Information System Security Officer (ISSO)
Location: Wall Township, NJ | Reports to: CISO | Clearance: U.S. Person required; ability to obtain Public Trust preferred
About the Role
911inform is seeking an Information System Security Officer (ISSO) to serve as the day-to-day security steward of our FedRAMP Moderate authorized SaaS platform. The ISSO is the hands-on owner of the System Security Plan (SSP), continuous monitoring (ConMon), POA&M management, and audit evidence collection across our AWS GovCloud and Commercial environments. This role is ideal for a detail-oriented security practitioner who thrives in compliance-driven operations and enjoys turning controls into working processes.
Key Responsibilities
System Security Plan (SSP) Ownership — Maintain and update the FedRAMP Moderate SSP, including all narrative sections, appendices (cryptographic modules, ports/protocols, interconnections), and supporting attachments.
Continuous Monitoring (ConMon) — Execute monthly ConMon deliverables: vulnerability scan reports (Tenable), POA&M updates, inventory reconciliation, and significant change requests.
POA&M Management — Track, prioritize, and drive remediation of findings to closure; coordinate with engineering and IT to meet FedRAMP timelines (30/90/180 days by severity).
Audit Evidence Collection — Package and submit evidence for FedRAMP, SOC 2 Type II, and ISO 27001 audits; maintain Vanta and SharePoint-based evidence libraries.
Access Reviews — Conduct quarterly access reviews across AWS (Commercial + GovCloud), M365 GCC, MongoDB Atlas for Government, CrowdStrike, Tenable, Action1, Jira, and other in-boundary systems.
Vulnerability & Endpoint Oversight — Monitor Tenable Nessus, CrowdStrike Falcon, and Action1 coverage; investigate agent reporting gaps and orphaned endpoints.
Incident Response Support — Maintain the IR Plan, support tabletop exercises, complete Appendix B incident collection forms, and assist in real-world investigations (e.g., supply chain events).
Policy & Procedure Maintenance — Keep Access Control, Privileged Access, Data Management, Incident Response, Secure SDLC, and Third-Party Management policies current and audit-ready.
Third-Party / Vendor Risk — Onboard new vendors, review DPAs/SLAs/SOC 2 reports, maintain the vendor risk register, and route critical-risk acceptances to the CFO per policy.
Control Implementation Support — Partner with engineering on NIST 800-53 Rev. 5 control implementation, particularly AC, AU, CM, CP, IR, RA, SC, and SI families.
Required Qualifications
3–5+ years in information security, compliance, or GRC roles.
Working knowledge of NIST 800-53 Rev. 5, FedRAMP Moderate, SOC 2, and ISO 27001.
Hands-on experience with AWS (GovCloud a plus), Microsoft 365 (GCC a plus), and at least one EDR/VM platform (CrowdStrike, Tenable, Defender).
Experience writing and maintaining SSPs, POA&Ms, and audit evidence.
Strong written communication — able to produce audit-ready narratives and executive summaries.
Preferred Qualifications
CISSP, CISA, CAP, CCSP, Security+, or equivalent.
Prior experience supporting a FedRAMP authorization or 3PAO assessment.
Familiarity with Vanta, Drata, or similar GRC automation tools.
Background in public safety, 9-1-1, telecom, or critical infrastructure SaaS.
Work Location: In person