Security Policy and Compliance Manager
Cybervance.com
Office
Washington, DC
Full Time
Position Title: Security Policy and Compliance Manager
Location: On Site - Washington, D.C.
Clearance Required: Public Trust
Cybervance is a rapidly growing information security and information technology company in Washington, D.C., that designs, develops, and manages the successful execution of training programs for government and private sector organizations. We are an equal opportunity employer. Cybervance believes in creating innovative solutions to deliver measured results.
Cybervance is seeking a highly skilled Security Policy and Compliance Lead to support our federal customer in ensuring security standards, policies, and regulatory requirements are met across enterprise systems.
The Security Policy and Compliance Lead will be responsible for developing, maintaining, and overseeing security documentation, implementing and assessing security controls, and leading risk management efforts in alignment with NIST and federal standards. The ideal candidate will bring hands-on expertise in security authorization and assessment (A&A), continuous monitoring, and policy oversight, coupled with strong leadership skills and the ability to communicate effectively with both technical and executive stakeholders.
Responsibilities:
- Develop, maintain, and manage security documentation required for the Authorization and Accreditation (A&A) package, including System Security Plans (SSPs), Contingency Plans (CPs), and Security Assessment Reports (SARs).
- Provide oversight and development of Plans of Action and Milestones (POA&Ms) and ensure timely remediation of identified risks.
- Lead and perform all continuous monitoring activities, ensuring security controls remain effective and compliant with federal regulations.
- Conduct and document risk assessments based on NIST standards, ensuring that system design and implementation sufficiently mitigate Information Assurance (IA) risks.
- Implement, assess, and validate NIST SP 800-53A security controls for federal agencies, ensuring systems achieve and maintain compliance.
- Apply advanced risk management techniques to identify vulnerabilities and provide recommendations for mitigation strategies.
- Collaborate with technical teams to integrate security into system development life cycles and operational processes.
- Utilize data analysis, data mining, and business intelligence techniques to correlate data from disparate sources, identify trends, and create informative risk/compliance dashboards and visualizations.
- Provide guidance on security policy, compliance requirements, and audit readiness to technical and business stakeholders.
- Stay current with evolving federal security requirements, emerging technologies, and industry best practices to maintain a compliance posture.
Required Skills and Experience:
- At least 5 years of hands-on experience developing required A&A documentation (SSP, CP, SAR) and overseeing POA&Ms, with continuous monitoring responsibilities performed within the last three years.
- CISSP certification required.
- Minimum of 5 years’ experience implementing NIST 800-53A security controls in federal environments.
- Strong expertise in applying risk management frameworks and conducting risk assessments in accordance with NIST standards.
- 1+ years of experience working with data structures, data mining, and business intelligence, including correlating disparate data sources and creating data-driven visualizations.
- Strong understanding of federal security and compliance requirements (e.g., NIST RMF, FISMA, FedRAMP).
- Excellent written and verbal communication skills, with proven ability to prepare clear, concise, and compliant documentation.
- Strong analytical and problem-solving skills with attention to detail.
- Ability to collaborate effectively across technical, compliance, and executive teams.
Education and Certifications:
- Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field (or equivalent experience).
- CISSP certification required.
- Additional certifications such as CISM, CISA, CAP, or Security+ are desirable.
September 26, 2025