Information Systems Security Officer

About Swoop:

Swoop Technologies has a mission to organize and make accessible the world’s military and critical infrastructure. We are building a distributed operating system, SwoopOS, that decomposes the world’s equipment into a distributed robotic embodiment upon which a new generation of distributed systems, autonomous systems, and agentic AI can be built and deployed using our SDK, Valhalla, and operated via our browser, Surf. Imagine the world’s equipment - consisting of the electrical grid, communications architectures, manufacturing facilities, and militaries as a trapped supply of inputs possessing the potential to ensure Western military advantage, sovereign control of economically competitive manufacturing capacity, or the creation of a grid that fosters energy dominance. Swoop is liberating these trapped assets, allowing them to contribute to the world’s future as a series of building blocks to be combined at the speed of software, limited by only the hard constraints of physics and the soft constraints of safety. That is what Swoop is building. Not in the data center or cloud or edge on-premise computing node. In the physical world. This is a hybrid position that requires someone based in Minneapolis/St. Paul OR Washington DC who can work in-office 3+ days per week

Your Impact:

As our ISSO, you won't be maintaining compliance for its own sake — you'll be the person who keeps classified and CUI-adjacent systems authorized, hardened, and audit-ready so our engineers can do the work that matters. You'll own the RMF lifecycle end-to-end, interface directly with government AOs and SCA teams, and help build a security program that scales with a fast-moving defense tech company. If you want your ISSO work to feel consequential rather than administrative, this is the role.

What You’ll Do:

• Own end-to-end eMASS package lifecycle for one or more information systems — from initial system categorization through ATO maintenance and continuous monitoring

• Develop, maintain, and update all RMF Body of Evidence artifacts: SSPs, SARs, RAR, POA&Ms, ConMon plans, and control implementation statements aligned to NIST SP 800-53 Rev 5

• Coordinate with System Owners, ISSMs, SAs, and government stakeholders (AOs, SCAs, CORs) to ensure authorization packages remain current and accurate

• Execute continuous monitoring activities including vulnerability scan analysis (ACAS/Nessus), STIG review and validation via STIG Viewer/SCAP, and security log auditing

• Conduct and document security impact analyses (SIAs) for proposed system changes; represent security equities at Configuration Control Board (CCB) proceedings

• Track POA&M findings through remediation closure, providing fix actions and compensating controls where applicable

• Support JSIG, DCSA, and/or DoD SCA assessment activities including artifact readiness reviews, evidence collection, and assessor coordination

• Provide cybersecurity guidance to system administrators, developers, and program staff to promote compliant, secure operations throughout the system lifecycle

You Should Have:

• Active Secret or TS/SCI clearance

• 4+ years of hands-on ISSO or IA experience in a DoD or IC environment

• Demonstrated eMASS proficiency — end-to-end package management including artifact upload, milestone tracking, control inheritance documentation, and ATO submission

• Deep working knowledge of NIST SP 800-53 Rev 5, DoDI 8510.01, and the seven-step RMF process

• Experience preparing and defending authorization packages through government assessment and authorization cycles

• Hands-on familiarity with ACAS (Tenable/Nessus), STIG Viewer, and SCAP Compliance Checker

• DoD 8570/8140 IAM Level II or III certification (CISSP, CISM, CASP+, or equivalent)

• Strong technical writing skills — you write SSP control implementation statements that satisfy assessors, not just fill boxes

Bonus if you have:

• Experience with Air Force, Army, or SOCOM RMF programs including service-specific overlays and supplemental directives (AFI 17-101, AR 25-2, JSIG)

• Familiarity with cATO or Fast Track ATO processes

• Cloud security experience (AWS GovCloud, Azure Government) and FedRAMP control mapping

• Experience with CMMC Level 2/3 compliance in a DIB environment

• Working knowledge of Xacta, ServiceNow GRC, or other RMF automation platforms as eMASS adjacents

• Background as a sysadmin, network engineer, or security engineer — people who've touched the technical layer write better controls

• Offensive security background or familiarity with adversary TTPs (enhances risk-based thinking in control selection and POA&M prioritization)

Swoop Technologies is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, age, national origin, disability, protected veteran status, gender identity or any other factor protected by applicable federal, state, or local laws.