Security Policy and Compliance Lead Job Description

Position Overview

Key Responsibilities

• Lead and oversee enterprise cybersecurity policy and compliance support activities across SBA systems applications and programs.
• Manage and support the SBA Risk Management Framework (RMF) lifecycle including system authorization assessment continuous monitoring and ongoing authorization activities.
• Develop review revise maintain and update cybersecurity and privacy documentation including SSPs CMPs ISCPs ISCP Test Reports ERAs POA&Ms policies procedures and architecture diagrams.
• Ensure documentation aligns with SBA implementation procedures NIST SP 800-series guidance FISMA requirements OMB mandates FedRAMP and Zero Trust principles.
• Lead controls assessment and evaluation activities in accordance with NIST SP 800-53 and NIST SP 800-53A methodologies.
• Coordinate and support Information System Continuous Monitoring (ISCM) activities Ongoing Authorization (OA) testing and enterprise cybersecurity metrics reporting.
• Provide ISSO oversight and coordination support for assigned systems ensuring systems maintain compliance with authorization requirements and agency security standards.
• Support FISMA reporting activities including collection validation analysis and submission of enterprise cybersecurity metrics and CyberScope reporting.
• Coordinate audit support activities for Inspector General (IG) GAO FISMA FedRAMP and internal cybersecurity audits.
• Support development and maintenance of cybersecurity dashboards risk registers visualizations and automated compliance reporting capabilities.
• Facilitate High Value Asset (HVA) assessment activities and ensure alignment with CISA and OMB requirements.
• Support FedRAMP Continuous Monitoring (CONMON) activities and facilitate monthly stakeholder meetings.
• Support enterprise vulnerability management coordination remediation tracking and compliance reporting.
• Develop and deliver cybersecurity awareness and compliance training content in support of agency requirements.
• Coordinate enterprise risk management (ERM) integration activities utilizing FAIR methodology and cybersecurity risk quantification.
• Ensure all deliverables are peer reviewed Section 508 compliant and submitted in accordance with SBA-defined timelines and quality standards.
• Serve as a trusted advisor to SBA leadership ISSOs system owners and program stakeholders regarding cybersecurity governance policy and compliance matters.

Required Qualifications

• Bachelors degree in Cybersecurity Information Assurance Information Technology Computer Science Engineering or related field. Masters degree preferred.
• Minimum of ten (10) years of experience supporting federal cybersecurity policy compliance RMF and FISMA programs.
• Minimum of five (5) years of experience serving in an ISSM ISSO cybersecurity compliance lead or equivalent leadership role.
• Demonstrated expertise in NIST RMF processes NIST SP 800-53 Rev. 5 NIST SP 800-53A FISMA OMB Circular A-130 and federal cybersecurity governance.
• Experience developing and maintaining cybersecurity documentation including SSPs POA&Ms SARs ISCPs CMPs and related accreditation artifacts.
• Experience supporting continuous monitoring ongoing authorization (OA) audit readiness and security controls assessments.
• Strong understanding of federal cybersecurity compliance frameworks including FedRAMP CISA HVA requirements and Zero Trust Architecture.
• Experience supporting enterprise governance risk and compliance (GRC) platforms and automated reporting solutions.
• Excellent written and verbal communication skills with experience supporting executive briefings audits and stakeholder coordination.
• Relevant cybersecurity certifications such as CISSP CISM CAP GSLC or equivalent required.
• Project Management Professional (PMP) certification preferred.
• Ability to obtain and maintain a Moderate Risk background investigation and eligibility for higher-level clearances if required.

Desired Experience

• Experience supporting SBA DHS CISA or other civilian federal agencies.
• Experience supporting FedRAMP cloud environments including AWS Azure Microsoft 365 Salesforce and SaaS platforms.
• Experience developing enterprise cybersecurity dashboards metrics automation and data visualizations.
• Experience supporting enterprise risk management (ERM) integration and FAIR-based risk quantification.