Cyber Risk Management Project Manager
Gunnison Consulting Group Inc is Hiring a Cyber Risk Management Project Manager Near Washington, DC

Job Description


Gunnison Consulting is seeking a Cybersecurity Risk Assessment Lead to work in the Washington, DC area to support the Department of Health and Human Services' (HHS) cybersecurity mission of ensuring HHS can actively protect the vital health information with which it is entrusted, respond to existing and emerging cybersecurity threats, and continue to enhance the program to ensure HHS has the capability and capacity to respond to new and emerging requirements, technologies and threats.

The Cybersecurity Risk Assessment Lead will work with the HHS Office of Information Services (OIS) Cybersecurity Risk Management Branch federal client and the Cybersecurity Risk Management Project Manager in the development, coordination, and execution of Risk Assessments through HHS OpDivs/StaffDivs. The candidate must be able to lead a small team in support of a fast-paced and dynamic customer environment with broad impact to the customer's mission. The role requires a competent leader, self-starter, and strong problem solver who can identify/anticipate requirements and provide creative solutions to the team.

Location: Remote

Duties and responsibilities include:

  • Lead risk assessments, develop strategies to mitigate risks, identify potential vulnerabilities to the organization's IT infrastructure, and ensure compliance with industry regulations.
  • Create and utilize a Cyber Risk Register to aggregate and normalize the risks documented at the Department level.
  • Monitor and analyze emerging cyber threats and provide proactive solutions to mitigate risks.
  • Collaborate with cross-functional teams to implement and execute enterprise risk assessments.
  • Develop and maintain GRC risk assessment procedures.
  • Stay updated on the latest industry trends and technologies related to cyber risk management.
  • Communicate risk assessment findings and recommendations to senior management and stakeholders.
  • Maintain documentation of all risk management processes, procedures, and findings.
  • Monitor, track, and report assessment results for risk owners, and escalate risks to Senior Leadership.
  • Develop mitigation and corrective action plans with application/system owners.
  • Define expectations for assessments/re-assessments.
  • Communicate and collaborate with internal teams, stakeholders, and leadership.
  • Assist with tracking and remediation of vulnerabilities.
  • Recommend appropriate policy, standards, process, and procedural updates as part of comprehensive remediation solutions.
  • Develop and provide key risk metrics for the cybersecurity risk management program.
  • Develop and maintain documentation in support of audit reviews.

Required Qualifications:

  • Bachelor's degree and seven (7) or more years of related professional experience; Master's degree and three (3) or more years of related professional experience
  • 7 years of project management experience as a government contractor
  • Proficient with Microsoft Products (Excel, Word, Project)
  • Strong presentation skills and ability to adapt to various customers, to include government and/or contractors
  • Possess an inclination for critical thinking and analytical approaches to solving problems involving issues that are not readily defined and/or conflict with available information, with the ability to reach sound decisions quickly by employing systematic, multi-step approaches
  • Ability to resolve complex issues
  • Ability to work independently
  • Demonstrated knowledge of cybersecurity concepts and principles
  • Superior writing and communication skills
  • Industry-standard cybersecurity certification required (e.g. Security+, CISM)
  • CRISC certified or in-progress

Desired Qualifications:

  • Performing enterprise risk assessments.
  • Performing enterprise risk analyses (qualitative, quantitative, and semi-quantitative).
  • Performing issue and opportunity impact assessments and analyses.
  • Performing privacy threshold assessments (PTAs) and privacy impact analyses (PIAs).
  • Evaluating and comparing mitigations (including cost/benefit and time/resource evaluations).
  • Performing analyses of alternatives (AoAs).
  • Familiarity (prefer experience) with multi-layer and multi-dimensional relationships between specific and enterprise risks, issues, and opportunities, as described in ISO 31000, the 7 imperatives of Continuous Adaptive Risk and Trust Assessment (CARTA), the COSO Cube®, and (ISC)2.
  • Working familiarity with U.S. Government approved mitigation approaches.
  • Experience as an Information System Security Officer (ISSO) and/or a Security Control Assessor (SCA).
  • Performing physical facility risk, issue, and opportunity (RIO) walkthrough inspections.
  • Developing taxonomies to clarify the policy-level relationship between traditional GRC and privacy.
  • Procedure development and process improvement, such as ITIL, Lean, Six Sigma, and CMMI.
  • The following certifications and training are preferred:
    • Project Management Professional (PMP)
    • Certified Risk Manager (CRM) or Certified Risk Management Professional (CRMP)
    • Completion of U.S. Government authorized RMF training, either:
      • Introduction to the RMF, from the Center for Development of Security Excellence (CDSE), Defense Counterintelligence and Security Agency; or
      • RMF for Systems and Organizations Introductory Course - Version 2, from NIST.
    • Certified Authorization Professional (CAP), Certified Information Systems Security Professional (CISSP), and/or Certified Cloud Security Professional (CCSP)

Education Requirement: Bachelor's degree in Computer Science, Information Systems, Engineering or related field (or equivalent experience: 5 years of experience)

Clearance Requirement: Ability to obtain and maintain a Public Trust.

Why Join Gunnison?

  • Gunnison takes on ambitious projects. We target fun, challenging work that requires creative thinking and innovation.
  • Quality is our top priority.
  • Gunnison employee benefits meet or exceed what other companies in the Washington, D.C. metropolitan area offer.
  • There is a great sense of camaraderie at Gunnison. This is an atmosphere we will maintain as we continue to grow.
  • We are growing rapidly and the opportunity for individual professional growth with Gunnison is outstanding.
  • We hire for careers at Gunnison, not to fill a position.

Employee Benefits

Gunnison employee benefits meet or beat other companies in the Washington, D.C. metropolitan area, including:

  • Bonuses AND profit-sharing!
  • 401k Matching
  • Certifications and training allowance $2,500/year
  • 3 weeks of personal leave your first year (160 hours can roll over every year)
  • 5 days of Flex-Time-Off per year

Equal Opportunity/Affirmative Action Employer. Must be eligible for employment in the United States. We are unable to sponsor candidates at this time.

In 1994 Gunnison Consulting Group began serving the greater Washington, D.C. metro area, focused on tackling our customers' most ambitious technology projects. By creating a culture dedicated to enabling our customers and employees to achieve more than they ever thought they could, the company has thrived for over 25 years.

Job Summary

  • Job type: Full Time
  • Salary: $155k-194k (estimate)
  • Post date: 05/07/2024
  • Expiration date: 05/20/2024
  • Website: gunnisonconsulting.com
  • Headquarters: Alexandria, VA
  • Size: 50 - 100
  • Founded: 1994
  • CEO: David Uehlinger
  • Revenue: $10M - $50M
  • Industry: Business Services
