All In Solutions
Information Technology & Services, Software Development, Web Development

Chief Information Security Officer

United States · Remote · Full Time · Chief / Executive · $180,000–$200,000 /yr · Posted 2 months ago


Role summary

AIS is seeking a Chief Information Security Officer (CISO) to lead its compliance initiatives, focusing on achieving CMMC Level 2 certification and FedRAMP authorization for its commercial software products. The ideal candidate will have extensive experience with CMMC, FedRAMP, and NIST frameworks, including authoring SSPs and POA&Ms. This role involves defining long-term security strategy, policies, and risk management in collaboration with CIO/CTO, making tooling decisions, and reporting to executive leadership. Responsibilities also include subcontractor risk management and hands-on execution across various security tasks. Requires 8-10+ years in information security, with 3-5 in a leadership role, and a CISSP or CISM certification.

About This Role

AIS is searching for a Chief Information Security Officer (CISO) to lead our compliance efforts. Ideally, we are in search of an individual who has been through the CMMC and FedRAMP assessment processes firsthand. We have an immediate need to complete CMMC Level 2 certification; this will be followed by an effort to complete the FedRAMP authorization of our commercial software products. We are looking for someone passionate about compliance and security who will assist in championing the broader cybersecurity posture of the company.

*What You’ll Be Doing*

CMMC Level 2 certification (immediate). Own the effort end-to-end: review and finalize the SSP and evidence packages, close remaining control gaps, manage our C3PAO relationship, and drive us to a successful assessment. Post-assessment, you will ensure ongoing process maintenance, staff engagement with the enclave, and execution of recurring tasks to sustain a CMMC-rated environment.

FedRAMP authorization (near-term). Lead the authorization of our commercial software product, in tandem with our development teams — strategy development (agency path, boundary scoping, timeline), 3PAO engagement, and coordination with product and engineering to ensure the security and compliance processes have been satisfied to FedRAMP levels.

Cyber security program ownership. In tandem with the CIO, CTO, and IT team, you will help define the long-term security strategy, policies, risk management framework, and cyber security operations. Make tooling decisions (GRC platform, SIEM, vulnerability management), set the roadmap and help build the team as we scale.

Executive communication. Report directly to executive leadership on security posture, compliance status, and risk. Translate technical security matters into business context that supports decision-making.

Subcontractor risk management. Champion the evaluation and oversight of subcontractor security posture, including flow down of CMMC, NIST 800-171, and DFARS requirements. Establish and maintain processes for assessing third-party compliance, managing risk across the supply chain, and ensuring subcontractors meet contractual and regulatory security obligations.

Hands-on execution. In a given week you may be reviewing POA&M progress, evaluating a vendor, responding to an incident, coordinating a risk assessment, or working with IT to develop requirements for system hardening plans. This role requires someone who thrives in that breadth.

*What You Bring*

Required:

· 8-10+ years in information security, with at least 3-5 in a senior or leadership role, spanning both technical and compliance work.

· Significant experience with CMMC Level 2 (or equivalent NIST 800-171) assessment processes. You are prepared to jump in quickly and take ownership of the effort end-to-end and serve as the primary point of contact for assessors and partners in the process.

· Led or been a primary contributor to a FedRAMP authorization. You understand the full lifecycle: readiness, package development, 3PAO assessment, continuous monitoring, significant change management.

· Deep knowledge of NIST SP 800-171, NIST SP 800-53, FISMA, and CMMC. Strong command of control families and how they map across frameworks.

· Experience authoring and defending SSPs, POA&Ms, and authorization packages in front of assessors.

· CISSP or CISM (active, in good standing).

· Cloud security experience — scoping and securing environments (AWS, Azure, or GCP) in a compliance context.

· U.S. citizenship and ability to obtain/maintain a government security clearance.

· Familiarity with DFARS 252.204-7012, 7019, 7020, 7021 and FAR security requirements, including flow down to subcontractors.

Preferred:

· Experience enhancing and maturing a security program at a small or mid-size company, not just maintaining one.

· Awareness of the NIST SP 800-171 r3 transition and its implications.

· Experience with StateRAMP, IL4/IL5, or other government authorization frameworks.

· Literacy in ITAR and EAR export control regulations and their intersection with cybersecurity and data handling requirements.

· Additional certifications: CCISO, CISA, CRISC, or CGRC.

· Hands-on experience with GRC platforms (RegScale, eMASS, OSCAL-based tooling).

· Background at a government contractor, GovTech, or defense tech company.

Pay: $180,000.00 - $200,000.00 per year

Benefits:

  • 401(k)
  • 401(k) matching
  • Dental insurance
  • Health insurance
  • Paid time off
  • Retirement plan
  • Vision insurance

Work Location: Remote
