
Governance, Risk, and Compliance Analyst

NextGen Information Services, Inc

Contract

Austin, TX

Job description

Position Overview

We are seeking a highly experienced Senior ISSO / GRC Lead to own and drive end-to-end System Security Plan (SSP) development, vulnerability remediation governance, and compliance oversight for enterprise systems operating under federal/state security frameworks.

This role will ensure continuous audit readiness, risk-based vulnerability management, and compliance with security standards including NIST 800-53, RMF, and CMS MARS-E v2.2.

The ideal candidate has deep expertise in Governance, Risk & Compliance (GRC), SSP ownership, POA&M management, and enterprise security architecture across cloud and hybrid environments.

Key Responsibilities

1. SSP Ownership & Compliance Governance

  • Lead end-to-end development, maintenance, and updates of System Security Plans (SSPs)
  • Ensure alignment with NIST 800-53, NIST RMF, CMS MARS-E v2.2, and applicable privacy controls
  • Maintain assessor-ready documentation at all times

2. POA&M & Remediation Management

  • Create, manage, and track POA&Ms (Plan of Action & Milestones)
  • Drive remediation efforts across application, infrastructure, and security teams
  • Ensure timely closure of compliance gaps within defined SLAs

3. Vulnerability & Penetration Testing Oversight

  • Translate penetration testing and vulnerability findings into actionable remediation work items (EPICs, user stories, tickets)
  • Oversee risk-based vulnerability prioritization
  • Coordinate validation and re-testing activities

4. Security Control Implementation & Evidence Collection

  • Document control implementations
  • Collect and validate audit evidence including configurations, monitoring logs, approvals, and incident traceability
  • Support internal and external audits

5. Cloud & Enterprise Security Governance

  • Provide governance oversight for:
      • Endpoint security controls
      • Web application security
      • Cloud security (AWS/Azure/hybrid environments)
  • Support Secure SDLC and DevSecOps practices

6. Stakeholder & Executive Communication

  • Translate technical security issues into compliance-aligned remediation strategies
  • Present risk posture and remediation status to executive stakeholders
  • Guide teams on security governance best practices

Required Qualifications

  • 12+ years of experience in:
      • Governance, Risk & Compliance (GRC)
      • Enterprise Security Architecture
      • Vulnerability Management & Penetration Testing
      • Cloud Security (Hybrid Environments)
  • 10+ years of:
      • End-to-end SSP development and ownership
      • Experience with CMS MARS-E v2.2 or comparable federal/state frameworks
      • POA&M creation, tracking, and remediation governance
      • Audit evidence collection and validation
  • 8+ years of:
      • NIST 800-53 and NIST RMF expertise
      • Secure SDLC / DevSecOps knowledge
      • Translating technical findings into compliance actions
      • Cross-functional stakeholder management
  • Excellent written and verbal communication skills

Preferred Qualifications

  • Experience in multi-vendor, multi-platform enterprise environments
  • Proven ability to reduce repeat audit findings
  • Experience mentoring security governance teams
  • Experience supporting HHSC or similar state agency systems

Nice-to-Have Certifications

  • CISSP
  • CISM
  • CRISC
  • CISA
  • CAP (Certified Authorization Professional)

Ideal Candidate Profile

This role is best suited for a senior-level security professional who has:

  • Served as an ISSO in federal/state environments
  • Owned SSPs from initial development through audit cycles
  • Led POA&M remediation programs
  • Deep familiarity with NIST-based frameworks
  • Experience working in regulated environments

Job Type: Contract

Pay: $80.00 - $90.00 per hour

Work Location: In person