Evolver Federal is seeking a Cybersecurity Risk Management and Compliance Lead to support its Federal client in Springfield, VA in managing all aspects of the client’s cybersecurity governance, risk, and compliance program. The Lead is responsible for managing a team of cybersecurity professionals in managing the client’s FISMA Inventory, Enterprise Common Controls, development and maintenance of cybersecurity policies, end-to-end management of POA&Ms, and FISMA compliance.
This Position requires strong leadership, communication, project management expertise (agile/scrum/kanban) and significant experience leading enterprise level Enterprise Cybersecurity Risk Management and Compliance programs for large Federal agencies.
The successful candidate will have previous experience leading Teams in executing Assessment and Authorization (A&A) processes resulting in issuance of ATOs, leading cybersecurity teams in executing FISMA compliance Federal Programs and implementing the NIST Cybersecurity Framework (CSF) in a DHS environment. FISMA Metrics, NIST RMF, Security Controls Assessment, ISSO, OIG, GAO, OMB audit experience, Cyber ALF, Threat Modeling, FedRAMP, Cloud Security, GRC tool, automation, AI/ML experience, cybersecurity policy development.

BASIC QUALIFICATIONS:

• Bachelor’s degree in Computer Science or related field
• 10 years of experience in cybersecurity risk management and compliance
• Must have at least one of the following certifications: GISP, CISM, CISSP, or CGRC
• 10 years of experience with NIST 800-37, experience that can span across a subset, or all, of the steps within the Risk Management Framework.
• 5 years of experience assessing security controls in accordance with NIST 800-53 in/ in support of the Federal Government to include evaluating and validating security control implementation.
• 3 years of experience as an Information System Security Office (ISSO) in/ in support of the Federal government, developing and maintaining comprehensive security documentation in support of the Risk Management Framework, including, but not limited to: System Security Plans (SSPs) (Sections 1 & 2), Contingency Plans (CPs), Contingency Plan Tests (CPTs), Privacy Impact Assessments (PIAs), and Privacy Threshold Analyses (PIA), and Business Impact Assessments (BIAs).
• 5 years’ experience managing POA&Ms from open to closure, including developing realistic mitigation plans aligning to realistic and achievable milestones.
• 2 years of experience in managing common controls, could include operating in an ISSO Role for a system that is a Common Control Provider. Ability to identify and assess common controls and determine appropriate inheritability across a portfolio of systems.
• 2 years of experience with developing and maintaining cybersecurity policies for Federal Agencies, specifically DHS.
• 2 years of experience with NIST SP 800-53, 800-37, DHS 4300A/B
• 2 years of experience with FISMA metrics and security compliance.
• 2 years of experience with FedRAMP with knowledge of compliance criteria.
• 3 years of experience executing continuous monitoring activities, including those supporting vulnerability management and configuration management.
• 2 years of experience with CSAM.
• Familiarity with DHS Cybersecurity Acquisition Lifecycle Framework (ALF).
• Experience in participating in and/or managing responses to external and internal audits sponsored by auditing entities such as OIG, GAO, OMB.
• Minimum 3 years of experience leading, organizing, assigning, and managing workload across a small team to ensure submission of quality deliverables in accordance with contract requirements and established deadlines.
• Must have one of the following certifications: GISP, CISM, CISSP, or CGRC
• Must have Active Secret clearance

PREFERRED QUALIFICATIONS:

• 5 years of experience as an Information System Security Office (ISSO) in/ in support of the Federal government, developing and maintaining comprehensive security documentation in support of the Risk Management Framework, including, but not limited to: System Security Plans (SSPs) (Sections 1 & 2), Contingency Plans (CPs), Contingency Plan Tests (CPTs), Privacy Impact Assessments (PIAs), and Privacy Threshold Analyses (PIA), and Business Impact Assessments (BIAs).
• 3 years of experience in managing common controls, could include operating in an ISSO Role for a system that is a Common Control Provider. Ability to identify and assess common controls and determine appropriate inheritability across a portfolio of systems.
• 3 years of experience with developing and maintaining cybersecurity policies for Federal Agencies, specifically DHS.
• Experience managing/ supporting cybersecurity architecture and governance, preferred.
• Experience with emerging technologies such as Machine Learning, AI, RPA, IoT/OT, etc. with ability to apply this experience to advise on recommended automation strategies to promote efficiencies in the client environment.
• Ability to schedule and lead meetings, including Working Groups and formal Governance Groups, with a diverse group of government and contractor stakeholders at various levels within the organization, including developing and maintaining agendas, meeting notes, and meeting records, including maintaining a repository of all meeting records.
• Ability to communicate clearly and effectively via written and verbal communication in both formal and informal situations.
• Ability to clearly communicate complex technical concepts to Information Technology Project Managers, ISSOs, Application Developers, and Security Compliance Analysts, as well as non-technical POCs such as Branch Chiefs and Business System Owners.
• Ability to adapt to frequent changes in priorities, follow project schedules, meet established deadlines, and proactively communicate risks and issues to the Contractor PM and/or Federal Leads.
• Project management skills and previous experience leading teams using approved Agile methods/ methodology.
• Possess good listening skills and the ability to detect explicit and implicit needs and wants of the client.
• Demonstrated ability to exercise good judgment, prioritize multiple tasks, and problem solve under pressure of deadlines and resource constraints
• Possess strong analytical and critical thinking skills with the ability to apply them to the client/ contract workspace.
• Excellent organizational skills and attention to detail.
• Strong analytical, critical thinking, and problem-solving skills.
• PMP Certification
  Evolver Federal is an equal opportunity employer and welcomes all job seekers. It is the policy of Evolver Federal not to discriminate based on race, color, ancestry, religion, gender, age, national origin, gender identity or expression, sexual orientation, genetic factors, pregnancy, physical or mental disability, military/veteran status, or any other factor protected by law.
  Actual salary will depend on factors such as skills, qualifications, experience, market and work location. Evolver Federal offers competitive benefits, including health, dental and vision insurance, 401(k), flexible spending account, and paid leave (including PTO and parental leave) in accordance with our applicable plans and policies

• Lead the FISMA Inventory Management Team responsible for managing the DHS FISMA Inventory and system designations such as CFO, HVA, MES, and PII.
• Oversee processing of Inventory Change Requests, coordination of quarterly meetings with DHS components, and resolution of action items and responses.
• Lead the Enterprise Common Controls Program and team responsible for managing DHS Common Control and Program implementation. Responsibilities include reviews of controls, assessment documentation, POA&Ms, and ensure proper control inheritance across systems. Develop control baselines, training materials, and policies, lead the DHS Common Control Working Group, and ensure compliance with NIST and industry standards.
• Lead the development and maintenance of department-level cybersecurity policies governing DHS IT cybersecurity implementation.
• Establish and implement standards and frameworks for managing FISMA and FedRAMP compliance, cybersecurity risks, and system inventory across the Department.
• Oversee advisory support to DHS Enterprise Cybersecurity Governance (ECG) personnel on enterprise compliance activities and external cybersecurity engagements.
• Develop department-wide cybersecurity policies and standards aligned with DHS strategies and frameworks, including RMF, AI RMF, and Cyber ALF.
• Support emerging technologies such as Machine Learning, RPA, IoT/OT, and secure development practices across the Department.
• Lead the review and recommended updates to the DHS 4300 Policy series, attachments, memos, and related directives to enhance cybersecurity posture.
• Provide recommendations on policy updates including updates specific to areas including Security Authorization, POA&Ms, known findings, Ongoing Authorization, and Document Review.
• Oversee cybersecurity risk awareness support for IT governance and enterprise risk management, while collaborating across DHS to develop best practices, guidance, and identify innovative tools like AI/ML to enhance cybersecurity program efficiency.
• Lead the research effort and provide recommendations on areas of improvements to enhance the DHS Security Authorization (SA) process, including various ATO types and FedRAMP. Standardize and streamline SA and Risk Management using an agile model that emphasizes efficiency, value, and adaptability.
• Conduct document reviews and validate submitted SA documentation.
• Lead the management and maintenance of the Department’s official POA&M repository to address weaknesses identified through audits, assessments, and continuous monitoring.
• Develop and update POA&M procedures to ensure effective and high-quality remediation of identified issues.
• Collaborate with the Federal Lead and DHS offices to identify, plan, and integrate AI/ML technologies into the DHS environment, while evaluating these tools to ensure their safe and effective use by DHS personnel.
• Collaborate with Training Team to provide expertise on federal and departmental cybersecurity policies, strategies, and frameworks, including RMF, NIST AI RMF, ML, RPA, SELC, SecDevOps, and Cyber Acquisition Lifecycle Framework (ALF).Lead small Team of matrixed resources in meeting client SOW objectives.