GRC and CMMC Assessment Lead - Senior Manager

About The Position

Requirements

• Eight plus years of relevant experience in cybersecurity GRC, CMMC assessment, risk management, compliance, or consulting (level will map to experience); hands-on CMMC assessment or readiness support experience strongly preferred.
• Bachelor’s degree in a related field is required.
• Demonstrated expertise implementing and operationalizing cybersecurity frameworks and control programs: CMMC Level 2 & Level 3, NIST SP 800-171 / 800-172 (required); NIST CSF / NIST 800-53, ISO 27001/27002, SOC 2, CIS, FedRAMP Controls (supporting experience valued)
• Familiarity with privacy fundamentals as they intersect with CUI handling and federal compliance (e.g., NIST SP 800-171 Practice 3.13 – System and Communications Protection); deep privacy program expertise is not required but is a plus.
• Experience performing or leading: CMMC readiness assessments and mock assessments (Level 2 and/or Level 3), NIST SP 800-171 gap assessments and remediation planning, SSP and POA&M development and maintenance, enterprise/security risk assessments, control design/testing, policy and standards development aligned to CMMC practice domains, DFARS clause compliance reviews and supply chain flow-down assessments, compliance/regulatory readiness programs
• Exceptional written and verbal communication skills with a track record of producing executive-level deliverables.
• Proven ability to lead teams, manage timelines/budgets, and deliver in a client-facing environment.

Nice To Haves

• Certifications: Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), CISM, CISSP, CRISC, CISA.
• PE/portfolio company experience: rapid maturity uplift, integration, carve-out/stand-up, and pragmatic road mapping.
• Exposure to incident readiness, tabletop exercises, and crisis communications coordination with Legal/Comms.
• Experience supporting audits and assurance activities (SOC 2 readiness, ISO certification readiness, CMMC third-party assessments as part of a C3PAO or DIBCAC-adjacent engagement).

Responsibilities

• Lead end-to-end CMMC assessment and GRC engagements, including scoping, gap analysis, SSP/POAM development, remediation planning, and executive reporting.
• Design and operationalize cybersecurity governance models (policies, standards, risk appetite, committees, reporting KPIs/KRIs).
• Build and mature enterprise risk programs: risk assessments, risk registers, control libraries, and control testing approaches.
• Conduct CMMC readiness assessments and mock assessments against NIST SP 800-171 practice domains; develop and implement security policies, standards, and procedures aligned to applicable frameworks (CMMC, NIST CSF, ISO 27001/27002, CIS, SOC 2, FedRAMP).
• Support regulatory readiness and compliance initiatives (e.g., SEC cyber disclosure support, NYDFS 500, GDPR/UK GDPR, CCPA/CPRA, HIPAA, PCI DSS, SOX ITGC, CMMC, FedRAMP alignment where applicable).
• Advise defense industrial base (DIB) clients on Controlled Unclassified Information (CUI) scoping, CUI registry management, and system boundary definition to support CMMC Level 2 and Level 3 compliance.
• Perform vendor/third-party risk assessments and implement scalable TPRM operating models, including supply chain risk assessments in the context of DFARS and CMMC flow-down requirements.
• Support clients in developing and maintaining SPRS scores, POA&Ms, and System Security Plans (SSPs) to demonstrate assessment readiness.
• Coordinate cross-functional stakeholders (Legal, IT, Security, Compliance, Product, HR) to drive outcomes and adoption.
• Translate complex technical, regulatory, and privacy requirements into business-oriented recommendations.
• Deliver executive-ready artifacts: board/audit committee materials, roadmaps, operating models, heatmaps, and risk dashboards.
• Serve as a trusted advisor to senior leadership; confidently present findings and influence decisions.
• Contribute to go-to-market development: offerings, templates, accelerators, methodologies, and points of view.
• Support business development through proposal writing, SOW development, client presentations, and solution shaping.
• Mentor and develop consultants and managers; lead teams across multiple engagements while maintaining quality and delivery rigor.
• Partner with other CFGI service lines (Accounting Advisory, CFO Advisory, Technology Enablement) to deliver integrated solutions.

Benefits

• Competitive compensation
• benefits
• career growth trajectory