Director of Security & Compliance
Designated Information System Security Officer (ISSO)
Reports to: Executive Director
ARRO is a technology partner to government and emergency response organizations, delivering cloud-based solutions that require rigorous security and regulatory compliance. As ARRO expands its federal and state agency partnerships, we are investing in the leadership and infrastructure needed to achieve and sustain FedRAMP authorization and broader regulatory compliance across our platform.
ARRO is seeking an experienced Director of Security & Compliance to own our enterprise security program and serve as our designated Information System Security Officer (ISSO). This is not a build-from-scratch role — we are mid-gap remediation in our FedRAMP authorization journey, with an active 3PAO relationship and real momentum. We need a leader who has lived inside a FedRAMP authorization, knows how to close a POA&M, and can drive cross-functional accountability across engineering, cloud infrastructure, and operations.
This role carries significant organizational authority and executive visibility. You will report directly to the Executive Director and serve as the internal voice of security and compliance across the organization.
FedRAMP Authorization & Ongoing Compliance
Serve as ARRO’s designated ISSO — named in the authorization package and accountable for the security posture of ARRO’s information systems
Own the FedRAMP authorization strategy and drive execution from mid-gap remediation through ATO and into continuous monitoring
Serve as the primary point of contact for 3PAO assessors, external security consultants, and sponsoring agencies
Oversee all FedRAMP documentation including System Security Plans (SSPs), Plans of Action & Milestones (POA&Ms), and ConMon artifacts
Ensure ARRO maintains operational readiness for regulatory assessments across FedRAMP, NIST 800-53, CMMC, TX-RAMP, and SOC 2
Enterprise Security Program
Lead the development and ongoing maturity of ARRO’s enterprise security program, aligned with NIST 800-53 and applicable regulatory frameworks
Establish and maintain a Continuous Monitoring Program, including vulnerability management, control assessments, risk reporting, and remediation tracking
Own security policy development, maintenance, and enforcement across the organization
Lead security incident response planning and tabletop exercises
Ensure security controls are implemented effectively across ARRO’s Azure Government / GCC High infrastructure and platform
Governance, Risk & Compliance (GRC)
Lead and mentor the GRC Lead, establishing clear ownership and accountability for compliance deliverables
Maintain a structured risk management program including identification, assessment, prioritization, and remediation tracking
Establish internal governance processes to track compliance posture and surface risk to executive leadership
Coordinate audit readiness activities with 3PAO assessors and external consultants
Cross-Functional Security Leadership
Partner with Engineering leadership to integrate security practices into the software development lifecycle
Collaborate with cloud and infrastructure teams to ensure secure architecture and operational practices in Azure Government / GCC High
Provide the Executive Director and leadership team with clear, actionable visibility into ARRO’s security posture, compliance progress, and risk landscape
Promote a culture of security awareness and continuous improvement across the organization
Demonstrated, hands-on FedRAMP authorization experience — you have shepherded a system through an ATO or actively maintained one post-authorization
Deep working knowledge of NIST 800-53 control implementation — you have authored or owned SSPs, POA&Ms, and ConMon artifacts
Direct experience working with 3PAO assessors through an assessment cycle
7+ years in information security or GRC, with 3+ years in a leadership or program ownership capacity
Demonstrated ability to drive cross-functional accountability without direct authority over engineering or infrastructure teams
Strong written communication skills — this role requires executive-level reporting and regulatory documentation
Formal ISSO experience — you have been a named ISSO on at least one system under FedRAMP or FISMA
Hands-on experience in Azure Government or GCC High environments
Familiarity with CMMC, TX-RAMP, or state-level regulatory frameworks
Background in cloud infrastructure, DevSecOps, or security architecture
Experience in a SaaS or cloud-native environment serving government clients
Certifications (one or more preferred)
CISSP — strongly preferred for ISSO designation
CAP (Certified Authorization Professional) — directly aligned with FedRAMP/FISMA work
CISM — relevant given the governance and program management weight of this role
Direct impact on outcomes that matter — ARRO’s technology supports emergency response and public safety organizations
Executive visibility and organizational authority to drive real change
Active 3PAO relationship and real FedRAMP momentum — you’re not starting from zero
Budget flexibility to grow the team as the program matures
ARRO is seeking a Director of Security & Compliance to lead its enterprise security program and serve as the Information System Security Officer (ISSO). This role is pivotal in ARRO's FedRAMP authorization journey, requiring someone with hands-on experience in achieving and maintaining a FedRAMP ATO. The ideal candidate will own the FedRAMP authorization strategy, manage relationships with 3PAO assessors, and oversee all FedRAMP documentation. This position reports directly to the Executive Director, offering significant organizational authority and visibility.
The Director will also be responsible for developing and maintaining ARRO’s enterprise security program, ensuring alignment with NIST 800-53 and other regulatory frameworks. Key responsibilities include establishing a Continuous Monitoring Program, leading security incident response, and collaborating with engineering and cloud infrastructure teams to implement effective security controls. Strong leadership and communication skills are essential, as the role involves mentoring the GRC Lead, managing risk, and providing clear visibility into ARRO’s security posture to executive leadership.