1 Program Manager Critical Infrastructure Protection Job in Sacramento, CA

Sacramento Municipal Utility District
Sacramento, CA | Full Time
$135k-173k (estimate)
3 Weeks Ago
Program Manager Critical Infrastructure Protection

Sacramento Municipal Utility District is Hiring a Remote Program Manager Critical Infrastructure Protection

Department: CIP Compliance
Location: Sacramento, CA, US, 95819-4628
Category: Legal

Minimum Pay Rate: $142,188.80

Maximum Pay Rate: $188,323.20

Posting Type: Open

Please Note: This posting will remain open until a sufficient quantity of qualified applicants have been received but may close at any time without notice after 4/12/2024. Applicants are encouraged to apply early to ensure they are considered.

This posting intends to fill one (1) regular, full-time position and establish an eligibility list which may be used to fill regular, full-time, or limited term positions, over the next two (2) years.

This role in SMUD’s Reliability Compliance & Coordination Department will oversee SMUD’s compliance with the North American Electric Reliability Corporation (NERC) CIP standards. The role involves collaborating with staff and experts responsible for maintaining systems governed by these standards. Responsibilities include:

  • Investigating events and deviations potentially violating NERC standards
  • Managing CIP audits
  • Aiding in compliance and risk assessment

This role also serves as a technical internal expert on CIP standards, identifying and promoting internal controls to mitigate future CIP issues. Additionally, it involves actively monitoring and engaging with regulatory bodies such as FERC, NERC, WECC, neighboring utilities, and internal units to inform management and project teams about relevant developments and trends affecting CIP.

This position will require onsite work at one of SMUD's Sacramento area offices, 2-3 days a week.

Purpose

Program Manager Critical Infrastructure Protection (CIP) oversees the SMUD CIP program, which includes ensuring the program meets FERC/NERC/NRC and other security regulatory obligations. This position acts as a liaison with internal and external stakeholders for development and implementation of governance and technology compliance. The role provides in-depth knowledge and technical expertise on security (both cyber and physical), NERC CIP requirements, industry best practices, controls, and information governance; and has responsibilities to monitor and direct all self-log, self-report, and mitigation plan activities. This position is expected to perform technical detailed analysis on NERC CIP compliance assessments, root causes, and controls reviews to strengthen the NERC CIP compliance program for SMUD.

Nature and Scope

Program Manager CIP is the subject matter expert/consultant-level classification in the CIP Compliance Specialist series. This position assumes responsibility for resolving routine to complex problems, providing project oversight, and establishing that SMUD's CIP program meets FERC/NERC/NRC and other regulatory protection criteria. The role may also serve in a lead/supervisory role and assist in planning, coordinating, prioritizing, monitoring and evaluating work results in assigned areas and in selecting, training, motivating, evaluating and developing lower-level personnel.

Duties and Responsibilities

  • Leads the oversight of NERC reliability and security CIP compliance activities.
  • Oversees CIP physical and cyber security governance, compliance, and risk; introduces, monitors, and enforces policy to ensure organization-wide compliance and security risk management is aligned with strategic goals, applicable laws, and regulations.
  • Acquires and manages the necessary resources, including leadership support, financial resources, and key personnel, to support reliability and security goals and objectives and reduce overall organizational risk.
  • Performs self-certification reviews, compliance assessments, risk assessments, controls monitoring, and corrective action activities related to internal controls and compliance oversight activities.
  • Advises executive and senior management on compliance and security risk levels, reliability and security posture, and cost/benefit analysis of compliance and security programs, policies, processes, and systems.
  • Participates in the development, implementation, and maintenance of NERC CIP reliability standards.
  • Ensures research, coordination, development, and communication of CIP policies, procedures, and standards as set forth by regulatory requirements from NERC, FERC, WECC, and other regulatory agencies.
  • Facilitates readiness reviews with peer organizations and regulatory bodies, as necessary.
  • Interfaces with external organizations (e.g., government agencies like FERC, DOE, or DHS, law enforcement, utilities) to ensure appropriate and accurate dissemination of information both internally and externally.
  • Ensures that compliance and security improvement actions are evaluated, validated, and implemented as required.
  • Identifies implications of new technologies or technology upgrades on compliance and security.
  • Monitors and evaluates the effectiveness of the enterprise's security controls to ensure that they provide the intended level of protection.
  • Tracks performance and completion of activities supporting CIP compliance and directs optimization activities related to governance risk and compliance tools supporting overall compliance activities.
  • Tracks audit findings and recommendations.
  • Participates in investigations of suspected security breaches and policy violations; communicates unresolved risk exposures, misuse, or noncompliance situations.
  • Manages the development and implementation of outreach programs, seminars, workshops, and bulletins to further personnel compliance and security education and awareness; maintains technical reference library; develops training materials for personnel as appropriate.
  • Oversees initiatives in support of annual and long-range compliance and security goals, strategies, metrics, reporting mechanisms and program services, and maturity models and roadmaps for continual program improvements.
  • Supports a high performance, accountable culture, clearly setting expectations, mentoring direct reports, coaching, and motivating the team via Agile fundamentals; implements professional development plans for all members of the team, ensuring appropriate skill sets and resources are in place to meet current and future needs.
  • Performs other related duties as needed to include working outside of typical business hours when necessary.

Required Education

  • Bachelor's degree in Cybersecurity, Computer Science, Information Technology, Management Information Systems, Computer Information Systems or related field, or equivalent experience. If no degree, eleven (11) years of relevant experience is required.

Required Experience Qualifications

  • Seven or more (7+) years of progressively responsible relevant work experience in cybersecurity governance, risk and compliance, electric utility compliance or progressively responsible relevant work experience in security and/or compliance.

Knowledge Of

  • Cybersecurity governance, risk, and compliance fundamentals.
  • Laws, regulations, policies, and ethics as they relate to both physical security and cybersecurity.
  • FERC, NERC or NRC related cyber security regulations, standards, and requirements, particularly NERC Critical Infrastructure Protection (CIP) standards.
  • Fundamentals, procedures, and practices of reliability compliance related to electric utilities.
  • Risk management processes (e.g., methods for assessing and mitigating risk).
  • Critical infrastructure systems with information communication technology that were designed without system security considerations.
  • Federal, State and local laws, codes and regulations governing reliability compliance standards.
  • Specific operational impacts of cybersecurity lapses.
  • Encryption algorithms.
  • Data backup and recovery.
  • Business continuity and disaster recovery continuity of operations plans.
  • Host/network access control mechanisms (e.g., access control list, capabilities lists).
  • Cybersecurity fundamentals used to manage risks related to the use, processing, storage, and transmission of information or data.
  • Vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
  • The NIST Risk Management Framework (RMF) requirements.
  • How traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
  • Supply Chain Risk Management Practices (NIST SP 800-161).
  • Network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
  • Network security architecture concepts including topology, protocols, components, and fundamentals (e.g., application of defense-in-depth).
  • Methods and techniques for planning, organizing, directing, controlling work activities, training staff, report preparation, and writing.
  • Concepts of interconnected electric utility operations.
  • Utility regulatory policies and processes.
  • Fundamentals and practices for delegating, prioritizing, assigning and reviewing work assignments.
  • Fundamentals and practices for motivating, coaching, mentoring, and training employees.
  • Practices of program evaluation.
  • Safety policies, practices, and procedures.
  • Procedures and practices for monitoring and managing projects.
  • Fundamentals and practices of various analytical approaches, research, resolution, and resolving complex technical issues.
  • Fundamentals, practices, and procedures related to power system operation, advanced power system theory.
  • Basic distribution and transmission engineering concepts.
  • Systems and concepts related to economic operation of a power system.
  • Planning and design techniques.
  • Standard operating procedures for modern office equipment including a computer and applicable software.
  • English grammar, punctuation, and vocabulary standards.

Skills To

  • Establish and maintain essential working relationships internally with compliance, reliability, and security stakeholders, and externally with industry peers and regulators.
  • Research, recommend and resolve complex issues.
  • Generate several viable alternatives to complex issues.
  • Advise on the creation or modification of policies that reflect security objectives.
  • Manage professionals in complex projects.
  • Identify how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • Interact with others to influence and motivate.
  • Plan, organize, direct, control, and review the work of others.
  • Interpret, evaluate, apply, and implement pertinent policies, procedures, regulations and requirements including current and future standards from FERC, NERC, WECC and other regulatory agencies, as well as SMUD policies, procedures, applicable MOU and/or other special agreements.
  • Stay informed of new and emerging information technology and cybersecurity technologies, as well as threats and vulnerabilities.
  • Prepare and implement plans, procedures, and practices.
  • Compile and prepare technical, statistical and/or analytical reports and presentations.
  • Develop presentations and reports for executive and Board level audiences.
  • Develop and conduct oral presentations to internal/external audiences.
  • Express ideas/facts clearly and concisely one-on-one and to groups.
  • Plan, organize, prioritize, and schedule projects.
  • Evaluate and resolve complex technical issues.
  • Gather data from appropriate sources and identify relevant factors.
  • Evaluate procedures/systems and develop/implement operational improvements.
  • Identify the potential long-term outcomes of a change in operations.
  • Research, evaluate and provide recommendations to achieve department objectives.
  • Utilize a personal computer and/or computer terminal, systems, and software relevant to the job.

Desirable Qualifications

  • Experience: 5 or more (5+) years of experience in CIP reliability compliance with strong knowledge of NERC CIP Reliability Standards. Progressively responsible relevant work experience in electrical operations, energy management systems, IT networks, or cybersecurity.
  • Education: Master's Degree in Cybersecurity, Management Information Systems, Computer Information Systems, Computer Science or Information Technology related discipline.

Physical Requirements

Applicants must be able to perform the essential job functions with or without a reasonable accommodation.

Sacramento Municipal Utility District (SMUD) - Who We Are

As the nation's sixth-largest community-owned electric service provider, we're proud of our reputation as one of the best places to work in Sacramento. Our employees tell us in our engagement surveys they're "Happy, satisfied and engaged" which helps create a workplace that best serves our customers. Sacramento was named as the 2nd happiest place to work in America by Forbes Magazine. Lake Tahoe, San Francisco and the world-renowned Napa Valley are within easy driving distance of our locations.

Our Commitment to Diversity & Inclusion

SMUD celebrates diversity, and inspires an inclusive culture based on trust and respect to create belonging and connection among our employees, customers, and communities. By working together, we are powering positive, equitable opportunities for all. We aspire to be a workplace where you can be yourself, achieve your best, and thrive together.

An example of our commitment to Diversity, Equity, Inclusion, and Belonging is when SMUD signed the California Equal Pay Pledge in 2020. This requires equal pay for employees who perform “substantially similar work,” when viewed as a composite of skill, effort, and responsibility at the time those employees started within that classification. As such, initial hiring salary range is not subject to negotiation and salaries will vary over time based on performance.

SMUD is proud to be an equal opportunity employer. We do not discriminate in employment decisions on the basis of race, color, religion, gender (including pregnancy), national origin, political affiliation, sexual orientation, gender identity or expression, marital status, disability, genetic information, age, veteran status, or any other applicable legally protected characteristic. All employment decisions are made on the basis of individual qualifications, merit, and business needs and interests.

Why Sacramento, California?

The capital of California, Sacramento is the state's sixth-largest city, and the 35th largest in the U.S. Local universities include California State University, University of the Pacific's McGeorge School of Law, the University of California, Davis, and several competitive community colleges. The UC Davis Medical Center, a world-renowned research hospital, is one of more than a dozen hospitals and shared services centers in the Sacramento region. Part of the agriculturally rich Central Valley, Sacramento is at the forefront of the farm-to-fork food movement. Northern California is home to some of the country's top technology companies, including Google and LinkedIn, and a multitude of startups in many industries. Sacramento is home to the NBA Kings, the River Cats (AAA baseball), and the Republic FC (soccer), and the San Francisco Giants, NBA Warriors and NFL 49ers aren't far away. Sacramento offers an affluent liberal arts community with Broadway, Mondavi Center, Crocker Museum and summer musical theater, to name a few.

Hybrid Work
This position will require onsite work at one of SMUD's Sacramento area offices, 2-3 days a week. This position may be eligible for SMUD's remote work employee benefit, the schedule of which will be determined by the successful candidate and the Hiring Manager. SMUD takes pride in powering the Sacramento region community where we live and work. We value the strong working relationships we develop with our colleagues. Our approach to remote work will continue to evolve. Please be aware that should SMUD’s business needs change, emergencies occur, or various other reasons arise, you may be required to report onsite on a part-time or full-time basis.

SMUD provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, gender, sexual orientation, gender identity or expression, national origin, age, disability, genetic information, marital status, amnesty, or status as a covered veteran in accordance with applicable federal, state and local laws. SMUD complies with applicable state and local laws governing non-discrimination in employment in every location in which the company has facilities. This policy applies to all terms and conditions of employment, including, but not limited to, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.

SMUD expressly prohibits any form of unlawful employee harassment based on race, color, religion, gender, sexual orientation, gender identity or expression, national origin, age, genetic information, disability, or veteran status. Improper interference with the ability of SMUD employees to perform their expected job duties is absolutely not tolerated.

Req ID: 1263

Job Summary

JOB TYPE

Full Time

INDUSTRY

Utilities

SALARY

$135k-173k (estimate)

POST DATE

04/03/2024

EXPIRATION DATE

06/02/2024

WEBSITE

smud.org

HEADQUARTERS

SACRAMENTO, CA

SIZE

1,000 - 3,000

FOUNDED

1946

CEO

ARLEN ORCHARD

REVENUE

$1B - $3B

About Sacramento Municipal Utility District

As the nation's sixth-largest community-owned electric service provider, SMUD has been providing low-cost, reliable electricity for over 70 years to Sacramento County (and small adjoining portions of Placer and Yolo Counties). SMUD is a recognized industry leader and award winner for its innovative energy efficiency programs, renewable power technologies, and for its sustainable solutions for a healthier environment. Learn more about what it's like to work at SMUD and see all available positions at smud.org/careers.
