Security Policy and Compliance Lead

cFocus Software Incorporated

Washington, DC

JOB DETAILS
JOB TYPE
Full-time
SKILLS
Amazon Web Services (AWS), Analysis Skills, Automation, Background Investigation, Business Administration, Business Intelligence, CISA - Certified Information Systems Auditor, CISM - Certified Information Security Manager, CISSP - Certified Information Systems Security Professional, Cloud Computing, Communication Skills, Computer Science, Computer Security, Data Mining, Data Structures, Data Visualization, Develop Methodologies, Documentation, Executive Assistant Skills, FISMA - Federal Information Security Management Act, Federal Government, GSLC - GIAC Security Leadership Certificate, Homeland Security, Information Technology & Information Systems, Information/Data Security (InfoSec), Internal Audit, Internet Security, Leadership, Maintain Compliance, Metrics, Microsoft Windows Azure, Presentation/Verbal Skills, Procedure Implementation, Project Management Professional (PMP), Quality Metrics, Regulatory Compliance, Reporting Dashboards, Reporting Skills, Risk, Risk Analysis, Risk Management, Risk Management Framework (RMF), Salesforce.com, Section 508, Security Analysis, Security Auditing, Security Policy, Small Business, Software as a Service (SaaS), Systems Analysis, Training/Teaching Materials, U.S. National Institute of Standards and Technology (NIST), Writing Skills
LOCATION
Washington, DC
POSTED
4 days ago

Security Policy and Compliance Lead

Position Title: Security Policy and Compliance Lead
Program: SBA Enterprise Cybersecurity Services (ECS)

Position Overview

The Security Policy and Compliance Lead shall serve as the senior cybersecurity policy, compliance, and Risk Management Framework (RMF) lead supporting the U.S. Small Business Administration (SBA) Enterprise Cybersecurity Services (ECS) program.

Key Responsibilities

  • Lead and oversee enterprise cybersecurity policy and compliance support activities across SBA systems, applications, and programs.
  • Manage and support the SBA Risk Management Framework (RMF) lifecycle, including system authorization, assessment, continuous monitoring, and ongoing authorization activities.
  • Develop, review, revise, maintain, and update cybersecurity and privacy documentation including System Security Plans (SSPs), CMPs, Information System Contingency Plans (ISCPs), ISCP Test Reports, ERAs, Plans of Action and Milestones (POA&Ms), policies, procedures, and architecture diagrams.
  • Ensure documentation aligns with SBA implementation procedures, NIST SP 800-series guidance, FISMA requirements, OMB mandates, FedRAMP, and Zero Trust principles.
  • Lead controls assessment and evaluation activities in accordance with NIST SP 800-53 and NIST SP 800-53A methodologies.
  • Coordinate and support Information System Continuous Monitoring (ISCM) activities, Ongoing Authorization (OA) testing, and enterprise cybersecurity metrics reporting.
  • Provide ISSO oversight and coordination support for assigned systems, ensuring systems maintain compliance with authorization requirements and agency security standards.
  • Support FISMA reporting activities including collection, validation, analysis, and submission of enterprise cybersecurity metrics and CyberScope reporting.
  • Coordinate audit support activities for Inspector General (IG), GAO, FISMA, FedRAMP, and internal cybersecurity audits.
  • Support development and maintenance of cybersecurity dashboards, risk registers, visualizations, and automated compliance reporting capabilities.
  • Facilitate High Value Asset (HVA) assessment activities and ensure alignment with CISA and OMB requirements.
  • Support FedRAMP Continuous Monitoring (CONMON) activities and facilitate monthly stakeholder meetings.
  • Support enterprise vulnerability management coordination, remediation tracking, and compliance reporting.
  • Develop and deliver cybersecurity awareness and compliance training content in support of agency requirements.
  • Coordinate enterprise risk management (ERM) integration activities using the FAIR methodology and cybersecurity risk quantification.
  • Ensure all deliverables are peer reviewed, Section 508 compliant, and submitted in accordance with SBA-defined timelines and quality standards.
  • Serve as a trusted advisor to SBA leadership, ISSOs, system owners, and program stakeholders regarding cybersecurity governance, policy, and compliance matters.

Required Qualifications

  • Bachelor’s degree in Cybersecurity, Information Assurance, Information Technology, Computer Science, Engineering, or related field. Master’s degree preferred.
  • Minimum of ten (10) years of experience supporting federal cybersecurity policy, compliance, RMF, and FISMA programs.
  • At least five years of experience developing the required documents for the Assessment and Authorization (A&A) package (e.g., SSP, CP, and SAR), including oversight and development of POA&Ms, and performing all continuous monitoring functions, with the most recent experience occurring in the last three years.
  • Experience in applying risk management techniques to develop and complete risk assessments based on NIST standards to ensure system design and implementation sufficiently addresses or mitigates IA risk.
  • At least five years of experience implementing NIST SP 800-53 security controls for Federal agencies and assessing them using NIST SP 800-53A assessment procedures.
  • At least one year of experience in data structures, data mining, business intelligence, with the ability to correlate data across multiple disparate sources, linking common data elements, and constructing informative visualizations.
  • Minimum of five (5) years of experience serving in an ISSM, ISSO, cybersecurity compliance lead, or equivalent leadership role.
  • Demonstrated expertise in NIST RMF processes, NIST SP 800-53 Rev. 5, NIST SP 800-53A, FISMA, OMB Circular A-130, and federal cybersecurity governance.
  • Experience developing and maintaining cybersecurity documentation including SSPs, POA&Ms, SARs, ISCPs, CMPs, and related accreditation artifacts.
  • Experience supporting continuous monitoring, ongoing authorization (OA), audit readiness, and security controls assessments.
  • Strong understanding of federal cybersecurity compliance frameworks including FedRAMP, CISA HVA requirements, and Zero Trust Architecture.
  • Experience supporting enterprise governance, risk, and compliance (GRC) platforms and automated reporting solutions.
  • Excellent written and verbal communication skills with experience supporting executive briefings, audits, and stakeholder coordination.
  • Active Certified Information Systems Security Professional (CISSP) certification required; CISM, CAP, GSLC, or equivalent certifications are also relevant.
  • Project Management Professional (PMP) certification preferred.
  • Ability to obtain and maintain a Moderate Risk background investigation and eligibility for higher-level clearances if required.

Desired Experience

  • Experience supporting SBA, DHS, CISA, or other civilian federal agencies.
  • Experience supporting FedRAMP cloud environments including AWS, Azure, Microsoft 365, Salesforce, and SaaS platforms.
  • Experience developing enterprise cybersecurity dashboards, metrics, automation, and data visualizations.
  • Experience supporting enterprise risk management (ERM) integration and FAIR-based risk quantification.
