CFGI

GRC and CMMC Assessment Lead - Senior Manager

United States | Full time | Senior level | Manager


CFGI is seeking a Cybersecurity GRC & CMMC Assessment Subject Matter Expert to lead and deliver strategic advisory engagements that strengthen clients' security governance, risk management, and compliance posture, with a primary focus on CMMC Level 2 and Level 3 assessment preparation, gap analysis, and remediation support. This role blends hands-on delivery, executive communication, and practice leadership. You will work directly with CISOs, CIOs, CFOs, Program Security Officers, Facility Security Officers, Risk Leaders, and private equity (PE) deal teams to design pragmatic CMMC compliance programs, build operating models, and drive measurable outcomes.

The ideal candidate brings deep expertise in CMMC assessment methodology (NIST SP 800-171/800-172, DFARS 252.204-7012/7021), GRC frameworks, and regulatory compliance, with strong consulting instincts and a proven ability to lead teams and manage multiple client workstreams.

Responsibilities


Client Advisory & Delivery:

  • Lead end-to-end CMMC assessment and GRC engagements, including scoping, gap analysis, SSP/POAM development, remediation planning, and executive reporting.

  • Design and operationalize cybersecurity governance models (policies, standards, risk appetite, committees, reporting KPIs/KRIs).

  • Build and mature enterprise risk programs: risk assessments, risk registers, control libraries, and control testing approaches.

  • Conduct CMMC readiness assessments and mock assessments against NIST SP 800-171 practice domains; develop and implement security policies, standards, and procedures aligned to applicable frameworks (CMMC, NIST CSF, ISO 27001/27002, CIS, SOC 2, FedRAMP).

  • Support regulatory readiness and compliance initiatives (e.g., SEC cyber disclosure support, NYDFS 500, GDPR/UK GDPR, CCPA/CPRA, HIPAA, PCI DSS, SOX ITGC, CMMC, FedRAMP alignment where applicable).

  • Advise defense industrial base (DIB) clients on Controlled Unclassified Information (CUI) scoping, CUI identification and inventory management, and assessment boundary definition to support CMMC Level 2 and Level 3 compliance.

  • Perform vendor/third-party risk assessments and implement scalable TPRM operating models, including supply chain risk assessments in the context of DFARS and CMMC flow-down requirements.

  • Support clients in developing and maintaining NIST SP 800-171 self-assessment scores posted to the Supplier Performance Risk System (SPRS), Plans of Action and Milestones (POA&Ms), and System Security Plans (SSPs) to demonstrate assessment readiness.

  • Coordinate cross-functional stakeholders (Legal, IT, Security, Compliance, Product, HR) to drive outcomes and adoption.

Executive Communication & Stakeholder Management:

  • Translate complex technical, regulatory, and privacy requirements into business-oriented recommendations.

  • Deliver executive-ready artifacts: board/audit committee materials, roadmaps, operating models, heatmaps, and risk dashboards.

  • Serve as a trusted advisor to senior leadership; confidently present findings and influence decisions.

Practice Development & Leadership:

  • Contribute to go-to-market development: offerings, templates, accelerators, methodologies, and points of view.

  • Support business development through proposal writing, SOW development, client presentations, and solution shaping.

  • Mentor and develop consultants and managers; lead teams across multiple engagements while maintaining quality and delivery rigor.

  • Partner with other CFGI service lines (Accounting Advisory, CFO Advisory, Technology Enablement) to deliver integrated solutions.

Requirements

  • Eight plus years of relevant experience in cybersecurity GRC, CMMC assessment, risk management, compliance, or consulting (level will map to experience); hands-on CMMC assessment or readiness support experience strongly preferred.

  • Bachelor’s degree in a related field is required.

  • Demonstrated expertise implementing and operationalizing cybersecurity frameworks and control programs: CMMC Level 2 & Level 3 and NIST SP 800-171 / 800-172 (required); NIST CSF / NIST SP 800-53, ISO 27001/27002, SOC 2, CIS, and FedRAMP controls (supporting experience valued).

  • Familiarity with privacy fundamentals as they intersect with CUI handling and federal compliance (e.g., the NIST SP 800-171 System and Communications Protection requirement family, 3.13); deep privacy program expertise is not required but is a plus.

  • Experience performing or leading: CMMC readiness assessments and mock assessments (Level 2 and/or Level 3); NIST SP 800-171 gap assessments and remediation planning; SSP and POA&M development and maintenance; enterprise/security risk assessments; control design and testing; policy and standards development aligned to CMMC practice domains; DFARS clause compliance reviews and supply chain flow-down assessments; and compliance/regulatory readiness programs.

  • Exceptional written and verbal communication skills with a track record of producing executive-level deliverables.

  • Proven ability to lead teams, manage timelines/budgets, and deliver in a client-facing environment.

Preferred Qualifications

  • Certifications: Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), CISM, CISSP, CRISC, CISA.

  • PE/portfolio company experience: rapid maturity uplift, integration, carve-out/stand-up, and pragmatic road mapping.

  • Exposure to incident readiness, tabletop exercises, and crisis communications coordination with Legal/Comms.

  • Experience supporting audits and assurance activities (SOC 2 readiness, ISO certification readiness, CMMC third-party assessments as part of a C3PAO or DIBCAC-adjacent engagement).

What We Offer

  • High-impact work with sophisticated clients and private equity portfolio companies.

  • Opportunity to shape and scale a fast-growing Cybersecurity practice.

  • Collaborative culture with autonomy, flexibility, and strong leadership support.

  • Competitive compensation, benefits, and career growth trajectory.


Location & Eligibility

Location: United States (hybrid within the country)
Eligibility: US

Listing Details

Posted: April 24, 2026
