Position: "Cyber Supply Chain Risk Management (CSCRM) Governance Lead"

Location: Woodlawn, MD, United States

Duration: Contract, Long Term

Duties and Responsibilities:

The role sits inside of a national security focused team within the bigger cybersecurity group.

The team has been in a pretty immature state for some time now as they've struggled to get an initial policy and movement.

This person really needs to be able to think big about third party risk management across the organization, and help design systems that will eventually be a "program"

This team is also in a somewhat internally competitive position with another team that operates in the compliance side of the group doing FedRAMP and SaaS security.

On a day-to-day basis, this person will be meeting with stakeholders across HHS and CMS. They will be working on policy. They will be directing and contributing to supplier risk reviews. They will be making tool decisions and working in TPRM tools as they try to weave all of this together into a program.

Location: Woodlawn, MD MANDATORY

Required Travel: 0 - 10%

Security Clearance: TS/SCI ( optional)

Level of Experience: Senior

We are seeking a Hybrid Cyber Supply Chain Risk Management (CSCRM) Governance Lead. This position will focus on developing policies and procedures to structure a SCRM program intended to mitigate risks associated with the agency's supply chain and third-party vendors. This role involves creating and maintaining a comprehensive cyber risk management framework, ensuring compliance with security standards and regulatory requirements, and overseeing governance processes to protect the organization's assets and data. They will also work to develop and incorporate contract and acquisition policies with associated terms and conditions to ensure all agreements align with the agency's security standards and risk management objectives.

What You Will Do

Policy Creation and Governance:

• Develop Comprehensive Cyber Supply Chain Policies:
• Establish policies that define the security requirements and expectations for all supply chain partners and third-party vendors.
• Ensure policies cover key areas such as data protection, incident response, access controls, and secure software development.
• Align policies with industry standards (e.g., NIST SP 800-161) and regulatory requirements (e.g., GDPR, CCPA).
• Policy Implementation and Enforcement:
• Develop procedures to enforce compliance with established policies.
• Implement monitoring mechanisms to ensure adherence to policies and procedures.
• Collaborate with internal teams to integrate policy requirements into procurement and vendor management processes.
• Continuous Improvement and Policy Updates:
• Regularly review and update policies to address new threats and vulnerabilities.
• Gather feedback from stakeholders to improve policy effectiveness.
• Stay informed about industry best practices and regulatory changes to ensure policies remain current.

Risk Management Framework:

• Design and Maintain Risk Management Framework:
• Create a framework for identifying, assessing, and mitigating risks associated with the supply chain and third-party vendors.
• Implement risk assessment tools and methodologies to evaluate the security posture of vendors and suppliers.
• Develop risk mitigation strategies and action plans to address identified vulnerabilities.
• Integrate Risk Management with Governance:
• Ensure the risk management framework is integrated with governance processes to provide oversight and accountability.
• Establish key risk indicators (KRIs) and key performance indicators (KPIs) to monitor the effectiveness of risk management activities.

Governance and Oversight:

Establish Governance Committees:

• Form and lead governance committees or working groups focused on third-party risk management.
• Develop governance structures to ensure clear roles, responsibilities, and accountability.
• Develop and Maintain Risk Registers: Create and maintain third-party risk registers to document and track identified risks.
• Monitor and Report on Governance Activities:
• Generate regular reports on the status of governance activities, including policy compliance and risk management efforts.
• Present findings and recommendations to senior leadership and relevant stakeholders.
• Due Diligence and Onboarding:
• Conduct thorough due diligence on potential vendors and third-party partners.
• Ensure security requirements are integrated into vendor selection and onboarding. Collaborate with procurement and legal teams to negotiate contracts that include robust security clauses.
• Contract and Acquisition Policy Integration:
• Develop and incorporate security and risk management requirements into contract and acquisition policies.
• Ensure all vendor agreements and contracts include terms and conditions that align with the company's security standards and risk management objectives.
• Review and update contract terms and conditions regularly to address evolving risks and regulatory requirements.

What We Are Looking For

• 15 years relevant experience with Bachelors in related field; 13 years relevant experience with Masters in related field; 10 years relevant experience with PhD or Juris Doctorate in related field; or High School Diploma or equivalent and 19 years relevant experience.
• Bachelor's degree in Cybersecurity, Information Technology, Business Administration, or a related field.
• Minimum of 10 years of experience in policy creation, governance, and risk management in supply chain or third-party risk management.
• Strong knowledge of cybersecurity principles, risk management frameworks, and regulatory requirements (e.g., NIST, ISO 27001, GDPR).
• Experience developing and implementing risk management policies and governance frameworks.
• Proven experience in integrating security requirements into contract/acquisition policies and managing terms/conditions in vendor agreements.
• Excellent analytical, problem-solving, and communication skills.
• Ability to work independently and as part of a team in a fast-paced environment.
• Possess and maintain a current TS-SCI clearance.

Preferred: Bonus Points For...

• Familiarity with supply chain management and federal acquisition procurement processes.
• Experience with governance, risk, and compliance (GRC) tools and software.
• Knowledge of emerging threats and trends in cybersecurity and supply chain risk management.
• Relevant certifications (CISSP, CISM, CRISC, or CTPRP, etc.)