Risk Management Project Director
Gunnison Consulting Group Inc Washington, DC

Expired: April 16, 2024. Applications are no longer accepted.
  • Retirement
  • Full-Time

We are seeking a motivated and customer-oriented professional to support our HHS client.

Location: Remote

Duties and responsibilities include:

  • Provide strategic leadership to the enterprise cybersecurity risk management task area of the Cybersecurity Support Services (CSS) program at the Department of Health and Human Services (HHS).
  • Provide strategic leadership of activities required under Circular A-123, Management Responsibility for Internal Controls, as well as those under the Federal Managers Financial Integrity Act of 1982, improving accountability and effectiveness of federal programs and operations.
  • Manage communication between contract support, federal leads, and the HHS Risk Branch Chief regarding personnel, processes, contract deliverables, etc.
  • Conduct assessments to determine the likelihood and potential impact of identified risks in each program area.
  • Anticipate and identify risks associated with risk program areas, develop and recommend risk mitigation plans to minimize the impact of identified risks, and work with HHS to implement changes to mitigate risks and improve overall HHS risk posture.
  • Work with Risk Team Leads to mature HHS Risk area programs and processes.
  • Provide leadership and guidance to the Risk Team, fostering a culture of risk awareness and accountability.
  • Continuously evaluate and improve HHS' risk management processes, tools, and methodologies based on industry best practices and lessons learned.
  • Ensure that risk management practices comply with relevant regulatory requirements and industry standards.
  • Support additional activities under other task areas of the contract, as directed by the CSS Program Manager.

Required Qualifications:

  • Understanding of risk-related guidance from the National Institute of Standards and Technology (NIST); particularly Special Publication 500, 800, and 1800 series, as well as Interagency or Internal Reports (NISTIRs) and related artifacts.
  • Identifying factors and circumstances that may influence or lead to the formation of risks, issues, and opportunities.
  • Eliciting risks, issues, and opportunities from historical references, technical documentation, business processes, and U.S. Government-approved interview techniques, such as prompt lists and dipstick queries.
  • Experience defining and explaining risks, issues, and opportunities from a:
    • Threat-centric approach.
    • Control-centric approach.
    • Vulnerability-centric approach.
  • Experience performing all steps of the NIST Risk Management Framework (RMF).
  • Experience with both identifying and modeling threats.
  • Excellent verbal and written communication required.

Desired Qualifications:

  • Performing enterprise risk assessments.
  • Performing enterprise risk analyses (qualitative, quantitative, and semi-quantitative).
  • Performing issue and opportunity impact assessments and analyses.
  • Performing privacy threshold assessments (PTAs) and privacy impact analyses (PIAs).
  • Evaluating and comparing mitigations (including cost/benefit and time/resource evaluations).
  • Performing analyses of alternatives (AoAs).
  • Familiarity (prefer experience) with multi-layer and multi-dimensional relationships between specific and enterprise risks, issues, and opportunities, as described in ISO 31000, the 7 imperatives of Continuous Adaptive Risk and Trust Assessment (CARTA), the COSO Cube®, and (ISC)2.
  • Working familiarity with U.S. Government approved mitigation approaches.
  • Experience as an Information System Security Officer (ISSO) and/or a Security Control Assessor (SCA).
  • Performing physical facility risk, issue, and opportunity (RIO) walkthrough inspections.
  • Developing taxonomies to clarify the policy-level relationship between traditional GRC and privacy.
  • Procedure development and process improvement, such as ITIL, Lean, Six Sigma, and CMMI.
  • The following certifications and training are preferred:
    • Project Management Professional (PMP)
    • Certified Risk Manager (CRM) or Certified Risk Management Professional (CRMP)
    • Completion of U.S. Government authorized RMF training, either:
      • Introduction to the RMF, from the Center for Development of Security Excellence (CDSE), Defense Counterintelligence and Security Agency; or
      • RMF for Systems and Organizations Introductory Course - Version 2, from NIST.
    • Certified Authorization Professional (CAP), Certified Information Systems Security Professional (CISSP), and/or Certified Cloud Security Professional (CCSP)

Education Requirement: Bachelor's degree in Business Administration, Cybersecurity, or a related field required.

Clearance Requirement: Ability to obtain and maintain a Public Trust.
Why Join Gunnison?

  • Gunnison takes on ambitious projects. We target fun, challenging work that requires creative thinking and innovation.
  • Quality is our top priority.
  • Gunnison employee benefits meet or exceed what other companies in the Washington, D.C. metropolitan area offer.
  • There is a great sense of camaraderie at Gunnison. This is an atmosphere we will maintain as we continue to grow.
  • We are growing rapidly and the opportunity for individual professional growth with Gunnison is outstanding.
  • We hire for careers at Gunnison, not to fill a position.

Employee Benefits

Gunnison employee benefits meet or beat other companies in the Washington, D.C. metropolitan area, including:

  • Bonuses AND profit-sharing!
  • 401k Matching
  • Certifications and training allowance $2,500/year
  • 3 weeks of personal leave your first year (160 hours can roll over every year)
  • 5 days of Flex-Time-Off per year

Equal Opportunity/Affirmative Action Employer. Must be eligible for employment in the United States. We are unable to sponsor candidates at this time.

In 1994 Gunnison Consulting Group began serving the greater Washington, D.C. metro area, focused on tackling our customers' most ambitious technology projects. By creating a culture dedicated to enabling our customers and employees to achieve more than they ever thought they could, the company has thrived for over 25 years.
Address

Gunnison Consulting Group Inc

Washington, DC
20003 USA

Industry

Finance and Insurance

Salary: $119,700 to $190,100 yearly.