Virtual Chief Information Security Officer

Executech
Flagstaff, AZ
Overview

We are a managed service provider specializing in Department of Defense contractor environments and CMMC 2.0 compliance. The vCISO will lead client security programs end-to-end, aligning cybersecurity strategy with CMMC requirements (Levels 1–3), NIST SP 800-171/172, and DFARS 252.204-7012. This role is responsible for designing and governing right-sized security programs for small to mid-sized organizations handling FCI and CUI, ensuring audit readiness, measurable risk reduction, and sustainable compliance.

Key Responsibilities
  • Program Leadership and Governance
    • Serve as the executive security leader for multiple client accounts; establish governance, KPIs, and roadmaps aligned to CMMC and business objectives.
    • Chair client security steering meetings and deliver QBRs, risk reports, and executive briefings.
  • CMMC Strategy and Readiness
    • Perform gap assessments against CMMC 2.0 practices and processes; produce SSPs, POA&Ms, and remediation plans.
    • Guide clients through SPRS scoring, readiness for C3PAO assessments, and ongoing compliance maintenance.
    • Advise on CUI data lifecycle, scoping and boundary definition, enclave strategies, and inheritance from MSP/MSSP services.
  • Risk Management and Policy Framework
    • Build and maintain risk registers; conduct risk assessments and business impact analyses.
    • Author and maintain policy, standards, and procedures mapped to CMMC, NIST SP 800-171, and applicable customer contracts.
  • Security Architecture and Controls Implementation
    • Design pragmatic control architectures for SMB environments leveraging Microsoft 365 (E5), Azure AD/Entra, Intune, Defender, Sentinel, and GCC High where appropriate.
    • Oversee implementation of access control, logging/monitoring, vulnerability management, patching, backup/restore, DLP, email security, endpoint hardening, and zero trust principles aligned to CMMC practices.
  • Incident Preparedness and Response
    • Establish IR plans/playbooks, conduct tabletop exercises, and coordinate response with clients and MSP/MSSP partners.
    • Ensure DFARS 252.204-7012 cyber incident reporting readiness and evidence collection procedures.
  • Audit and Evidence Management
    • Build evidence catalogs and objective artifacts mapped to CMMC assessment objectives.
    • Coordinate internal readiness reviews and act as liaison with C3PAOs, RPOs, and assessors.
  • Third-Party and Supply Chain
    • Assess and manage third-party risks, flow-down requirements, and subcontractor compliance related to CUI handling.
  • Client Advisory and Enablement
    • Educate executives and technical teams on CMMC nuances, including scoping pitfalls, inheritance, assessment objectives, and sustainment.
    • Develop program budgets, roadmaps, and SOWs; prioritize remediation to maximize SPRS score improvements and audit outcomes.
Qualifications
  • 7+ years in cybersecurity with 3+ years in a CISO, vCISO, or senior security leadership capacity serving multiple clients.
  • Proven, hands-on experience building and sustaining CMMC 2.0 and NIST SP 800-171-aligned programs, including SSP/POA&M development, evidence management, and audit readiness.
  • Deep understanding of CMMC 2.0 levels, domains/practices, assessment objectives, and the DoD ecosystem (C3PAO process, RPO role, SPRS, eMASS concepts).
  • Demonstrated success leading security programs in SMB/manufacturing/DoD supplier environments handling FCI/CUI and DFARS 252.204-7012 requirements.
  • Bachelor’s degree in Information Security, Computer Science, or related field; equivalent experience considered.
  • Relevant certifications strongly preferred:
    • CISSP, CISM, CCISO, or CISA
    • CMMC-focused credentials such as CCP, RP, or CCA
    • Additional: ISO 27001 Lead Implementer/Auditor, CEH, GCCC/GCIH/GCLD (nice to have)
  • U.S. citizenship required; ability to work with ITAR/EAR-restricted information. Security clearance a plus but not required.
  • Consulting/MSP experience managing multiple concurrent client programs.
Core Skills
  • CMMC/NIST Expertise
    • CMMC 2.0 scoping, boundary definition, inheritance, assessment objectives, and POA&M constraints.
    • NIST SP 800-171/172 control interpretation and practical implementation in SMB environments.
    • DFARS cyber clauses, incident reporting expectations, and contractual flow-downs.
  • Technical Leadership
    • Designing and governing security controls across Microsoft 365, Azure/Entra, GCC High, SIEM/SOAR (e.g., Sentinel), EDR/XDR, vulnerability management, identity, and zero trust.
    • Data protection for CUI: data flow mapping, labeling/marking, DLP, encryption, key management, and secure enclaves.
  • Governance, Risk, and Compliance (GRC)
    • Policy/standard/procedure authoring; evidence collection; audit liaison; risk quantification; metrics/KPIs.
    • Hands-on with GRC platforms and evidence workflows.
  • Communication and Stakeholder Management
    • Executive-level storytelling, board-ready reporting, and the ability to translate assessment objectives into actionable workstreams.
    • Vendor management, SOW creation, and prioritization under budget/time constraints.
  • Operational Excellence
    • Building repeatable program playbooks for SSP/POA&M, change management, vulnerability/patch SLAs, logging/retention, and backup testing.
    • Incident response readiness, tabletop execution, and post-incident corrective action governance.

Posted 2025-11-04
