Cybersecurity Supply Chain Risk Management Subject Matter Expert (Anticipated Position)

Location:

Remote / virtual support, aligned to Eastern Time core hours

Clearance Required

Active Top Secret clearance with SCI eligibility

Position Summary

The C-SCRM Subject Matter Expert will support GSA FAS/ASD in maturing its Cybersecurity Supply Chain Risk Management program from a compliance-focused model to a proactive, risk-informed enterprise capability. The SME will assess current C-SCRM practices, improve documentation and risk assessment processes, support strategy development, recommend scoring methodologies, develop practical C-SCRM guides, and advise stakeholders on cybersecurity, supplier risk, acquisition risk, and emerging technology considerations.

Key Responsibilities

• Lead assessment of current C-SCRM documentation practices and recommend standardized templates, naming conventions, version control practices, and collaboration processes
• Review current vendor risk assessment processes covering supplier ownership, foreign influence, cybersecurity posture, product or service criticality, supply chain dependencies, and prohibited source risks
• Develop recommendations for improving consistency, repeatability, accuracy, and usefulness of C-SCRM risk assessments
• Review existing C-SCRM questionnaires and recommend improvements to question clarity, evidence collection, applicability, scoring, and risk-informed decision support
• Develop or support development of a standardized C-SCRM Risk Assessment Framework
• Support development of a C-SCRM Strategy and Implementation Plan, including priorities, governance approach, maturity objectives, roadmap, milestones, dependencies, and responsible parties
• Assist with planning, coordination, tracking, and execution of C-SCRM projects
• Develop C-SCRM guides, standard operating procedures, frameworks, briefings, and other written deliverables as requested
• Support integration of C-SCRM into acquisition processes and stakeholder workflows
• Provide expert analysis related to NIST SP 800-161, cybersecurity risk management, enterprise risk management, acquisition assurance, supplier risk, and emerging cybersecurity requirements
• Support monthly status reporting, technical meetings, deliverable reviews, and Government stakeholder engagement
• Work with minimal direction and produce executive-ready written products
  
  

Required Qualifications

• Minimum 3 years of experience establishing or supporting risk management programs, including C-SCRM
• Demonstrated experience across the PWS task areas, including C-SCRM documentation, vendor risk assessment, questionnaire/scoring methodology, strategy development, and guide development
• High-level cybersecurity or risk management certification, such as CISSP, CISM, or CRISC
• Active Top Secret clearance with SCI eligibility
• Strong knowledge of NIST SP 800-161, cybersecurity supply chain risk management, federal acquisition risk, and cyber risk frameworks
• Strong written and oral communication skills
• Ability to work independently with senior Government stakeholders
  
  

Preferred Qualifications

• Experience supporting GSA, DHS, DoD, IC, or other federal cybersecurity or acquisition programs
• Experience with Section 889, FASCSA, supplier risk, foreign ownership/control/influence concerns, prohibited source analysis, or acquisition assurance
• Experience developing federal SOPs, implementation plans, risk frameworks, scoring rubrics, stakeholder guides, and executive briefings
• Familiarity with AI-enabled risk management, automation, post-quantum cryptography planning, continuous monitoring, and enterprise C-SCRM maturity models