
Security Analyst / ISSO

Lynk · Remote · Contract

Job Description

Full-time · Remote · US-based · Senior level · Reports to CISO

US citizenship or Lawful Permanent Resident status required. This role involves access to Controlled Unclassified Information (CUI); no security clearance required.

ABOUT LYNK

Lynk is building the world’s first global satellite-to-cellular network, enabling direct device-to-device (D2D) connectivity from commercial low Earth orbit (LEO) satellites to standard mobile phones, no special hardware required. We operate in a market alongside other commercial LEO constellations, satellite-direct-to-cellular providers, and large-scale broadband satellite networks, competing for the same spectrum, orbits, and government contracts.

Our technology and network infrastructure are of significant interest to US government and defense customers. Protecting the integrity of that infrastructure and the Controlled Unclassified Information that flows through it is mission critical. That’s where you come in.

Role Overview:

Reporting directly to the CISO, you’ll own Lynk’s cybersecurity compliance program across CMMC Level 2 / NIST SP 800-171, DFARS 7012, SOC 2 Type II, and GDPR. You’ll be ISSO for CUI-scoped systems: authoring SSPs, maintaining POA&Ms, running control assessments, and leading C3PAO engagement. Lynk has a functioning security toolset in place including SIEM/log management, EDR, MDM, vulnerability management and IT asset management; your job is to mature and align that stack to CMMC requirements, not start from zero.

Responsibilities:

GRC & Compliance (primary)

  • Own and maintain the System Security Plan (SSP) and Plan of Action & Milestones (POA&M) for all CUI-scoped systems; always keep documentation audit-ready.

  • Assess all 110 NIST SP 800-171 practices for implementation and effectiveness; map existing controls (Wazuh, ThreatDown, Tenable, ManageEngine, AD GPOs, SnipeIT) to CMMC requirements, identify gaps, and drive remediation.

  • Maintain the organizational risk register; support ongoing Risk Management Framework (RMF) processes and report risk posture to the CISO.

  • Lead preparation for CMMC Level 2 assessments — build evidence packages, coordinate with the C3PAO, and manage assessor requests and findings.

  • Develop and maintain cybersecurity policies, procedures, and standards aligned to CMMC, DFARS, SOC 2, and GDPR; ensure version control and staff acknowledgment records are maintained.

  • Define, track, and report security metrics and KPIs to the CISO and non-technical stakeholders including legal, contracts, and business development teams.

  • Support contract teams with DFARS clause requirements, cybersecurity representations, and customer security questionnaires.

  • Conduct vendor and third-party risk assessments; maintain supplier risk documentation.

  • Manage the security awareness training program and phishing simulations; maintain completion records per CMMC requirements.

Security Operations (secondary)

  • Monitor SIEM for security events and alerts relevant to CUI systems; write and tune detection rules; triage and escalate incidents; produce post-incident reports with compliance impact assessment. Leverage audit log aggregation to satisfy CMMC AU (Audit & Accountability) control evidence requirements.

  • Monitor EDR alerts for CUI-scoped endpoints; investigate detections and coordinate response with IT.

  • Work with IT to ensure vulnerability findings are remediated within CMMC-required timeframes; track and report on remediation status.

  • Leverage MDM and Active Directory to enforce device compliance, GPO-based security baselines, and access control policies across CUI-scoped endpoints.

  • Use asset inventory as the authoritative hardware/software asset register for CMMC system boundary documentation; keep it current and audit-ready.

  • Conduct periodic access control audits; enforce least-privilege across AD, SSO, and SaaS tooling handling CUI.

Required Skills and Experience:

  • 3–6 years in cybersecurity with a strong GRC or compliance focus; prior ISSO experience or equivalent accountability preferred.

  • Deep, working knowledge of NIST SP 800-171 and DFARS 7012. Able to assess, gap-analyze, and evidence all 110 controls independently.

  • Demonstrated experience authoring SSPs and POA&Ms for government-facing or regulated environments.

  • Familiarity with the CMMC Level 2 assessment process and C3PAO engagement.

  • Hands-on SIEM experience: writing detection rules, querying logs, and generating compliance-grade audit evidence.

  • Hands-on experience with EDR and vulnerability scanning tools in a compliance context: mapping tool outputs to NIST controls and generating assessor evidence.

  • Working knowledge of SOC 2 Type II and GDPR compliance requirements.

  • Some cloud security fundamentals (AWS preferred): IAM, CloudTrail, GuardDuty, access policies.

  • Clear, structured communicator. Equally comfortable writing formal policy documentation and briefing non-technical executives.

  • US citizenship or Lawful Permanent Resident status.

Nice to Have:

  • CMMC Registered Practitioner (RP) or Professional (CCP)

  • CISSP / CISM / Security+

  • RMF / ATO experience

  • FedRAMP familiarity

  • Space / satellite industry background

  • Telecom or critical infrastructure security

  • Prior C3PAO assessment experience

  • GRC platform experience (Vanta, Drata, Archer, ServiceNow)

  • Scripting in Python or Bash for evidence collection automation

  • Zero-trust architecture

What Lynk Offers:

  • Competitive salary and equity in a company building genuinely novel global infrastructure.

  • Remote-first, US-based role.

  • Direct line to the CISO; your work defines Lynk’s compliance posture at a critical growth stage.

  • A functioning security toolset already in place. Your focus is maturing and aligning it, not standing it up from scratch.

  • Learning and certification budget.

Lynk is an equal opportunity employer. This position requires US citizenship or Lawful Permanent Resident status due to access to Controlled Unclassified Information.


Job Details

  • Category: Security

  • Employment Type: Contract

  • Location: Remote (Remote Available)

  • Posted: Apr 28, 2026, 09:32 AM

  • Listed: Apr 28, 2026, 09:39 AM
