Program Manager (C-SCRM)

NuScale Power, Houston, TX
Onsite

About The Position

This position establishes, leads, and governs the enterprise-wide Cybersecurity Supply Chain Risk Management (C-SCRM) program for both Operational Technology (OT, i.e., digital instrumentation and controls) and Information Technology (IT). The C-SCRM Program Manager reports to the Supervisor, Information Security and leads an interdisciplinary team of subject matter experts from Information Security, Instrumentation and Controls Engineering and Manufacturing (i.e., Supply Chain), and Plant Services Cyber Security to deliver a scalable, defensible, and compliant supply chain assurance program for digital assets and software systems that are safety-related, augmented requirements, physical security-related, or emergency preparedness-related, in accordance with NIST SP 800-161, NIST SP 800-53 (SR/SA/RA/PM), NIST SP 800-82, and nuclear sector guidance (NEI 08-09, Regulatory Guide 5.71, RIS 2015-08 Rev 1).

Requirements

  • A minimum of a bachelor’s degree in Cybersecurity, Computer Science, Engineering, or related field is required. Alternatively, an additional 4 years (12 years total) of equivalent full-time nuclear industry cyber security experience may be considered in lieu of a degree.
  • NSCP 800-161 Foundation Certificate or equivalent is required.
  • A minimum of 8 years of full-time cybersecurity experience with a focus on supply chain risk, vendor management, or secure procurement is required.
  • Must have experience across OT/ICS and IT cybersecurity, including digital I&C systems, embedded controllers, industrial networking, and enterprise IT infrastructure.
  • Detailed knowledge of NIST SP 800‑161, NIST SP 800‑82, and NIST SP 800‑53 control families related to supply chain, assurance, and risk assessment (SR/SA/RA/PM).
  • Familiarity with nuclear regulatory guidance including NEI 08‑09, RG 5.71, and RIS 2015‑08 Rev 1.
  • Demonstrated ability to lead cross‑disciplinary teams and manage complex supplier ecosystems.
  • Strong written and verbal communication skills; ability to influence at all organizational levels.
  • Eligible to work under Department of Energy 10 CFR Part 810.
  • Ability to understand and communicate clearly using a phone, personal interaction, and computers.
  • Ability to learn new job functions and comprehend and understand new concepts quickly and apply them accurately in a rapidly evolving environment.
  • The employee is frequently required to sit, stand, walk, bend, use hands to operate office equipment, and reach with hands and arms.
  • Ability to lift ten to fifteen pounds.

Nice To Haves

  • Professional certifications such as CISSP, CISM, CRISC, GICSP, CISA, or ISA/IEC 62443 certificates are preferred.
  • Experience in nuclear energy, critical infrastructure, or similarly regulated sectors preferred.
  • Working knowledge of SBOM formats (SPDX, CycloneDX) and secure software development lifecycle (SSDLC) practices (e.g., NIST SP 800-218).
  • Understanding of OT protocols, deterministic network architectures, physical/functional separation concepts, and secure digital I&C implementation (e.g., Regulatory Guide 1.152, Revision 3, Regulatory Position C.2).

Responsibilities

  • Develop and manage the enterprise C‑SCRM program for OT (digital I&C platforms, field devices, PLCs, networked sensors, safety‑related cyber systems) and IT (commercial software, COTS hardware, servers, cloud services, network equipment).
  • Create and maintain policies, standards, and procedures aligned to NIST SP 800‑161 and NIST SP 800‑53 SR, SA, RA, PM control families.
  • Integrate nuclear sector guidance (NEI 08‑09, RG 5.71, RIS 2015‑08 Rev 1) into supply chain expectations for safety‑related and security‑related digital systems.
  • Establish supplier risk tiering and criticality criteria covering safety‑related functions, digital asset categorization, and impacts on plant operations and corporate environments.
  • Lead the C‑SCRM Steering Committee and drive alignment between Supply Chain, Engineering, Plant Services Cyber Security, Legal, QA, and Supplier Quality Assurance.
  • Oversee the complete supplier lifecycle: inherent risk assessments, due diligence, technical evaluation, contracting, onboarding, continuous monitoring, reassessment, and offboarding.
  • Ensure contractual language includes security requirements, SBOM/MBOM deliverables, secure SDLC expectations, vulnerability disclosure procedures, and sub‑tier supplier transparency.
  • Implement structured workflows for third‑party risk assessments that incorporate NIST SP 800‑53 SR/SA obligations, NEI 08‑09 defensive architecture principles, and NIST SP 800‑82 OT constraints.
  • Coordinate supplier audits and assessments, ensuring traceability of security commitments and evidence of control effectiveness.
  • Define and enforce minimum security requirements for suppliers, including software integrity controls, code signing, firmware assurance, and supply chain provenance.
  • Evaluate SBOMs for software, firmware, and embedded system components; drive vulnerability assessment and remediation plans based on exploitability in OT/ICS contexts.
  • Oversee technical acceptance processes such as Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), configuration verification, deterministic communication requirements, and architecture compliance checks for digital I&C components.
  • Support secure engineering design reviews for systems that integrate COTS hardware, virtualized servers, network infrastructure, and embedded digital components.
  • Coordinate risk analysis and compensating control strategies where patching or upgrading is constrained in OT environments.
  • Perform qualitative and quantitative supply chain risk assessments covering vendor security posture, component integrity, lifecycle support, and cyber threat exposure.
  • Document risk findings, residual risk calculations, and recommended mitigations; present clear decision options to executive leadership.
  • Develop Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to track program maturity and supplier health.
  • Maintain centralized risk evidence repositories supporting compliance and audit readiness.
  • Ensure the C‑SCRM program adheres to NIST SP 800‑161, NIST SP 800‑53, NIST SP 800‑82, NEI 08‑09, RG 5.71, and RIS 2015‑08 Rev 1 requirements.
  • Prepare for internal audits, external assessments, and US NRC reviews; provide documentation showing control compliance and technical baselines.
  • Coordinate with Engineering and Plant Services Cyber Security to ensure digital I&C assets meet expectations for secure procurement, configuration control, and lifecycle management.
  • Develop training and communication materials to improve supply chain security awareness across engineering, operations, IT, and procurement teams.
  • Coach project managers, system owners, and procurement professionals on secure supplier interactions and risk evaluation processes.
  • Communicate supply chain threats, vulnerabilities, mitigations, and accepted risks to senior leadership in clear, actionable terms.

Benefits

  • Employee Benefits | NuScale Power