Cybersecurity Risk Manager
Date: Feb 13, 2026
Location: Lexington, MA, US
Company: MIT Lincoln Laboratory
Who are we?
MIT Lincoln Laboratory is a Federally Funded Research and Development Center (FFRDC) whose mission is research in support of National Security.
- Mission - The Security Services Department's (SSD) overall mission is to identify and counter security threats to the MIT Lincoln Laboratory's (MIT LL) mission of development of game-changing technology in support of national security, including guarding against compromise by foreign intelligence agencies and insider threats.
- Culture - We foster an inclusive, opportunity-filled environment of empowered team members from diverse backgrounds.
What will you do?
- Reporting directly to the Laboratory's Chief Information Security Officer (CISO), you will have enterprise-level responsibility for managing and sustaining organizational efforts for the Laboratory's Cyber Maturity Model Certification (CMMC) program compliance, to include planning for future implementation of additional regulatory and contractual requirements
- You will directly lead and oversee daily operations of the Laboratory's Cybersecurity Risk Management Team (CRMT), a team of cybersecurity professionals who are the core component of the Laboratory's Enterprise Risk Management Program, providing daily technical and operational supervision, mentoring, and performance oversight for Cybersecurity Risk Analysts and Cybersecurity Risk Managers
- Participate in personnel retention efforts for staff, and schedule and conduct candidate screening and interviews for team vacancies
- Define team strategy, goals, action plans, and metrics aligned with Laboratory, Cybersecurity and Security Department strategic initiatives
- Assist in staff goal setting and performance appraisals, and identify opportunities for professional development
- Develop, administer and predict team budgets and schedules in accordance with established organization strategy
- Assess technologies, systems, and components to identify cybersecurity risks and conduct security impact analyses
- Work closely with the IT department, collaborating on enterprise activities and security requirements
- Conduct security impact analysis of emerging technologies and components intended for use across the Laboratory enterprise
- Serve as Product Owner for the Laboratory's Governance, Risk, and Compliance (GRC) tool, ensuring alignment with mission objectives and strong user adoption
- Evaluate and understand complex system environments and determine whether the appropriate level of security measures is enforced based on applicable security best practices and/or governing policies and regulations
- Assist in planning, organizing and leading enterprise-level IT security projects related to network, system and data security, enterprise information security reporting, auditing, as well as system risk management and mitigation, to include Cyber Maturity Model Certification (CMMC), Zero Trust Architecture and others
- Participate in ongoing meetings with Laboratory management and present briefings and reports regarding risk assessments and evaluations of emerging technology
- Participate in corporate policy and procedure development, and maintain Cybersecurity Risk Management Team operating procedures
- Develop and maintain cybersecurity policies, processes, and procedures aligned with requirements and industry best practices
What you need/requirements:
- Must be a U.S. citizen
- Education: Bachelor's degree in Computer Science, Information Technology, Computer Information Systems, or related field is required
- Experience: Seven (7) or more years of management experience in a Defense Industrial Base (DIB) setting is desired, with related work in the following areas: Security Control Assessor, Information Assurance, Risk Assessment, IT Security, or equivalent combination of education and experience
- Leadership: Demonstrated capability in leading cross-functional teams and presenting ideas both in writing and orally within a collaborative team environment
- Thorough understanding of National Institute of Standards and Technology (NIST) Special Publications 800-171, 800-171a, 800-172, 800-172a, Federal Information System Modernization Act (FISMA) processes, the Federal Risk and Authorization Management Program (FedRAMP) requirements for cloud security, Defense Federal Acquisition Regulation Supplement (DFARS) requirements for Safeguarding Covered Defense Information and Cyber Incident Reporting, and Cyber Maturity Model Certification (CMMC)
- Demonstrated knowledge of the CMMC Assessment Process (CAP)
- GRC tool experience
- Technical experience, skills and industry IT certifications may be considered substitutes for DIB security experience
- Demonstrated knowledge of technology testing and evaluation methods and procedures, including the development of techniques for system acceptability testing and evaluation by establishing test criteria and data to ensure program modules and outputs are validated appropriately
- Must have excellent oral, written and presentation skills
- Demonstrated ability to multitask projects/programs and to redirect priorities as needed
- The position has a direct interface and coordination role with members of the IT Department; the candidate must have a demonstrated ability to work across organizational units and with customers
- Selected candidate must be a reliable self-starter who makes sound, well-informed and objective decisions, works independently under minimal supervision, with a demonstrated ability to manage complex situations, follow up and solve problems
- Must have excellent interpersonal communication, organizational, and customer service skills
- Excellent writing skills are required in order to complete extensive written reports, documenting inspection findings and observations
- Position may require local and some overnight travel
- The selected candidate will be subject to a pre-employment background investigation and must be able to obtain a Top Secret level security clearance with compartmented program eligibility
Ideally you will have:
- Demonstrated knowledge of the National Industrial Security Program Operations Manual (NISPOM), as well as the DCSA Assessment and Authorization Guide (DAAG), based on the Risk Management Framework (RMF), NIST 800-53 controls and other associated NIST publications, SAP/SCI Community and Intelligence Community requirements and directives, to include JSIG, and ICD 503
- Experience as a product owner of a technical program, such as a GRC or other IT tool
- Cybersecurity management certifications, such as CISSP, CISM, or IT auditor certification, such as the CISA or GNSA. Other relevant certifications, including DoDM 8140 baseline certifications, are viewed favorably
- CMMC Certified Professional (CCP), CMMC Certified Assessor (CCA)
How will you grow?
You will find significant opportunities to do meaningful work in an environment intentionally designed to be one where you will learn, thrive and belong.
- Leadership: Room to advance on your team or to lead cross-functional projects.
- Growth Opportunities: Potential for lateral and vertical movement.
- Education/Training: Management training, mentorship, in-house and external courses.
- Exposure: Engagement with sponsors, stakeholders, Laboratory leadership and other Departments and Divisions.
- Community: Participation is encouraged for Laboratory social events, Employee Resource Groups (ERGs), clubs and study groups, volunteering and community service projects.

Hiring Range: $147,600 - $199,300
Disclaimer: MIT Lincoln Laboratory provides a typical hiring range as a good faith estimate of what we reasonably expect to offer for this position at the time of posting. The final salary offered to a selected candidate will depend on various factors, including, but not limited to, the scope and responsibilities of the role, the candidate's experience, skills and education/training, internal equity considerations and applicable legal requirements. This range reflects base salary only and does not include additional forms of compensation or benefits.

At MIT Lincoln Laboratory, our exceptional career opportunities include many outstanding benefits to help you stay healthy, feel supported, and enjoy a fulfilling work-life balance. Benefits offered to employees include:
- Comprehensive health, dental, and vision plans
- MIT-funded pension
- Matching 401K
- Paid leave (including vacation, sick, parental, military, etc.)
- Tuition reimbursement and continuing education programs
- Mentorship programs
- A range of work-life balance options
- ... and much more!
Please visit our Benefits page for more information. As an employee of MIT, you can also take advantage of other voluntary benefits, discounts and perks.

Selected candidate will be subject to a pre-employment background investigation and must be able to obtain and maintain a Secret level DoD security clearance.

MIT Lincoln Laboratory is an Equal Employment Opportunity (EEO) employer. All qualified applicants will receive consideration for employment and will not be discriminated against on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability status, or genetic information; U.S. citizenship is required.

Requisition ID: 42712
Nearest Major Market: Boston Job Segment: Cyber Security, Military Intelligence, Security Clearance, Laboratory, Compliance, Security, Government, Science, Legal