Overview
We are a managed service provider specializing in Department of Defense contractor environments and CMMC 2.0 compliance.
The vCISO will lead client security programs end-to-end, aligning cybersecurity strategy with CMMC requirements (Levels 1–3), NIST SP 800-171 / 172, and DFARS 252.204-7012.
This role is responsible for designing and governing right-sized security programs for small to mid-sized organizations handling FCI and CUI, ensuring audit readiness, measurable risk reduction, and sustainable compliance.
Key Responsibilities
Program Leadership and Governance
Serve as the executive security leader for multiple client accounts; establish governance, KPIs, and roadmaps aligned to CMMC and business objectives.
Chair client security steering meetings and deliver QBRs, risk reports, and executive briefings.
CMMC Strategy and Readiness
Perform gap assessments against CMMC 2.0 practices and processes; produce SSPs, POA&Ms, and remediation plans.
Guide clients through SPRS scoring, readiness for C3PAO assessments, and ongoing compliance maintenance.
Advise on CUI data lifecycle, scoping and boundary definition, enclave strategies, and inheritance from MSP / MSSP services.
Risk Management and Policy Framework
Build and maintain risk registers; conduct risk assessments and business impact analyses.
Author and maintain policy, standards, and procedures mapped to CMMC, NIST SP 800-171, and applicable customer contracts.
Security Architecture and Controls Implementation
Design pragmatic control architectures for SMB environments leveraging Microsoft 365 (E5), Microsoft Entra ID (formerly Azure AD), Intune, Defender, Sentinel, and GCC High where appropriate.
Oversee implementation of access control, logging / monitoring, vulnerability management, patching, backup / restore, DLP, email security, endpoint hardening, and zero trust principles aligned to CMMC practices.
Incident Preparedness and Response
Establish IR plans / playbooks, conduct tabletop exercises, and coordinate response with clients and MSP / MSSP partners.
Ensure DFARS 252.204-7012 cyber incident reporting readiness and evidence collection procedures.
Audit and Evidence Management
Build evidence catalogs and objective artifacts mapped to CMMC assessment objectives.
Coordinate internal readiness reviews and act as liaison with C3PAOs, RPOs, and assessors.
Third-Party and Supply Chain
Assess and manage third-party risks, flow-down requirements, and sub-contractor compliance related to CUI handling.
Client Advisory and Enablement
Educate executives and technical teams on CMMC nuances, including scoping pitfalls, inheritance, assessment objectives, and sustainment.
Develop program budgets, roadmaps, and SOWs; prioritize remediation to maximize SPRS score improvements and audit outcomes.
Qualifications
7+ years in cybersecurity with 3+ years in a CISO, vCISO, or senior security leadership capacity serving multiple clients.
Proven, hands-on experience building and sustaining CMMC 2.0 and NIST SP 800-171-aligned programs, including SSP / POA&M development, evidence management, and audit readiness.
Deep understanding of CMMC 2.0 levels, domains / practices, assessment objectives, and the DoD ecosystem (C3PAO process, RPO role, SPRS, eMASS concepts).
Demonstrated success leading security programs in SMB / manufacturing / DoD supplier environments handling FCI / CUI and DFARS 252.204-7012 requirements.
Bachelor’s degree in Information Security, Computer Science, or related field; equivalent experience considered.
Relevant certifications strongly preferred:
Data protection for CUI:
Chief Information Security Officer • Flagstaff, AZ, US