Principal, Public Sector SecOps & GRC

Consensus Cloud Solutions
$160,000 - $170,000 | Remote

About The Position

The Principal, Public Sector SecOps & GRC serves as the central security and compliance leader for all public sector engagements, encompassing federal, state, and local mandates. Evolving from a purely compliance-focused mandate, this role bridges Security Operations (SecOps) and Governance, Risk, and Compliance (GRC) to ensure comprehensive defense and continuous authorization across Consensus’ public sector SaaS platforms. This role is vital to Consensus’ mission of providing secure and trusted communication solutions to public sector partners. The Principal leads the design, implementation, and oversight of a unified security framework that aligns with NIST 800-53 Rev. 5 controls, FedRAMP High authorizations, GovRAMP, CMMC, and emerging SLED requirements (such as TexasRAMP and StateRAMP). By unifying SecOps and GRC, this leader ensures timely threat mitigation, streamlined audit processes, and the secure delivery of cloud services to government agencies at all levels.

Requirements

  • Bachelor's degree in computer science, information technology, or cybersecurity.
  • Active Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP) certifications.
  • Ability to undergo a Public Trust background investigation and receive a favorable suitability determination.
  • 8+ years of experience in information security governance, risk, and compliance, with at least 5 years specifically supporting FedRAMP High, FISMA, NIST SP 800-53 Rev. 5, or the RMF.
  • 5+ years in an ISSM or ISSO role managing the security package for federal government agencies' high-impact systems.
  • 5+ years of experience managing or supporting security assessments with Third Party Assessment Organizations (3PAOs).
  • 3+ years of hands-on experience using GRC platforms (e.g., RSA Archer, ServiceNow GRC, OneTrust) and vulnerability management platforms (e.g., Tenable, Qualys, Rapid7).
  • 2+ years of direct experience mapping controls and leading assessments for GovRAMP, CMMC (Level 2+), and StateRAMP/SLED requirements.
  • 2+ years of experience with identity and access management systems (e.g., Okta, Azure AD) for access control governance.
  • Demonstrated experience working within cloud environments such as AWS GovCloud or Azure Government, including cloud-native security controls.
  • Proficiency with the AWS CLI and PowerShell, including scripting automated compliance tasks on Windows and Linux systems, and with Nessus Pro, Burp Suite, Splunk, AWS IAM, Jira, FortiGate firewalls, eMASS, Box.com for Gov, and Okta for Gov as an identity provider.
  • Strong analytical skills to assess complex security risks, interpret compliance requirements, and evaluate technical vulnerabilities.
  • Ability to build and refine repeatable, auditable processes for security governance, risk management, and compliance activities.
  • Clear and effective communication with technical and non-technical stakeholders, including auditors, developers, and executive leadership.
  • Ability to implement continuous monitoring and assessment programs that identify and address security threats in real time, maintaining a proactive SecOps stance.
  • Reliable, high-speed internet connection.
  • U.S. citizenship, or green card holder who has resided in the U.S. for a minimum of 3 consecutive years; work location must be in the U.S.

Responsibilities

  • Lead the design, implementation, and ongoing management of a unified GRC program encompassing FedRAMP High Rev. 5, GovRAMP, CMMC, and SLED/StateRAMP frameworks.
  • Compile and submit monthly Continuous Monitoring (ConMon) reports, including vulnerability scan results, POA&M trackers, and asset inventories, for all applicable public sector frameworks.
  • Oversee threat hunting and vulnerability remediation to meet the federal remediation timelines, measured from discovery: High findings within 30 days, Moderate within 90 days, and Low within 180 days.
  • Escalate unremediated vulnerabilities and initiate Plan of Action and Milestones (POA&M) creation within 7 days of identifying that a remediation deadline cannot be met.
  • Coordinate and lead Annual 3PAO Security Assessments, including penetration testing and red team exercises, across FedRAMP and other public sector programs.
  • Manage and maintain a compliant, hosted secure repository for storing, retrieving, and provisioning access to security packages and artifacts.
  • Manage third parties, including managed security service providers (MSSPs) performing public sector security functions, and direct project management support for these programs.
  • Serve as System Steward for the VA-F package in eMASS, managing Risk Management Framework (RMF) activities, ATO assessments, and workflows.
  • Submit and maintain accurate documentation for the initial and ongoing marketplace listings (e.g., FedRAMP, StateRAMP) of Consensus as a Cloud Service Provider (CSP).
  • Oversee actionable incident response testing every 6 months, and administer incident response training to all assigned personnel within 10 days of role assignment and annually thereafter.
  • Oversee background checks and reinvestigations for all personnel requiring system access, consistent with high-impact Public Trust requirements, and enforce Rules of Behavior agreements.
  • Maintain current SaaS platform architecture diagrams and submit all Security Change Requests (SCRs) and Deviation Requests for approval.
  • Contribute to non-FedRAMP commercial compliance frameworks, such as ISO 27001, SOC 2, or HIPAA, ensuring unified control mappings across public and private sector services.
  • Provide security and compliance guidance to IT, engineering, and development teams to support the design of secure, compliant, and resilient cloud-based architectures.
  • Identify, evaluate, and implement GRC and SecOps tools that support policy automation, identity management, and threat intelligence.
  • Assist with responses to customer security assessments and third-party due diligence requests from prospective SLED and federal agencies.
  • Mentor junior staff or cross-functional team members in information security, compliance best practices, and secure development lifecycles.
  • Support business continuity planning, disaster recovery documentation, and live operational exercises.
  • Perform other duties and responsibilities as required, assigned, or requested. Consensus reserves the right to add or change duties at any time.

Benefits

  • Annual performance bonus
  • ESPP
  • Enhanced time off packages
  • Health insurance
  • Dental insurance
  • Vision insurance