Risk Manager

About The Position

Requirements

• Minimum of six years’ experience in cybersecurity. 10+ years’ experience is preferred.
• Minimum of six years' experience leading and delivering in FISMA-based and FedRAMP Assessment and Authorization (A&A) programs for comparably sized federal agencies and programs. Seven plus years’ experience is preferred.
• Shall have at least one of the following industry-recognized certifications: Certified Information System Security Professional (CISSP) Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) Certified in Risk and Information Systems Control (CRISC)
• Familiarity with Information Technology Infrastructure Library (ITIL) Foundation Compliance (GRC) tool, continuous monitoring, and vulnerability management tools or services. Note: NIH currently uses CSAM.
• Demonstrated experience managing cybersecurity teams including personnel, workload, priorities, scheduling, and risks.
• Proven experience bringing innovative approaches to help reduce the FISMA workload and time to authorization/reauthorization through such methods as boundary consolidation, common control identification and re-use, automation, assessment readiness reviews, and digital transformation.

Nice To Haves

• PMP Certification
• CISSP Certification
• Experience with Security Assessment Tools (Tenable Nessus, DBProtect, Wireshark, WebInspect)
• NIH/HHS experience

Responsibilities

• Identify, evaluate, and develop strategies for handling risks to reduce information security and privacy risk across the agency.
• Provide recommendations, guidance, planning, and implementation support for agency risk management activities and tools, and provide support as needed to enhance the agency’s Information Security Program related to governance, optimizations, automation, and supporting tools.
• Developing an agency Information Security Risk Management Strategy in accordance with the latest released versions of NIST Special Publications (SPs) such as SP 800-37, Risk Management Framework for Information Systems and Organizations and SP 800-39, Managing Information Security Risk (as revised).
• Conducting an enterprise risk assessment and developing an agency Information Security Risk Assessment Report that addresses all findings from the assessment
• Developing an agency Privacy and Security Roadmap that recommends privacy and information security capabilities based on risks identified in the agency’s Information Security Risk Assessment Report
• Developing an agency Information Security Risk Management Plan that addresses how the agency will implement and perform risk management activities regarding risk tolerance, risk assessment, risk response, risk monitoring, and risk capabilities
• Providing risk management guidance to the agency offices for A&A activities as required, ensuring continuous risk monitoring of information security control implementation effectiveness and required information security compliance requirements
• Support the Information Security and Assurance Office (ISAO) in implementing and overseeing the organization’s information security risk management and security assessment and authorization (A&A) activities.
• Advise the agency on how best to tailor the revised A&A process to handle non-traditional technologies including, but not limited to, cloud, mobile, and Internet of Things.
• Provide the agency recommendations on how it can continuously monitor and assess the security posture of agency information systems over time and alert agency decision makers when an information system presents an increased risk or eminent threat to agency data and/or operations.
• Develop guidance, templates, other tools, and advice to the program offices to support their risk management and ATO activities.
• Provide risk management and information security continuous monitoring program implementation recommendations to program offices
• Track and review Plans of Actions and Milestones (POA&Ms) agency-wide to identify areas of risk as a result of unimplemented POA&Ms, a buildup of risk-based decisions, or other cross-cutting issues observed as a result of its risk management support.
• Track the A&A status for all divisions and programs that have information systems to validate they meet the requirements to protect the agency’s data and operations.
• Develop the required artifacts to complete security accreditation packages for OCIO information systems and perform any required assessments, as requested.
• The Contractor shall provide oversight and advisory support to agency program office personnel for completion of information system A&A packages, as requested.
• Follow NIST Federal Information Processing Standards (FIPS) and Special Publications (SPs) to include, but not limited to, FIPS 199 and 200, SP 800-39, SP 800-37, SP 800-137, SP 800-60, SP 800-53, SP 800-53A, SP 800-34, SP 800-30, and SP 800-18.
• The Contractor shall comply with all agency IT security and Privacy policies and standards including, and the agency Privacy Impact Assessment (PIA) requirements and associated templates.