Talent.com
Virtual Chief Information Security Officer
Executech • Flagstaff, AZ, US
4 days ago
Job type
  • Full-time
Job Description

Overview

We are a managed service provider specializing in Department of Defense contractor environments and CMMC 2.0 compliance. The vCISO will lead client security programs end-to-end, aligning cybersecurity strategy with CMMC 2.0 requirements (Levels 1–3), NIST SP 800-171 and 800-172 (Level 2 maps to the 110 NIST SP 800-171 requirements; Level 3 adds a selected subset of NIST SP 800-172), and DFARS 252.204-7012. This role is responsible for designing and governing right-sized security programs for small to mid-sized organizations handling FCI and CUI, ensuring audit readiness, measurable risk reduction, and sustainable compliance.

Key Responsibilities

Program Leadership and Governance
  • Serve as the executive security leader for multiple client accounts; establish governance, KPIs, and roadmaps aligned to CMMC and business objectives.
  • Chair client security steering meetings and deliver QBRs, risk reports, and executive briefings.

CMMC Strategy and Readiness
  • Perform gap assessments against CMMC 2.0 practices and processes; produce SSPs, POA&Ms, and remediation plans.
  • Guide clients through SPRS scoring (the NIST SP 800-171 DoD Assessment score), readiness for C3PAO assessments, and ongoing compliance maintenance.
  • Advise on CUI data lifecycle, scoping and boundary definition, enclave strategies, and inheritance from MSP / MSSP services.

Risk Management and Policy Framework
  • Build and maintain risk registers; conduct risk assessments and business impact analyses.
  • Author and maintain policies, standards, and procedures mapped to CMMC, NIST SP 800-171, and applicable customer contracts.

Security Architecture and Controls Implementation
  • Design pragmatic control architectures for SMB environments leveraging Microsoft 365 (E5), Microsoft Entra ID (formerly Azure AD), Intune, Defender, Sentinel, and GCC High where appropriate.
  • Oversee implementation of access control, logging / monitoring, vulnerability management, patching, backup / restore, DLP, email security, endpoint hardening, and zero trust principles aligned to CMMC practices.

Incident Preparedness and Response
  • Establish IR plans / playbooks, conduct tabletop exercises, and coordinate response with clients and MSP / MSSP partners.
  • Ensure DFARS 252.204-7012 cyber incident reporting readiness (reporting within 72 hours of discovery and preserving images of affected systems and relevant monitoring data for at least 90 days) and evidence collection procedures.

Audit and Evidence Management
  • Build evidence catalogs and objective artifacts mapped to CMMC assessment objectives.
  • Coordinate internal readiness reviews and act as liaison with C3PAOs, RPOs, and assessors.

Third-Party and Supply Chain
  • Assess and manage third-party risks, flow-down requirements, and sub-contractor compliance related to CUI handling.

Client Advisory and Enablement
  • Educate executives and technical teams on CMMC nuances, including scoping pitfalls, inheritance, assessment objectives, and sustainment.
  • Develop program budgets, roadmaps, and SOWs; prioritize remediation to maximize SPRS score improvements and audit outcomes.
Qualifications

  • 7+ years in cybersecurity with 3+ years in a CISO, vCISO, or senior security leadership capacity serving multiple clients.
  • Proven, hands-on experience building and sustaining CMMC 2.0 and NIST SP 800-171-aligned programs, including SSP / POA&M development, evidence management, and audit readiness.
  • Deep understanding of CMMC 2.0 levels, domains / practices, assessment objectives, and the DoD ecosystem (C3PAO process, RPO role, SPRS, eMASS concepts).
  • Demonstrated success leading security programs in SMB / manufacturing / DoD supplier environments handling FCI / CUI and DFARS 252.204-7012 requirements.
  • Bachelor’s degree in Information Security, Computer Science, or related field; equivalent experience considered.
  • Relevant certifications strongly preferred:
    • CISSP, CISM, CCISO, or CISA
    • CMMC-focused credentials such as CCP, RP, or CCA
    • Additional (nice to have): ISO 27001 Lead Implementer / Auditor, CEH, GCCC / GCIH / GCLD
  • U.S. citizenship required; ability to work with ITAR / EAR-restricted information. Security clearance a plus but not required.
  • Consulting / MSP experience managing multiple concurrent client programs.
Core Skills

CMMC / NIST Expertise
  • CMMC 2.0 scoping, boundary definition, inheritance, assessment objectives, and POA&M constraints (including the 180-day closeout limit and the practices that cannot be deferred to a POA&M).
  • NIST SP 800-171 / 172 control interpretation and practical implementation in SMB environments.
  • DFARS cyber clauses, incident reporting expectations, and contractual flow-downs.

Technical Leadership
  • Designing and governing security controls across Microsoft 365, Azure / Entra ID, GCC High, SIEM / SOAR (e.g., Sentinel), EDR / XDR, vulnerability management, identity, and zero trust.
  • Data protection for CUI: data flow mapping, labeling / marking, DLP, encryption, key management, and secure enclaves.

Governance, Risk, and Compliance (GRC)
  • Policy / standard / procedure authoring; evidence collection; audit liaison; risk quantification; metrics / KPIs.
  • Hands-on with GRC platforms and evidence workflows.

Communication and Stakeholder Management
  • Executive-level storytelling, board-ready reporting, and the ability to translate assessment objectives into actionable workstreams.
  • Vendor management, SOW creation, and prioritization under budget / time constraints.

Operational Excellence
  • Building repeatable program playbooks for SSP / POA&M, change management, vulnerability / patch SLAs, logging / retention, and backup testing.
  • Incident response readiness, tabletop execution, and post-incident corrective action governance.