CFGI is seeking a Cybersecurity GRC & CMMC Assessment Subject Matter Expert to lead and deliver strategic advisory engagements that strengthen clients' security governance, risk management, and compliance posture—with a primary focus on CMMC Level 2 and Level 3 assessment preparation, gap analysis, and remediation support. This role blends hands-on delivery, executive communication, and practice leadership. You will work directly with CISOs, CIOs, CFOs, Program Security Officers, Facility Security Officers, Risk Leaders, and PE deal teams to design pragmatic CMMC compliance programs, build operating models, and drive measurable outcomes.
The ideal candidate brings deep expertise in CMMC assessment methodology (NIST SP 800-171/800-172, DFARS 252.204-7012/7021), GRC frameworks, and regulatory compliance, with strong consulting instincts and a proven ability to lead teams and manage multiple client workstreams.
Key Responsibilities:
Client Advisory & Delivery:
- Lead end-to-end CMMC assessment and GRC engagements, including scoping, gap analysis, SSP/POA&M development, remediation planning, and executive reporting.
- Design and operationalize cybersecurity governance models (policies, standards, risk appetite, committees, reporting KPIs/KRIs).
- Build and mature enterprise risk programs: risk assessments, risk registers, control libraries, and control testing approaches.
- Conduct CMMC readiness assessments and mock assessments against NIST SP 800-171 practice domains; develop and implement security policies, standards, and procedures aligned to applicable frameworks (CMMC, NIST CSF, ISO 27001/27002, CIS, SOC 2, FedRAMP).
- Support regulatory readiness and compliance initiatives (e.g., SEC cyber disclosure support, NYDFS 500, GDPR/UK GDPR, CCPA/CPRA, HIPAA, PCI DSS, SOX ITGC, CMMC, FedRAMP alignment where applicable).
- Advise defense industrial base (DIB) clients on Controlled Unclassified Information (CUI) scoping, CUI registry management, and system boundary definition to support CMMC Level 2 and Level 3 compliance.
- Perform vendor/third-party risk assessments and implement scalable TPRM operating models, including supply chain risk assessments in the context of DFARS and CMMC flow-down requirements.
- Support clients in calculating and submitting NIST SP 800-171 self-assessment scores to SPRS, and in developing and maintaining POA&Ms and System Security Plans (SSPs), to demonstrate assessment readiness.
- Coordinate cross-functional stakeholders (Legal, IT, Security, Compliance, Product, HR) to drive outcomes and adoption.
Executive Communication & Stakeholder Management:
- Translate complex technical, regulatory, and privacy requirements into business-oriented recommendations.
- Deliver executive-ready artifacts: board/audit committee materials, roadmaps, operating models, heatmaps, and risk dashboards.
- Serve as a trusted advisor to senior leadership; confidently present findings and influence decisions.
Practice Development & Leadership:
- Contribute to go-to-market development: offerings, templates, accelerators, methodologies, and points of view.
- Support business development through proposal writing, SOW development, client presentations, and solution shaping.
- Mentor and develop consultants and managers; lead teams across multiple engagements while maintaining quality and delivery rigor.
- Partner with other CFGI service lines (Accounting Advisory, CFO Advisory, Technology Enablement) to deliver integrated solutions.
Required Qualifications:
- 8–12+ years of relevant experience in cybersecurity GRC, CMMC assessment, risk management, compliance, or consulting (level will map to experience); hands-on CMMC assessment or readiness support experience strongly preferred.
- Bachelor’s degree in a related field is required.
- Demonstrated expertise implementing and operationalizing cybersecurity frameworks and control programs: CMMC Level 2 & Level 3, NIST SP 800-171 / 800-172 (required); NIST CSF / NIST SP 800-53, ISO 27001/27002, SOC 2, CIS, FedRAMP controls (supporting experience valued).
- Familiarity with privacy fundamentals as they intersect with CUI handling and federal compliance (e.g., the NIST SP 800-171 3.13 System and Communications Protection requirement family); deep privacy program expertise is not required but is a plus.
- Experience performing or leading: CMMC readiness assessments and mock assessments (Level 2 and/or Level 3), NIST SP 800-171 gap assessments and remediation planning, SSP and POA&M development and maintenance, enterprise/security risk assessments, control design/testing, policy and standards development aligned to CMMC practice domains, DFARS clause compliance reviews and supply chain flow-down assessments, and compliance/regulatory readiness programs.
- Exceptional written and verbal communication skills with a track record of producing executive-level deliverables.
- Proven ability to lead teams, manage timelines/budgets, and deliver in a client-facing environment.
Preferred Qualifications (Nice-to-Have):
- Certifications: Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), CISM, CISSP, CRISC, CISA.
- PE/portfolio company experience: rapid maturity uplift, integration, carve-out/stand-up, and pragmatic road mapping.
- Exposure to incident readiness, tabletop exercises, and crisis communications coordination with Legal/Comms.
- Experience supporting audits and assurance activities (SOC 2 readiness, ISO certification readiness, CMMC third-party assessments as part of a C3PAO or DIBCAC-adjacent engagement).
Why CFGI:
- High-impact work with sophisticated clients and private equity portfolio companies.
- Opportunity to shape and scale a fast-growing Cybersecurity practice.
- Collaborative culture with autonomy, flexibility, and strong leadership support.
- Competitive compensation, benefits, and career growth trajectory.