Risk Manager
2 weeks ago
Overview

CVP is seeking a Cybersecurity Risk Manager for a large government agency enterprise-level cybersecurity program. The Cybersecurity Risk Manager will work directly with the Cybersecurity Program Manager and the agency’s CIO and CISO in cybersecurity tasks such as information security policy development and implementation; security compliance monitoring; security audit management; risk assessment; system authorization; security reporting; and other information security-related tasks.

Responsibilities

- Identify, evaluate, and develop strategies for handling risks to reduce information security and privacy risk across the agency.
- Provide recommendations, guidance, planning, and implementation support for agency risk management activities and tools, and provide support as needed to enhance the agency’s Information Security Program related to governance, optimizations, automation, and supporting tools.
- Develop an agency Information Security Risk Management Strategy in accordance with the latest released versions of NIST Special Publications (SPs) such as SP 800-37 (Risk Management Framework for Information Systems and Organizations) and SP 800-39 (Managing Information Security Risk).
- Conduct an enterprise risk assessment and develop an agency Information Security Risk Assessment Report addressing all findings.
- Develop an agency Privacy and Security Roadmap that recommends privacy and information security capabilities based on risks identified in the Risk Assessment Report.
- Develop an agency Information Security Risk Management Plan covering risk tolerance, risk assessment, risk response, risk monitoring, and risk capabilities.
- Provide risk management guidance to agency offices for A&A activities, ensuring continuous risk monitoring of information security control implementation and required compliance.
- Support the Information Security and Assurance Office (ISAO) in implementing and overseeing information security risk management and security assessment and authorization (A&A) activities.
- Advise on tailoring the revised A&A process for non-traditional technologies (e.g., cloud, mobile, Internet of Things).
- Provide recommendations on continuous monitoring and assessment of security posture and alert decision makers to increased risk or imminent threats.
- Develop guidance, templates, tools, and advice to program offices to support their risk management and ATO activities.
- Provide risk management and continuous monitoring program implementation recommendations to program offices.
- Track and review Plans of Actions and Milestones (POA&Ms) agency-wide to identify risk areas due to unimplemented POA&Ms or cross-cutting issues.
- Track A&A status for divisions and programs to ensure protection of agency data and operations.
- Develop artifacts to complete security accreditation packages for OCIO information systems and provide oversight and advisory support for A&A package completion.
- Follow NIST FIPS and SPs (e.g., FIPS 199/200, SP 800-39, SP 800-37, SP 800-137, SP 800-60, SP 800-53, SP 800-53A, SP 800-34, SP 800-30, SP 800-18) and comply with agency IT security and Privacy policies, including PIA requirements and templates.

Qualifications

- Minimum of six years’ experience in cybersecurity; 10+ years’ experience preferred.
- Minimum of six years' experience leading and delivering in FISMA-based and FedRAMP Assessment and Authorization (A&A) programs for comparably sized federal agencies; seven+ years’ experience preferred.
- Shall have at least one of the following industry-recognized certifications:
  - Certified Information System Security Professional (CISSP)
  - Certified Information Systems Auditor (CISA)
  - Certified Information Security Manager (CISM)
  - Certified in Risk and Information Systems Control (CRISC)
- Familiarity with ITIL Foundation, GRC tools, continuous monitoring, and vulnerability management tools (NIH currently uses CSAM).
- Demonstrated experience managing cybersecurity teams including personnel, workload, priorities, scheduling, and risks.
- Proven experience bringing innovative approaches to reduce FISMA workload and time to authorization/reauthorization (e.g., boundary consolidation, common control reuse, automation, assessment readiness, digital transformation).

Desired Skills

- PMP Certification
- CISSP Certification
- Experience with Security Assessment Tools (Tenable Nessus, DBProtect, Wireshark, WebInspect)
- NIH/HHS experience

Location

Rockville, MD (Hybrid)

Salary

$130-140k (Depending on experience)

About CVP

CVP is an award-winning healthcare and next-gen technology and consulting services firm solving critical problems for healthcare, national security, and public sector clients. We help organizations achieve lasting transformation.

CVP is an Equal Opportunity Employer dedicated to actively recruiting individuals and providing advancement opportunities based on merit and legitimate job qualifications. We ensure that all associates receive equal opportunities based on their personal qualifications and job requirements. CVP strictly prohibits any form of discrimination or harassment.

At CVP, we cultivate a work environment that encourages fairness, teamwork, and respect among all associates. We are committed to maintaining a workplace where everyone can grow both personally and professionally.
-
Risk Manager
4 weeks ago
Rockville, United States Customer Value Partners Full time
Overview: CVP is seeking a Cybersecurity Risk Manager for a large government agency enterprise-level cybersecurity program. The Cybersecurity Risk Manager will work directly with the Cybersecurity Program Manager and the agency's CIO and CISO in cybersecurity tasks such as information security policy development and implementation; security compliance...
-
Manager, Probabilistic Risk Assessment
3 weeks ago
Rockville, United States X-energy Full time
X-energy LLC conducts a thorough recruiting process and will never issue offers without interview to discuss qualifications and responsibilities. All...
-
Manager, Probabilistic Risk Assessment
3 weeks ago
Rockville, United States X Energy, LLC Full time
X-energy LLC conducts a thorough recruiting process and will never issue offers without interview to discuss qualifications and responsibilities. All applications will be submitted via our company career page, www.x-energy.com/careers/. We will never ask you to provide payment information as part of the recruiting process. If anyone claiming to represent...
-
Enterprise Risk Management Tutor
3 weeks ago
Rockville, United States Varsity Tutors, a Nerdy Company Full time
The Varsity Tutors Live Learning Platform has thousands of students looking for online Enterprise Risk Management tutors nationally. As a tutor on the Varsity Tutors Platform, you’ll have the flexibility to set your own schedule, earn competitive rates, and make...
-
Manager, Probabilistic Risk Assessment
2 days ago
Rockville, MD, United States X Energy, LLC Full time
X-energy LLC conducts a thorough recruiting process and will never issue offers without interview to discuss qualifications and responsibilities. All applications will be submitted via our company career page, www.x-energy.com/careers/. We will never ask you to provide payment information as part of the recruiting process. If anyone claiming to represent...
-
Senior Safety
2 weeks ago
Rockville, United States City of Rockville Full time
A local government agency is seeking a Safety Manager to oversee occupational safety and health management programs. Responsibilities include risk assessments, claims investigations, and safety training for employees. The ideal candidate will have a relevant Bachelor's degree and at least five years of experience in safety or risk management. This full-time...
-
Rockville, United States Customer Value Partners, Inc. Full time
A leading technology consulting firm is seeking a Cybersecurity Risk Manager for a government agency. The role focuses on managing cybersecurity risks, developing strategies, and ensuring compliance with security policies. Ideal candidates will have over six years of cybersecurity experience and relevant certifications. The position offers an attractive...
-
Information Security Risk Assessor
4 weeks ago
Rockville, United States Cyquent Full time
Information Security Risk Assessor. Onsite in Rockville, MD.
Scope of Work: The Cyber Security Risk Analyst will support Governance, Risk, and Compliance (GRC) efforts by performing detailed risk evaluations and compliance assessments. The analyst will work primarily within the ServiceNow GRC platform to review IT security policy exception requests, assess...
-
Program Manager III, Medicare Risk Adjustment
3 weeks ago
Rockville, United States Kaiser Permanente Full time
Program Manager III, Medicare Risk Adjustment & Chart Review
The Program Manager III for Risk Adjustment and Chart Review is responsible for overseeing the accuracy and efficiency of risk adjustment processes and retrospective chart reviews. They will support the management and oversight of internal and vendor chart retrieval operations, including performance...
-
Cybersecurity Risk and Compliance Analyst
1 week ago
Rockville, MD, United States E-talentnetwork Full time
Job Profile Summary: The Cybersecurity Risk Analyst is responsible for supporting and advancing the organization's Governance, Risk, and Compliance (GRC) functions. This role helps ensure regulatory compliance, strengthens the overall security posture, and drives risk management initiatives across systems, networks, and third-party vendors. The Analyst works...