The ISSM Role: Managing Information Assurance Across a Program Portfolio
The ISSM is the senior cybersecurity professional responsible for the IA program across a facility, contract, or portfolio of systems. They're the principal advisor to leadership on cyber risk, the custodian of compliance posture, and the primary interface with the government Authorizing Official (AO).
Core Responsibilities
Programmatic leadership: policy development, resource advocacy, CCB and risk committee governance.
RMF execution: system categorization, control tailoring, package review. The ISSM's signature is the guarantee to the government that the package is complete and accurate.
Continuous monitoring oversight, consolidated POA&M management, risk acceptance articulation to the AO.
Incident response command: leading the response, owning DIBNet/DC3 reporting on the DFARS 7012 clock, coordinating damage assessment.
ISSM vs. ISSO
ISSM is strategic and programmatic; ISSO is tactical and operational. ISSM tailors controls and approves the package; ISSO implements and gathers evidence.
ISSM interfaces with the AO frequently; ISSO rarely. In incidents the ISSM commands and reports; ISSO triages and contains.
The span-of-control trap: ISSMs forced into tactical work because their ISSOs are weak will fail strategically. Build the ISSO bench.
Qualifications
Typically IAM Level II or III: CISSP, CISM, GSLC. But a credential alone doesn't make an ISSM.
Executive presence to explain cyber risk in business terms. Regulatory mastery of RMF, 800-53, 800-171, and agency-specific policy. Enough technical depth to challenge a network engineer who says "we can't do that."
What Separates the Great Ones
Enablers, not the Department of No. They find compliant paths instead of blocking the mission.
Manage risk, not just checklists. They know when to enforce and when to accept residual risk.
Build trusting relationships with the AO and their staff — proactively, not just at signature time.
Mentor their ISSOs. A strong ISSO bench is the ISSM's greatest leverage.
Compensation Reality
Mid-level cleared ISSM with CISSP: $130K–$200K+. Senior ISSM in TS/SCI portfolios: well above $200K. Below-market labor rates won't staff or retain the role.
Want help putting this into practice?
Desra Secure places experienced ISSMs who lead programs, not just sign packages.
This guide is provided for general informational purposes only and does not constitute legal, accounting, or compliance advice. Specific obligations depend on your contracts and your environment.
