Security Policy and Compliance Lead

Innosoft Corporation
Washington, DC Full Time
POSTED ON 9/24/2025
AVAILABLE BEFORE 11/23/2025

SECURITY POLICY AND COMPLIANCE LEAD

Project: SBA Enterprise Cybersecurity Services
Client: U.S. Small Business Administration (SBA)
Agency: SBA Office of the Chief Information Officer
Location: Washington DC 20416
Contract Duration: FTE Position
Interview Type: Virtual
Tentative Start Date: October 15 2025

Project Overview

The U.S. Small Business Administration (SBA) provides critical value-added services to the small business community. To protect mission-critical systems, applications, and sensitive data, the SBA Office of the Chief Information Officer (OCIO) Information Security Division (ISD) is strengthening its enterprise cybersecurity posture. The SBA IT ecosystem is centered on a 20,000-node MPLS infrastructure, two primary data centers, seventy regional field offices, and a mix of on-premises and cloud-hosted environments, including Microsoft O365/M365/D365, Amazon Web Services (AWS), Salesforce, and over forty SaaS products.

The ISD seeks innovative and adaptable cybersecurity professionals with expertise in cybersecurity policy and compliance, risk management, continuous monitoring, and governance frameworks. The Security Policy and Compliance Lead will be instrumental in ensuring compliance with NIST standards, FISMA, and SBA-specific information assurance requirements across the enterprise.

Duties/Responsibilities

The Security Policy and Compliance Lead will:

  • Develop, review, and maintain required Authorization & Accreditation (A&A) documentation, including System Security Plans (SSP), Contingency Plans (CP), Security Assessment Reports (SAR), and associated deliverables.
  • Oversee and manage Plans of Action and Milestones (POA&Ms) to track, remediate, and close identified security risks and weaknesses.
  • Lead all continuous monitoring functions, ensuring security controls are tested, validated, and reported per SBA and federal standards.
  • Conduct risk assessments leveraging NIST Risk Management Framework (RMF) to identify, assess, and mitigate cybersecurity and information assurance risks.
  • Support SBA in the implementation of NIST SP 800-53A security controls across enterprise systems and verify compliance for FISMA reporting.
  • Correlate and analyze information from data structures, data mining, and business intelligence tools to produce risk dashboards, compliance visualizations, and executive-level reporting.
  • Collaborate with SBA stakeholders, including the Chief Information Security Officer (CISO), ISSOs, and privacy/compliance staff, to integrate cybersecurity into system lifecycle activities.


Requirements

Education

Required: Bachelor’s degree in Computer Science, Information Technology, Cybersecurity, or closely related discipline.

Preferred: Master’s degree in a related field with specialization in cybersecurity, risk management, or information assurance.

Required Experience
  • At least 8 years of Information Technology experience and minimum 5 years of direct experience developing and maintaining A&A documentation (SSP, CP, SAR) and managing POA&Ms.
  • Demonstrated ability to perform continuous monitoring and compliance reporting within the last three years.
  • Strong experience applying risk management frameworks (NIST RMF, SP 800-37) to federal systems.
  • At least 5 years implementing NIST 800-53A security controls for federal agencies.
  • At least 1 year of experience in data structures, data mining, business intelligence, including correlating data from multiple disparate sources to develop compliance dashboards and reports.
  • CISSP Certification required.


Benefits
Standard Employee Benefits.

50% Health Insurance Paid by Innosoft, Paid Vacation, 401K Match, STD, LTD, and AD&D paid by Innosoft. See attached Innosoft Benefits Guide.

