About This Role
AIS is searching for a Chief Information Security Officer (CISO) to lead our compliance efforts. Ideally, we are in search of an individual who has been through the CMMC and FedRAMP assessment processes firsthand. We have an immediate need to complete CMMC Level 2 certification; this will be followed by an effort to complete the FedRAMP authorization of our commercial software products. We are looking for someone passionate about compliance and security who will assist in championing the broader cybersecurity posture of the company.
What You’ll Be Doing
CMMC Level 2 Certification (Immediate)
Own the effort end-to-end: review and finalize the SSP and evidence packages, close remaining control gaps, manage our C3PAO relationship, and drive us to a successful assessment. Post-assessment, you will ensure ongoing process maintenance, staff engagement with the enclave, and execution of recurring tasks to sustain a CMMC-rated environment.
FedRAMP Authorization (Near-Term)
Lead the authorization of our commercial software product, in tandem with our development teams — strategy development (agency path, boundary scoping, timeline), 3PAO engagement, and coordination with product and engineering to ensure the security and compliance processes have been satisfied to FedRAMP levels.
Cybersecurity Program Ownership
In tandem with the CIO, CTO, and IT team, you will help define the long-term security strategy, policies, risk management framework, and cybersecurity operations. Make tooling decisions (GRC platform, SIEM, vulnerability management), set the roadmap, and help build the team as we scale.
Executive Communication
Report directly to executive leadership on security posture, compliance status, and risk. Translate technical security matters into business context that supports decision-making.
Subcontractor Risk Management
Champion the evaluation and oversight of subcontractor security posture, including flow-down of CMMC, NIST 800-171, and DFARS requirements. Establish and maintain processes for assessing third-party compliance, managing risk across the supply chain, and ensuring subcontractors meet contractual and regulatory security obligations.
Hands-On Execution
In a given week you may be reviewing POA&M progress, evaluating a vendor, responding to an incident, coordinating a risk assessment, or working with IT to develop requirements for system hardening plans. This role requires someone who thrives in that breadth.
What You Bring
Required
- 8-10+ years in information security, with at least 3-5 in a senior or leadership role, spanning both technical and compliance work.
- Significant experience with CMMC Level 2 (or equivalent NIST 800-171) assessment processes. You are prepared to jump in quickly and take ownership of the effort end-to-end and serve as the primary point of contact for assessors and partners in the process.
- Led or been a primary contributor to a FedRAMP authorization. You understand the full lifecycle: readiness, package development, 3PAO assessment, continuous monitoring, significant change management.
- Deep knowledge of NIST SP 800-171, NIST SP 800-53, FISMA, and CMMC. Strong command of control families and how they map across frameworks.
- Experience authoring and defending SSPs, POA&Ms, and authorization packages in front of assessors.
- CISSP or CISM (active, in good standing).
- Cloud security experience — scoping and securing environments (AWS, Azure, or GCP) in a compliance context.
- U.S. citizenship and ability to obtain/maintain a government security clearance.
- Familiarity with DFARS 252.204-7012, 7019, 7020, and 7021 and FAR security requirements, including flow-down to subcontractors.
Preferred
- Experience enhancing and maturing a security program at a small or mid-size company, not just maintaining one.
- Awareness of the NIST SP 800-171 r3 transition and its implications.
- Experience with StateRAMP, IL4/IL5, or other government authorization frameworks.
- Literacy in ITAR and EAR export control regulations and their intersection with cybersecurity and data handling requirements.
- Additional certifications: CCISO, CISA, CRISC, or CGRC.
- Hands-on experience with GRC platforms (RegScale, eMASS, OSCAL-based tooling).
- Background at a government contractor, GovTech, or defense tech company.