Cybersecurity SCRM Expert

4 days ago


Harrisburg, Pennsylvania, United States Cherokee Nation Businesses Full time

Cybersecurity SCRM Expert Job Description

This position requires the ability to obtain a Public Trust. We are seeking a highly knowledgeable and experienced Cybersecurity Subject Matter Expert (SME) and Supply Chain Risk Management (SCRM) Analyst to provide expert-level systems analysis, design, integration, and implementation advice on complex cybersecurity challenges, with a specific focus on managing supply chain risks. The successful candidate will contribute to all phases of study development, assist with SCRM program management efforts, and conduct security risk assessments of third-party vendors. Additionally, the Analyst will play a critical role in enhancing cybersecurity awareness through training programs and ensuring adherence to federal regulations, including NIST SP 800-53 Rev. 5 and OMB M-22-18.

Responsibilities
• Provide high-level analysis, design, and integration advice on complex cybersecurity challenges, particularly within the realm of supply chain risk management (SCRM).
• Assist the SCRM Task Lead with managing and governing the organization's cybersecurity SCRM program, ensuring that procedures are up-to-date and aligned with federal regulations.
• Identify and categorize supply chain vendors into risk levels based on services and products provided and conduct thorough security risk assessments to identify gaps against security controls and requirements.
• Develop and maintain a framework for proactively managing cybersecurity supply chain risks, addressing issues such as counterfeit insertion, tampering, unauthorized production, theft, and insertion of malicious code throughout the Software Development Life Cycle (SDLC).
• Integrate SCRM concepts into the organization's Information Security Continuous Monitoring (ISCM) program, as part of the transition to NIST SP 800-53 Rev. 5.
• Support the implementation of OMB M-22-18 and assist in integrating the Secure Software Development Framework (SSDF) into the SDLC and ISCM processes.
• Establish and contribute to a Cyber Workforce Training, Education, and Awareness Program, including the creation of certificate pathways for key cybersecurity roles, with a focus on setting training requirements and ensuring accountability.
• Assist the customer in developing and maintaining a well-trained cybersecurity workforce that can achieve and maintain necessary industry certifications and academic credentials.
• Support the Information System Security Officer (ISSO) function by assisting in the development of Authority to Operate (ATO) packages and strategizing ways to centralize the ISSO support function.
• Prepare and deliver senior management presentations, reports, and briefings on the progress of cybersecurity initiatives, SCRM efforts, and workforce development.

Requirements
• Bachelor's degree in Cybersecurity, Information Technology, or a related field.
• Minimum 5 years of experience in cybersecurity, with a focus on supply chain risk management (SCRM) and cybersecurity program management.
• Possesses IAT Level II certification (e.g., CompTIA Security+, GIAC, or equivalent).
• Strong understanding of NIST SP 800-53 Rev. 5, federal cybersecurity regulations, and supply chain risk management frameworks.
• Experience conducting security risk assessments for third-party vendors and identifying compliance gaps.
• Familiarity with the Information Security Continuous Monitoring (ISCM) process and the integration of SCRM concepts into cybersecurity frameworks.
• Ability to manage complex projects and collaborate with cross-functional teams to achieve cybersecurity goals.
• Experience supporting the ISSO function and developing ATO packages.
• Strong written and verbal communication skills, with the ability to present complex technical information to both technical and non-technical audiences.
• Experience with Secure Software Development Framework (SSDF) and its integration into organizational processes preferred.
• Familiarity with the implementation of OMB M-22-18 and other federal cybersecurity regulations preferred.
• Proven track record of managing and maintaining cybersecurity workforce training programs, including certification tracking and development preferred.
• Past applicable job experience may include, but is not limited to: Cyber Security Specialist, Security Risk Management Analyst, or Information Security Consultant.
