Information Systems Security Officer (ISSO)

About This Opportunity:

The Information Systems Security Officer (ISSO) is responsible for safeguarding the confidentiality, integrity, and availability of Docebo’s information assets. This specialized expert role Owns and operates the company’s FedRAMP authorization and maintenance program — end-to-end governance, risk management, continuous monitoring, ATO/ATO-maintenance artifacts, cross-functional coordination, and government/3PAO engagement — to enable and sustain FedRAMP and DoD RMF authorizations required by our customers and contracts. The ISSO ensures compliance with various regulatory frameworks, including FedRAMP, NIST, and DoD guidelines. 

Responsibilities:

• Own the FedRAMP/DoD RMF authorization lifecycle for assigned systems (strategy → authorization → continuous monitoring → ATO maintenance).
• Define and maintain the FedRAMP program governance model, roles & responsibilities (including Sponsor/Authorizing Official interactions).
• Create, own, maintain, and version-control the System Security Plan (SSP), Security Assessment Report (SAR), continuous monitoring (ConMon) artifacts, POA&Ms, SSP annexes, and all ATO package deliverables.
• Build and run the ConMon program: define telemetry requirements, dashboards, vulnerability ingestion, thresholds, incident feed, and reporting cadence.
• Triage vulnerabilities, manage POA&Ms (track remediation owners, dates, residual risk), and ensure POA&M closure meets customer and FedRAMP expectations.
• Lead the selection, engagement, and technical coordination with 3PAOs and any external assessors. Ensure assessments, testing, and SAR content are accurate and timely.
• Evaluate security impact for architectural or operational changes (Security Impact Analysis), own risk acceptance processes, and coordinate Risk Acceptance with Sponsors/Authorizing Officials.
• Integrate change control with the ConMon program to ensure authorized/approved changes are documented and do not break control baselines.
• Act as the primary internal liaison across Product, Engineering, DevOps, Security, Sales, Legal, and Marketing for anything impacting the FedRAMP posture and ATO timelines. Drive working groups and weekly syncs.
• Support pre-sales and customer conversations on FedRAMP posture and timelines alongside Sales; maintain the relationship with the government Sponsor/Authorizing Official and the FedRAMP PMO as required.
• Build and manage program timelines (Gantt), identify and mitigate schedule risk, report status to Management and stakeholders, and maintain an issues/risk register for the authorization lifecycle.
• Develop/update policies, control implementations, and procedures to ensure alignment with FedRAMP Rev (current guidance), NIST SP 800-53/800-37/800-137, and DoD RMF as applicable.
• Provide training for engineers, product managers, and GRC teams on FedRAMP requirements, evidence collection, secure configuration baselines, and artifacts expectations.
• Coordinate security incidents affecting FedRAMP-scope systems into the ConMon program and ensure incident reporting/lessons learned are reflected in POA&Ms and governance.
• Capture lessons learned from audits and assessments, refine processes, and drive automation of evidence collection and control attestations to scale the program.

Requirements:

• 8+ years of experience in information systems security, with a focus on compliance with NIST and DoD guidelines.
• In-depth knowledge of FedRAMP, NIST SP 800-37, NIST SP 800-53, and DoD 8510.01 policies and procedures.
• Strong technical writing skills for developing SOPs, work instructions, and senior-level briefs. Proficient in risk and vulnerability assessment, security infrastructure design, and continuous monitoring.
• Prior experience on obtaining FedRamp ATO

Benefits & Perks 😍

• Generous Vacation Policy, plus extra floating holidays to use for religious or cultural events that matter to you
• Employee Share Purchase Plan
• Career progression/internal mobility opportunities
• Four employee resource groups to get involved with (the Docebo Women's Alliance, PRIDE, BIDOC, and Green Ambassadors)
• WeWork partnership and “Work from Anywhere” program

Hybrid Office Model 🏢

We believe when people are together, they develop deeper relationships and accelerate innovation. Because of this, all Docebo employees worldwide are “hybrid.” We encourage in-person collaboration while supporting work-from-home when employees need dedicated focus time, allowing Docebians to do their best every day. Each team leader is able to decide how often their teams come into the office, considering the needs of the team and the employee’s needs. Our Talent Acquisition team will let you know about the role you are applying for and the hybrid details during the first interview.