What are the responsibilities and job description for the Compliance Manager (NIST Cybersecurity Framework Maturity Lead) (Contract) position at Planet Pharma?
Description
Seeking an experienced, self-directed cybersecurity contractor to serve as the NIST Cybersecurity Framework (CSF) Maturity Lead for a focused six-month engagement. This individual will own the design, execution, and documentation of our journey toward NIST CSF maturity — driving the organization from its current baseline to a defined, measurable, and sustainable maturity target. The Lead will operate with a high degree of autonomy, partnering with a junior GRC contractor and collaborating across IT, Engineering, Quality, and Regulatory functions. This is a build role: the person we hire will create the processes, tooling, and governance artifacts needed to support the program — and will be accountable for ensuring those outputs can be transitioned to internal staff at engagement close.
Requirements
What You’ll Do NIST CSF Assessment & Roadmap
Seeking an experienced, self-directed cybersecurity contractor to serve as the NIST Cybersecurity Framework (CSF) Maturity Lead for a focused six-month engagement. This individual will own the design, execution, and documentation of our journey toward NIST CSF maturity — driving the organization from its current baseline to a defined, measurable, and sustainable maturity target. The Lead will operate with a high degree of autonomy, partnering with a junior GRC contractor and collaborating across IT, Engineering, Quality, and Regulatory functions. This is a build role: the person we hire will create the processes, tooling, and governance artifacts needed to support the program — and will be accountable for ensuring those outputs can be transitioned to internal staff at engagement close.
Requirements
What You’ll Do NIST CSF Assessment & Roadmap
- Lead a current-state assessment of company cybersecurity posture against the NIST CSF (v1.1 or v2.0) across all five Functions: Identify, Protect, Detect, Respond, and Recover.
- Establish a target maturity tier and define a prioritized, time-boxed roadmap with clear milestones within the six-month engagement window.
- Map existing controls (policies, procedures, technical safeguards) to CSF Categories and Subcategories; identify gaps and document residual risk.
- Where NIST CSF does not apply directly, leverage equivalent controls from NIST 800-53, ISO 27001, SOC 2, CMMC, or other applicable frameworks to provide crosswalk evidence. Program Governance &
- Establish and maintain a formal program charter, RACI matrix, and weekly status reporting cadence for all NIST CSF workstreams.
- Own the program plan — maintaining tasks, owners, dependencies, and milestone dates with rigorous tracking and proactive escalation of blockers.
- Manage the junior GRC contractor: assign work, review deliverables, provide structured feedback, and ensure quality and consistency across outputs.
- Run structured stakeholder meetings, produce clear meeting notes, action registers, and decision logs.
- Maintain a living program dashboard visible to CISO and senior leadership reflecting current maturity scores, risk posture, and roadmap status.
- Draft, revise, and finalize cybersecurity policies, standards, procedures, and control narratives required to close CSF gaps.
- Design and implement repeatable processes for control execution — including access reviews, vulnerability management SLA tracking, patch governance, and control attestations.
- Develop evidence collection templates, control calendars, and checklists to support ongoing monitoring post-engagement.
- Build a governance repository (SharePoint, Confluence, or equivalent) organized for auditability and long-term operability.
- Maintain a cybersecurity risk register aligned to CSF subcategories, capturing likelihood, impact, ownership, and remediation status.
- Facilitate risk assessment workshops with IT, Engineering, and Quality stakeholders; document findings and drive decisions to closure.
- Identify, document, and manage exceptions; develop compensating controls where remediation timelines extend beyond engagement scope. Stakeholder Engagement & Influence
- Operate as the primary point of accountability for all NIST CSF maturity activities, working without direct authority over functional teams.
- Build trusted relationships across IT, Engineering, Quality, Legal, and Regulatory Affairs to drive compliant outcomes.
- Communicate program status, risk posture, and decisions clearly to both technical and executive audiences.
- Deliver training or awareness content to stakeholders on relevant control expectations and their responsibilities.
- Design all processes with handoff in mind: document workflows, runbooks, and control calendars sufficient for an internal team member to continue operating the program independently.
- Conduct formal knowledge transfer sessions in the final 30 days of the engagement.
- Produce a final engagement report summarizing maturity progress, residual gaps, and recommended next steps.
- 7 years of experience in cybersecurity, GRC, or a closely related field.
- Demonstrated hands-on experience leading a NIST CSF assessment, gap analysis, or maturity improvement program — OR equivalent depth in NIST 800-53, ISO 27001, SOC 2, or CMMC with proven ability to apply crosswalk to NIST CSF.
- Strong project management skills: the ability to build and manage a formal program plan, track milestones, escalate risks, and deliver consistently on schedule.
- Proven track record of working autonomously in contractor or consulting roles with minimal supervision.
- Experience managing or mentoring junior team members and reviewing their work for quality.
- Demonstrated ability to build processes and documentation from scratch that are designed to outlast the builder’s tenure.
- Experience producing executive-facing reporting (dashboards, risk summaries, status decks).
- Strong written communication skills — policies, procedures, and program documentation must be clear, concise, and audit-ready.
- Prior engagement in a regulated industry (medical device, pharma, financial services, defense) where compliance rigor and documentation standards are high.
- Familiarity with the NIST CSF v2.0 update and its new Govern function.
- Experience with GRC platforms (ServiceNow GRC, Archer, Drata, Vanta, or similar).
- Relevant certifications: CISM, CRISC, CGRC/CAP, CISSP, ISO 27001 Lead Implementer, or equivalent.
- Familiarity with FDA cybersecurity guidance in the context of medical device GRC (a plus, not a requirement).
- Must be able to operate as a self-starter — define the work, not just execute it.
- Must demonstrate structured thinking: organized, methodical, detail-oriented with an eye for process quality.
- Must be comfortable with ambiguity and building structure in environments where it does not yet fully exist.
- Must communicate proactively — surfacing issues, seeking alignment, and keeping stakeholders informed without being prompted.