Senior Cybersecurity and Privacy Program Manager
Employment Information
Report this job
Job expired or something wrong with this job?
Job Description
Senior Cybersecurity and Privacy Program Manager leading NSF's cybersecurity and privacy program at Criterion. Overseeing cyber risk management and compliance with federal regulations.
Responsibilities:
- Lead NSF’s enterprise cybersecurity and privacy program; set objectives, coach for performance, ensure cross-training and continuity; maintain an adaptive posture with rigorous analysis and implementation.
- Govern to NIST RMF (SP 800-37), FISMA, OMB guidance, NIST SP 800-series (including privacy controls), CISA BODs, and FedRAMP; own FISMA IG maturity targets and drive quarterly improvements with metrics-based reporting.
- Develop and maintain cybersecurity and privacy policies, plans, procedures, standards, operational guides; establish and manage a documentation and knowledge repository.
- Drive risk-based management and security-focused configuration management across infrastructure and applications; maintain risk registers, executive dashboards, and remediation plans.
- Privacy Program Management: Partner with SAOP (Senior Agency Official for Privacy) to lead oversight; conduct privacy control assessments (NIST SP 800-53 Rev. 5 privacy, OMB memos); maintain a privacy risk register; embed privacy risk in enterprise reporting; deliver compliance reporting and corrective actions.
- Assessment and Authorization/Continuous Monitoring: Lead A&A/Ongoing Authorization; plan and execute assessments aligned to NIST SP 800-53/53A, 800-171/172; manage evidence, weakness analysis, POA&Ms, and durable closure; mature Continuous Monitoring and DHS CDM integrations, dashboards, automated reporting, and alert fidelity.
- SIEM (Security Information and Event Management) Monitoring and Audit Logging: Oversee Splunk operations; enforce audit logging standards, log source coverage (infrastructure, applications, cloud), retention/integrity, and compliance mapping; tune detections and dashboards.
- Zero Trust and Modernization: Execute NSF’s Zero Trust plan across identity, devices, networks, applications/workloads, and data; implement comprehensive monitoring, risk-based access, automation; conduct red/blue team testing; advance data-centric security, DLP, and protection of sensitive/PII; plan for post-quantum cryptography transitions.
- Identity and Account Management: Own enterprise IAM governance—joiner/mover/leaver automation, identity proofing, MFA and conditional access, ABAC (Attribute-Based Access Control)/RBAC (Role-Based Access Control) design, federation, lifecycle monitoring metrics; enforce least privilege, just-in-time/just-enough access.
- Privileged Access Management: Lead CyberArk operations for vaulting, credential rotation, session monitoring/recording, access brokering; integrate with IdP, ticketing, and automation to reduce risk and improve efficiency.
- Application Security and DevSecOps: Establish secure SDLC standards, threat modeling, secure code reviews, SAST (Static Application Security Testing)/DAST (Dynamic Application Security Testing)/SCA(Software Composition Analysis) in CI/CD, developer training; enforce configuration management; track AppSec KPIs (coverage, defect density, remediation time).
- Cloud and External Services Reviews: Conduct security reviews, analysis, and continuous monitoring of cloud/external services; validate FedRAMP inheritance and compensating controls; enforce CSPM policies; perform vendor risk assessments; run quarterly posture reviews and remediation.
- Operations, IR, and Forensics: Lead SOC operations and major incident response including after-hours surge; drive root cause analysis, lessons learned, corrective actions; direct IT forensics and eDiscovery with proper chain-of-custody and audit-ready evidence.
- Continuity, Contingency, and Service Recovery: Direct BCP (Business Continuity Plans)/DR (Disaster Recovery) strategy with defined RTO (Recovery Time Objective)/RPO (Recovery Point Objective); run tabletop and failover exercises; manage dependency mapping, evidence capture, and corrective actions to meet restoration objectives.
- Supply Chain Risk Management: Support ICT (Information and Communications Technology) SCRM (Supply Chain Risk Management) across development, acquisition, maintenance, and disposal; integrate NIST SP 800-161r1 practices, oversee ongoing monitoring and end-of-life disposal controls.
- Infrastructure Asset Identification and Classification: Establish authoritative asset inventory and classification standards; integrate with CMDB and DHS CDM for visibility, control coverage, and risk reporting.
- Independent Reviews and SCIF Support: Coordinate internal and third-party independent security reviews; support SCIF-related security operations and processes as required.
- Tool Refresh and Maturation: Plan refresh cycles and maturity targets for SIEM (Splunk), EDR/XDR, vulnerability scanning, IAM/IdP, PAM (CyberArk), DLP, CSPM/CWPP, configuration management tools, and cloud-native services; measure efficacy and ROI; deprecate low-value tools.
- Cybersecurity and Privacy Training: Own awareness and role-based training programs; coordinate content, track completion, measure effectiveness (e.g., phishing resilience), and drive continuous improvement.
- Reporting and Deliverables: Deliver monthly/quarterly reports covering FISMA IG maturity, POA&M status/closure, CDM dashboards, SIEM coverage and detection efficacy, incident metrics (MTTD/MTTR), audit response packages, training metrics, continuity/DR test results, and executive risk dashboards.
- Performs other job-related duties as assigned.
Requirements:
- 10+ years of cybersecurity leadership; 5+ years leading federal or large enterprise programs with multi-vendor teams.
- Demonstrated privacy program leadership in federal environments; partnership with SAOP; execution of PIAs (Privacy Impact Assessments)/SORNs (Systems of Records Notices) and privacy control assessments.
- Deep experience with NIST RMF, FISMA, OMB guidance, NIST SP 800-series (including 53/53A and privacy controls), CISA BODs, FedRAMP, DHS CDM.
- Proven A&A/Ongoing Authorization leadership; strong continuous monitoring, assessment planning/execution, evidence management, POA&M remediation.
- SIEM/Splunk expertise: detections, dashboards, content tuning, data onboarding, audit/log monitoring, and threat analytics.
- IAM governance: IdP/IAM platforms (Azure AD/Entra, Okta, Ping), conditional access/MFA, lifecycle automation, ABAC/RBAC policy design, identity proofing, federation.
- PAM/CyberArk: architecture and operations for vaulting, credential rotation, session recording, least privilege, JIT/JEA access, and workflow integrations.
- Application Security/DevSecOps: secure SDLC, threat modeling, secure code reviews, CI/CD integrations; tooling such as GitLab/GitHub Actions, SonarQube, Veracode, Snyk; familiarity with NIST SSDF.
- SOC leadership, incident response, forensics/eDiscovery; cloud security governance across major CSPs; CSPM/CWPP policy design and enforcement.
- SCRM and vendor risk management implementing NIST SP 800-161r1; SBOM practices; lifecycle controls from acquisition through disposal.
- BCP/DR planning and execution; defined RTO/RPO; exercise orchestration and evidence management.
- Strong automation orientation; ability to write and evaluate code in PowerShell, Python, SQL, Java; familiarity with VBA.
- Experience establishing authoritative asset inventories and CMDB/CDM integrations; audit logging standards and compliance mapping.
- Bachelor’s in Cybersecurity, Information Assurance, Computer Science, Engineering, or related field; Master’s preferred.
- Certifications preferred: CISSP, CISM, CRISC, CAP, CCSP, PMP.
- Splunk certifications (e.g., Power User, Admin) and CyberArk certifications (Defender, Sentry, Guardian) preferred.
- Privacy certification strongly preferred: CIPP/G or equivalent federal privacy leadership experience.
- Must pass pre-employment qualifications of Cherokee Federal.
Benefits:
- Medical
- Dental
- Vision
- 401K
- Other possible benefits as provided. Benefits are subject to change with or without notice.
Similar Jobs
Chief Information Security Officer
Chief Information Security Officer focusing on governance and risk management in fintech company. Responsible for implementing information security management systems under ISO 27001 standards.
Cybersecurity Governance Analyst
Governance Analyst contributing to Cybersecurity governance at SailPoint. Involve in policy documentation and compliance activities aligned with industry best practices.
Senior Cloud Cyber Security Engineer
Senior Cloud Cyber Security Engineer designing secure cloud architectures and ensuring compliance for Sentara Health. Conducting security assessments and collaborating with cross-functional teams to enhance cloud security.
Senior Manager, Product Security
Senior Manager of Product Security at Amgen developing strategies to counter threats to the global supply chain. Responsible for overseeing security initiatives and collaborating across diverse teams.
Account Executive – Cybersecurity, Risk Assurance
Account Executive managing complex B2B sales for Sensiba’s cybersecurity and risk assurance services. Focusing on ISO/IEC 27001, SOC 1, and SOC 2 engagements with C-suite executives.
Social Security Claims Specialist
Social Security Specialist at Lincoln Financial handling Social Security Disability Insurance claims. Acts as liaison between internal teams, claimants, and legal representation.
Senior Manager, Cloud Security Consultant
Senior Manager in cloud security at PwC focusing on cybersecurity threats. Leading development and implementation of cloud security strategies with advanced technologies.
Adjunct Faculty, Fundamentals of Networking – Cybersecurity
Adjunct Faculty teaching online course Fundamentals of Networking at UMGC. Engaging adult learners and fostering collaboration in a remote setting.
IT Sales Manager – Modern Infrastructure, Cyber Security, Managed Services
IT Sales Manager responsible for driving B2B sales in Modern Infrastructure, Cyber Security, and Managed Services. Collaborating with consulting teams and establishing new markets in Germany.
Head of Compliance – HIPAA and Security
Head of Compliance (HIPAA) leading strategic legal support and data governance for Bask Health. Overseeing compliance frameworks, training, and regulatory adherence in a remote setup.
Security Engineer
Security Engineer protecting Serve’s delivery platform and infrastructure while collaborating with IT and engineering teams. Ensuring security best practices across cloud infrastructure and applications.
Member of Technical Staff – Security
First dedicated security hire responsible for building security practices at AI infrastructure company. Defining company-wide security strategy and collaborating with engineering and research teams.
Cybersecurity Engineer
Cybersecurity Engineer responsible for maintaining security in compliance-driven environments for Teal. Protecting clients through security monitoring, vulnerability management, and incident response.
Cybersecurity Lead
Lead Cybersecurity Strategy at Intersect, safeguarding critical systems in a cloud-first environment. Collaborate cross-functionally to integrate security practices for innovative energy solutions.
Principal, Multicloud Data Center Solutions – AI, Data Security & Resilience
Lead development of solutions for enterprise Multicloud/Data Center, AI & Data and Security & Resilience at Dell Technologies. Engage with customers and drive transformative technology solutions.
Lead Security Officer – Rotational
Lead Security Officer ensuring health, safety and security for clients in remote settings. Providing oversight, training, and recommendations based on security operations.
Security Officer, Seasonal
Remote Security Officer monitoring and patrolling assigned areas for safety and security. Working in remote settings where health, safety, and security is a priority.
Platform Engineer, Security
Platform & Security Engineer responsible for IT infrastructure and security at Cosuno. Leading compliance and operational excellence in a remote role.
Security and Threat Operations Engineer
Security and Threat Operations Engineer protecting the fintech environment at OnePay. Collaborating with teams to proactively identify and respond to security threats.
Security Implementation Engineer
Security Implementation Engineer responsible for deploying, configuring, and implementing cybersecurity solutions. Focused on security infrastructure projects across customer environments in Logically's client base.