• Engineer technical vulnerability risk solutions that reduce operational, cyber, and resilience risk through architecture, automation, and control design. • Translate vulnerability risk requirements, policies, and standards into implementable technical patterns, guardrails, and reference architectures. • Prioritize and influence solution design decisions based on risk impact, blast radius, and recovery dependencies. • Partner with platform, cloud, security, and SRE teams to embed risk controls directly into infrastructure and pipelines. • Evaluate control effectiveness using technical signals and evidence, not just procedural compliance. • Support initiatives such as vulnerability discovery, exposure analysis, remediation workflow design, secure cloud architectures, isolated recovery environments, identity and access hardening, and infrastructure resilience. • Provide technical guidance on risk tradeoffs, recovery sequencing, and dependency-aware system design. • Work across broad vulnerability management capabilities, including scanners, asset and exposure data sources, prioritization models, remediation tracking platforms, exception workflows, and executive risk reporting.

• Foster information security practices and procedures across the organization • Research, analyze, and formulate recommendations for technologies, products, and solutions to enable business • Provide technical inputs, system security controls, evaluate and recommend new and emerging security products and technologies • Work with engineering teams to threat model technical designs and implementation of solutions • Act as a subject matter expert and partner with other engineers to select appropriate security controls • Further mature and maintain vulnerability management processes and metrics • Assist with a variety of risk assessments • Assist with vendor risk assessments, and provide customer assurance • Other duties as assigned

• Own and drive the compliance roadmap inside the Secfix platform across different compliance frameworks (ISO 27001, TISAX, SOC 2, GDPR, NIS 2, DORA, ISO 27017/27018, ISO 42001, C5, and more as we expand) • Implement ISO 27001 and adjacent frameworks end-to-end for customers • Mentor and upskill the compliance team: sharing expertise, reviewing work, and helping drive consistency in audits and customer deliverables • Conduct internal audits directly for strategic and complex customers, and review the internal audits performed by junior team members to drive quality and consistency • Act as a compliance partner to CSMs and sales reps: fast, reliable support for customer questions, and joining customer calls when deep expertise is needed • Own the quality of compliance content in the platform (including creating policies, evidence templates, Compliance enable playbooks for our CSMs, security awareness trainings and more) • Close framework gaps and incorporate auditor feedback into both team practice and platform improvements • Partner with product and engineering to translate compliance gaps into structured product work • Collaborate closely with CS, Product, and Founders to align compliance, customer, and roadmap priorities • Deepen relationships with our existing certification partners and train auditors on the Secfix platform so they can confidently use it during customer audits

Role Description GovCIO is currently hiring for an Information Systems Security Officer (ISSO) to support our client’s contract needs. The ISSO ensures the confidentiality, integrity, and availability of HUD information systems by executing the NIST Risk Management Framework (RMF), supporting system authorization activities, conducting continuous monitoring, and coordinating remediation efforts with system owners and technical teams. Key responsibilities include: - Support and execute all phases of the NIST SP 800-37 RMF lifecycle including categorization, control selection, implementation, assessment, authorization, and continuous monitoring. - Develop, maintain, and update RMF documentation in JCAM including System Security Plans, Security Assessment Plans, Security Assessment Reports, POA&Ms, Configuration Management Plans, Contingency Plans, Incident Response Plans, Risk Assessment documentation, and interconnection documents. - Establish system impact levels following FIPS 199 for confidentiality, integrity, and availability. - Ensure systems comply with FISMA, NIST SP 800-53 Rev 5, OMB A-130, and applicable agency cybersecurity policies. - Prepare and maintain Body of Evidence materials and control traceability documentation in JCAM. - Support Authorization to Operate (ATO), Authority to Connect (ATC), and ongoing authorization activities; maintain associated documentation in JCAM. - Review and analyze vulnerability scan results using Tenable Security Center. - Validate asset inventories and correlate system information. - Validate secure configuration baselines and system hardening standards. - Track remediation activities and ensure POA&M items and milestones are created, updated, and closed on schedule. - Review endpoint security posture and support investigations by correlating endpoint findings with vulnerability, configuration, and CDM data. - Provide security reporting, dashboards, and status updates to system owners and leadership. - Support configuration management processes by reviewing and assessing change requests for security impact. - Ensure security controls are implemented correctly during system changes, upgrades, or new deployments. - Stay informed on emerging cybersecurity policies, standards, and threat landscapes; provide recommendations for improving security posture. - Collaborate with technical and non-technical personnel to review systems, gather evidence, and communicate security requirements. Qualifications - Bachelor’s degree in IT, Cybersecurity, Computer Science, or related field (or equivalent experience) with 5-8+ years or (commensurate experience). Requirements - 2–3 years in an ISSO or cybersecurity compliance role supporting RMF process. - Strong understanding of NIST 800-53 controls and assessment procedures. - Experience collecting, developing and maintaining RMF artifacts. - Experience managing POA&Ms and documenting remediation efforts. - Experience reviewing, interpreting, or validating vulnerability and configuration findings. - Clearance Required: Ability to obtain and maintain a HUD Public Trust clearance. Preferred Qualifications - CISSP, CISM, or similar advanced certification. - Experience supporting federal authorization packages. - Familiarity with CDM reporting and continuous monitoring processes. - Experience supporting secure development or cloud system reviews. Posted Salary Range USD $90,000.00 - USD $110,000.00 /Yr.