Disclaimer:

By submitting your resume for this job posting, you authorize CMT Services, Inc. to forward your resume to all applicable internal and external managers, agencies, and recruitment personnel for review and consideration to hire.

ABOUT US:

CMT Services, Inc. is a dynamic and growing small business supporting Federal, State, and Local government agencies. As a SBA-certified HUBZone, Woman Owned Small Business (WOSB), we deliver quality, professional services to support the missions and strategic business goals of our clients. Leaning on our core values of Integrity & Commitment, CMT’s mission is to continue delivering the highest quality services to our customers by applying best practices from our team of Industry experts ensuring not only our customers success, but the establishment of CMT Services as their Reliable Partner of Choice.

Position Summary:

Take a lead role in support of Montgomery County's Office of Enterprise Information Security’s cloud cybersecurity compliance program. Identify and prioritize cloud-related risks enterprise-wide, executing comprehensive risk assessments and control gap analyses in line with established information security policies and widely recognized risk management frameworks applicable to a range of public cloud environments. This is an ON-SITE position located in Rockville, MD with a duration of one year and potential for extension.

Start Date: 04/01/2024

Location: Rockville, MD 20850 (ON - SITE)

Responsibilities:

• Conducting thorough reviews of legal contracts and agreements relevant to cloud services, including service level agreements (SLAs), data processing agreements (DPAs), and vendor contracts. This involves interpreting complex legal language and terms to ensure compliance with information security and privacy requirements, identifying potential risks or areas of non-compliance, and articulating these findings in a clear, comprehensible manner to business units and legal counsel.
• Liaise closely with County attorneys and business stakeholders to provide actionable insights, ensuring that contractual obligations align with the County’s governance, risk, and compliance frameworks and standards.
• Designing, implementing, and continuously improving the County’s cloud information security/privacy compliance program based on applicable policies, local/state/federal laws/regulations and adopted risk management frameworks.
• Designing, implementing, leading cloud-based risk assessments and control gap analysis procedures, activities, documents, and communication plans
• Leveraging NIST 800-53/FedRAMP assessment experience, technical, and program management skills to lead, plan, track, collaborate and report on the cloud governance, risk compliance program deliverables, including scheduling/leading meetings, assigning/tracking action items, and developing status reports.
• Performing cross functional interviews with business, technical and information security partners to determine if information security/privacy controls are implemented correctly, operating as intended, and producing the desired results.
• Communicating program controls, measurements, metrics, and assessment results confidentially, professionally, and effectively, in both written and verbal formats, with business, technical, and third-party stakeholders.

Required:

• 5 years-experience applying governance, risk, compliance principles to public cloud ecosystems such as AWS (Amazon), Azure (Microsoft) and/or (GRC) Google
• 5 years-experience designing/implementing cloud-based information security/privacy polices mapped to industry standards and regulatory frameworks (e.g., NIST 800-53, FedRAMP, PCI, HIPAA etc.)
• Experience designing, implementing, and performing cloud-based risk assessments and control gap analysis; identifying, analyzing, and evaluating cloud security/privacy risks through analysis of vendor-provided SOC2 and other cloud security control documentation.
• Experience developing monitoring, gathering, and analyzing information security and compliance metrics for management for the cloud environment.
• Proven ability to communicate confidentially, professionally, and effectively, in both written and verbal formats, with business, technical, and third-party stakeholders.