Security Policy and Compliance Lead

Security Policy and Compliance Lead Position Title: Security Policy and Compliance Lead Program: SBA Enterprise Cybersecurity Services (ECS) Position Overview The Security Policy and Compliance Lead shall serve as the senior cybersecurity policy, compliance, and Risk Management Framework (RMF) lead supporting the U.S. Small Business Administration (SBA) Enterprise Cybersecurity Services (ECS) program. Key Responsibilities Active Certified Information Systems Security Professional (CISSP) certification Lead and oversee enterprise cybersecurity policy and compliance support activities across SBA systems, applications, and programs. Manage and support the SBA Risk Management Framework (RMF) lifecycle, including system authorization, assessment, continuous monitoring, and ongoing authorization activities. Develop, review, revise, maintain, and update cybersecurity and privacy documentation including SSPs, CMPs, ISCPs, ISCP Test Reports, ERAs, POA&Ms, policies, procedures, and architecture diagrams. Ensure documentation aligns with SBA implementation procedures, NIST SP 800-series guidance, FISMA requirements, OMB mandates, FedRAMP, and Zero Trust principles. Lead controls assessment and evaluation activities in accordance with NIST SP 800-53 and NIST SP 800-53A methodologies. Coordinate and support Information System Continuous Monitoring (ISCM) activities, Ongoing Authorization (OA) testing, and enterprise cybersecurity metrics reporting. Provide ISSO oversight and coordination support for assigned systems, ensuring systems maintain compliance with authorization requirements and agency security standards. Support FISMA reporting activities including collection, validation, analysis, and submission of enterprise cybersecurity metrics and CyberScope reporting. Coordinate audit support activities for Inspector General (IG), GAO, FISMA, FedRAMP, and internal cybersecurity audits. Support development and maintenance of cybersecurity dashboards, risk registers, visualizations, and automated compliance reporting capabilities. Facilitate High Value Asset (HVA) assessment activities and ensure alignment with CISA and OMB requirements. Support FedRAMP Continuous Monitoring (CONMON) activities and facilitate monthly stakeholder meetings. Support enterprise vulnerability management coordination, remediation tracking, and compliance reporting. Develop and deliver cybersecurity awareness and compliance training content in support of agency requirements. Coordinate enterprise risk management (ERM) integration activities utilizing FAIR methodology and cybersecurity risk quantification. Ensure all deliverables are peer reviewed, Section 508 compliant, and submitted in accordance with SBA-defined timelines and quality standards. Serve as a trusted advisor to SBA leadership, ISSOs, system owners, and program stakeholders regarding cybersecurity governance, policy, and compliance matters. Required Qualifications Bachelor’s degree in Cybersecurity, Information Assurance, Information Technology, Computer Science, Engineering, or related field. Master’s degree preferred. Minimum of ten (10) years of experience supporting federal cybersecurity policy, compliance, RMF, and FISMA programs. At least five years of experience developing the required documents for the A&A package (e.g., SSP, CP, and SAR), including oversight and development of POA&M's, and performing all continuous monitoring functions with the most recent experience occurring in the last three years. Experience in applying risk management techniques to develop and complete risk assessments based on NIST standards to ensure system design and implementation sufficiently addresses or mitigates IA risk. At least five years of experience implementing NIST 800-53A security controls for Federal agencies. At least one year of experience in data structures, data mining, business intelligence, with the ability to correlate data across multiple disparate sources, linking common data elements, and constructing informative visualizations. Minimum of five (5) years of experience serving in an ISSM, ISSO, cybersecurity compliance lead, or equivalent leadership role. Demonstrated expertise in NIST RMF processes, NIST SP 800-53 Rev. 5, NIST SP 800-53A, FISMA, OMB Circular A-130, and federal cybersecurity governance. Experience developing and maintaining cybersecurity documentation including SSPs, POA&M's, SARs, ISCPs, CMPs, and related accreditation artifacts. Experience supporting continuous monitoring, ongoing authorization (OA), audit readiness, and security controls assessments. Strong understanding of federal cybersecurity compliance frameworks including FedRAMP, CISA HVA requirements, and Zero Trust Architecture. Experience supporting enterprise governance, risk, and compliance (GRC) platforms and automated reporting solutions. Excellent written and verbal communication skills with experience supporting executive briefings, audits, and stakeholder coordination. Relevant cybersecurity certifications such as CISSP, CISM, CAP, GSLC, or equivalent required. Project Management Professional (PMP) certification preferred. Ability to obtain and maintain a Moderate Risk background investigation and eligibility for higher-level clearances if required. Desired Experience Experience supporting SBA, DHS, CISA, or other civilian federal agencies. Experience supporting FedRAMP cloud environments including AWS, Azure, Microsoft 365, Salesforce, and SaaS platforms. Experience developing enterprise cybersecurity dashboards, metrics, automation, and data visualizations. Experience supporting enterprise risk management (ERM) integration and FAIR-based risk quantification. #J-18808-Ljbffr