Cybersecurity Risk Lead

CVP is seeking an Cybersecurity Risk Lead for a large government agency enterprise-level cybersecurity program. The Cybersecurity Risk Lead will work directly with the Cybersecurity Program Manager and the agency’s CIO and CISO in cybersecurity tasks such as information security policy development and implementation; security compliance monitoring; security audit management; risk assessment; system authorization; security reporting; and other information security-related tasks.

• The Risk Lead will help the agency identify, evaluate, and develop strategies for handling risks to reduce information security and privacy risk across the agency.
• The Risk Lead will provide recommendations, guidance, planning, and implementation support for agency risk management activities and tools, and provide support as needed to enhance the agency’s Information Security Program related to governance, optimizations, automation, and supporting tools.
• The Risk Lead will support the agency’s operational responsibilities in complying with Federal, Department, and Agency mandates and policies that include Department of Health and Human Services policies, the Federal Information Security Modernization Act (FISMA), OMB Circular A-130, OMB Circular A-123, OMB Circular A-11, and any additional OMB guidance relevant to the scope of Risk Management and A&A. 
• The Risk Lead will support the agency’s privacy, security and FISMA risk management and compliance reporting requirements.
• Other responsibilities to include supporting, but not limited to, the following:
  • Developing an agency Information Security Risk Management Strategy in accordance with the latest released versions of NIST Special Publications (SPs) such as SP 800-37, Risk Management Framework for Information Systems and Organizations and SP 800-39, Managing Information Security Risk (as revised).
  • Conducting an enterprise risk assessment and developing an agency Information Security Risk Assessment Report that addresses all findings from the assessment
  • Developing an agency Privacy and Security Roadmap that recommends privacy and information security capabilities based on risks identified in the agency’s Information Security Risk Assessment Report
  • Developing an agency Information Security Risk Management Plan that addresses how the agency will implement and perform risk management activities regarding risk tolerance, risk assessment, risk response, risk monitoring, and risk capabilities
  • Developing a Risk Scorecard as part of the risk analysis conducted from the enterprise risk assessment, detailing agency’s overall risk posture. The Risk Scorecard shall be designed to proactively identify and manage risks across the agency.
  • Enhancing the agency’s Risk Management Program as prescribed in the latest released versions of NIST SP 800-37, Risk Management Framework for Information Systems and Organizations, SP 800-39, Managing Information Security Risk and the NIST Cybersecurity Framework

• • Developing a dashboard for agency leadership to provide constant view of risks to the IT ecosystem
  • Providing risk management guidance to the agency offices for A&A activities as required, ensuring continuous risk monitoring of information security control implementation effectiveness and required information security compliance requirements
  • Support the Information Security and Assurance Office (ISAO) in implementing and overseeing the organization’s information security risk management and security assessment and authorization (A&A) activities.
  • Provide recommendations and implement process improvements to the agency’s A&A process based on best practices from other HHS OPDIVs and federal agencies.
  • Advise the agency on how best to tailor the revised A&A process to handle non-traditional technologies including, but not limited to, cloud, mobile, and Internet of Things.
  • Provide the agency recommendations on how it can continuously monitor and assess the security posture of agency information systems over time and alert agency decision makers when an information system presents an increased risk or eminent threat to agency data and/or operations.

• • Develop guidance, templates, other tools, and advice to the program offices to support their risk management and ATO activities.
  • Provide risk management and information security continuous monitoring program implementation recommendations to program offices
  • Track and review Plans of Actions and Milestones (POA&Ms) agency-wide to identify areas of risk as a result of unimplemented POA&Ms, a buildup of risk-based decisions, or other cross-cutting issues observed as a result of its risk management support.
  • Track the A&A status for all divisions and programs that have information systems to validate they meet the requirements to protect the agency’s data and operations.
  • Develop the required artifacts to complete security accreditation packages for OCIO information systems and perform any required assessments, as requested. The Contractor shall provide oversight and advisory support to agency program office personnel for completion of information system A&A packages, as requested.
  • Follow NIST Federal Information Processing Standards (FIPS) and Special Publications (SPs) to include, but not limited to, FIPS 199 and 200, SP 800-39, SP 800-37, SP 800-137, SP 800-60, SP 800-53, SP 800-53A, SP 800-34, SP 800-30, and SP 800-18. The Contractor shall comply with all agency IT security and Privacy policies and standards including, and the agency Privacy Impact Assessment (PIA) requirements and associated templates.

• Must be eligible to obtain a Public Trust clearance
• 4-year college degree in Computer Science or related field 
• CISSP, CISM or GSLC Certification
• At least eight years of cybersecurity experience
• Knowledge of NIST Cybersecurity and Risk Management frameworks 
• NIH experience
• Demonstrated strong analytical, troubleshooting and problem-solving skills for cybersecurity
• Excellent communication skills, both written and oral
• Security+ or equivalent certification
• Knowledge of cloud environments
• Knowledge of computer networking concepts and protocols, and network security methodologies
• Knowledge of cyber threats and vulnerabilities
• Knowledge of business continuity and disaster recovery continuity of operations plans
• Knowledge of host/network access control mechanisms 
• Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data
• Knowledge of system life cycle management principles, including software security and usability

Desired Skills

• Experience with Security Assessment Tools (Tenable Nessus, DBProtect, Wireshark, WebInspect)

About CVP

CVP is an award-winning healthcare and next-gen technology and consulting services firm solving critical problems for healthcare, national security, and public sector clients. We help organizations achieve lasting transformation.

CVP is an Equal Opportunity Employer dedicated to actively recruiting individuals and providing advancement opportunities based on merit and legitimate job qualifications. We ensure that all associates receive equal opportunities based on their personal qualifications and job requirements. CVP strictly prohibits any form of discrimination or harassment.

At CVP, we cultivate a work environment that encourages fairness, teamwork, and respect among all associated. We are committed to maintaining a workplace where everyone can grow both personally and professionally.