What are the responsibilities and job description for the Senior SCRM Analyst position at Federal Staffing Solutions Inc.?
Job Description:
The Senior Cybersecurity Supply Chain Risk Management (SCRM) Analyst supports a Federal Agency by managing cybersecurity risks across the Agency’s complex, interconnected Information, Communications, and Operational Technology (ICT/OT) supply chain. This role helps ensure that ICT/OT products and services remain secure, reliable, and resilient throughout their lifecycle.
Responsibilities include reviewing procurement documentation, evaluating
supplier risk, and identifying Cyber Information Security Agency (CISA) Known
Exploited Vulnerabilities (KEV) to prioritize remediation of actively exploited
supply chain vulnerabilities that guide procurement decisions or asset
redirection.
Requirements:
- U.S. citizenship is required
- Must have or be able to receive a Public Trust
- Candidate must live in the Washington, D.C., metropolitan area. The position requires working onsite for three days and remotely two days in Washington, D.C.
Qualifications and Experience:
- Bachelor’s degree in computer science, cybersecurity, or related field from an accredited institution (Master's degree preferred).
- 8 years of experience in cybersecurity, risk management, or supply chain analysis. Equivalent combinations of experience, certifications, or demonstrated prior work may substitute for formal experience.
- Certifications: CISSP, CISSM, AWS Certified Security, Azure Security Engineer Associate, Security+, Network+ or equivalent IT certifications (preferred)
Responsibilities:
- Establish the context for risk-based decisions to identify, assess, and mitigate cybersecurity risks of supply chain compromise, both intentional and unintentional.
- Review and interpret criticality, threat, vulnerability, likelihood, and impact associated with the distributed and interconnected nature of information, communications, and operational technology (ICT/OT) product and service supply chains.
- Ensure the integrity, security, quality, and resilience of the supply chain and its products and services.
- Develop detailed technical vulnerability reports for ICT products and "as-a-service" procurements.
- Identify areas where existing security policies and procedures require updates or where new ones should be developed.
- Provide subject matter expertise on Configuration Control Boards (CCB) and Engineering Review Boards to contribute to the creation of security architecture standards for the adoption of new technologies.
- Identify, quantify, and recommend mitigation actions for security risks impacting enterprise projects.
- Produce management reporting, and monitor risk exposure and the effectiveness of risk mitigation on an ongoing basis, including tracking changes to an information system or supply chain using effective enterprise communications and a feedback loop to stakeholders and vendors for continuous improvement.