Research Cybersecurity Compliance Lead

About The Position

Requirements

• Bachelor's degree in information technology, computer science, cybersecurity, engineering, or a closely related field. Equivalent professional experience may be considered in lieu of a degree.
• At least 5 years of professional experience in cybersecurity, systems administration, or IT infrastructure management, with demonstrated responsibility for secure system design and operations.
• Hands-on experience administering both Linux and Windows environments, including implementation of security baselines and compliance controls.
• Experience with cloud services and identity platforms such as Microsoft Entra ID, M365, and Azure, particularly in identity and access management.
• Working knowledge of federal cybersecurity and export control requirements including NIST 800-171, CMMC, ITAR, and EAR.
• Strong ability to translate regulatory requirements into technical and procedural controls that can be understood and followed by researchers and non-technical staff.
• Ability to obtain the Certified CMMC Professional (CCP) credential within six months of employment.

Nice To Haves

• Advanced degree in information security, computer science, engineering, or a related field.
• More than 7 years of professional experience in cybersecurity operations, secure systems administration, or IT infrastructure management, with at least 3 years in a compliance or research security context.
• Demonstrated experience with federal security and compliance frameworks such as NIST SP 800-171, CMMC, NIST 800-53, FedRAMP, and export control requirements (ITAR, EAR, OFAC). See also, https://www.usu.edu/infosec/regulations/
• Direct involvement in preparing for or supporting CMMC or other third-party compliance assessments, with familiarity in evaluating evidence for sufficiency, adequacy, and audit readiness under the CMMC Assessment Process (CAP).
• Professional certifications such as CISSP, CISM, CCSP, or CompTIA Security+, in addition to or in pursuit of Certified CMMC Professional (CCP) or Certified CMMC Assessor (CCA).
• Strong understanding of identity and access management concepts and their application in environments such as Microsoft Entra ID, M365, and Azure.
• Excellent written and verbal communication skills, with the ability to explain complex compliance and technical requirements to both technical and non-technical stakeholders.

Responsibilities

• Vendor collaboration and transition: Partner with the university's selected vendor to stand up a compliant secure research environment. Learn the environment's architecture, configuration, and controls from the beginning, with the goal of gradually assuming more responsibility for day-to-day management and long-term sustainability.
• Program leadership: Serve as the lead point of contact for USU's research cybersecurity compliance program, ensuring that the secure environment supports requirements such as CMMC, NIST 800-171, ITAR, EAR, OFAC, and related regulations.
• Policy and procedure development: Translate cybersecurity and export control requirements into practical research-wide policies, procedures, and standards that can be consistently followed by researchers and IT staff.
• Research collaboration: Work closely with the Office of Research and individual researchers to develop project-specific compliance plans, including Technology Control Plans (TCPs), and provide guidance for securely handling Controlled Unclassified Information (CUI) and other regulated data.
• Assessment readiness: Act as the primary liaison during third-party assessments, including C3PAO evaluations, ensuring that required documentation and evidence meet CMMC criteria for sufficiency and adequacy and are maintained in an audit-ready state.
• Risk and vulnerability management: Conduct or coordinate internal risk assessments, track vulnerabilities, and ensure remediation within the research environment.
• Documentation stewardship: Maintain essential records, including the System Security Plan (SSP), Plans of Action and Milestones (POA&Ms), incident response procedures, and other compliance documentation.
• Continuous improvement: Regularly evaluate the effectiveness of controls, policies, and processes, providing reports and recommendations to university leadership.
• Training and outreach: Provide guidance and education to researchers and staff on compliance obligations, secure workflows, and the use of the secure research environment.