We Do
Docebo is redefining the way enterprises leverage technology to create and manage content, deliver training, and understand the business impact of their learning experiences. With Docebo’s multi-product learning suite, enterprises around the world are equipped to tackle any learning challenge and create a successful learning culture within their organization.
Why Work With Us
Here at Docebo, we power learning experiences for over 3000 customers around the world with our easy-to-use, AI-powered Suite. We have successfully achieved 2 IPOs (TSX: DCBO & NASDAQ: DCBO), been recognized as a Top SaaS e-learning Solution, and are growing exponentially in the process.