GRC CMMC Consultant

Job Summary: 
The Governance, Risk, and Compliance (GRC) CMMC Consultant is a client-facing role that helps build, manage, and maintain cybersecurity compliance programs for clients across various industries, primarily within the government sector where most clients will be government contractors or sub-contractor providers that need to comply with government regulations.

The GRC Consultant supports the Assessment, Program Establishment, and Support work required for Abacode’s clients to become and remain compliant with their respective cybersecurity and privacy frameworks.  The GRC Consultant develops client reporting and metrics, updates dashboards, and collects and validates evidence/artifacts.
 
Duties/Responsibilities: 

• Participates in day-to-day operations and client engagement activities across various client projects involving compliance readiness and assessment.
• Supports the Abacode GRC team with conducting on-going and new assessments of controls, processes, and procedures across multiple compliance standards:
  • Primary standards and frameworks: NIST 800-171, NIST 800-53, and NIST CSF
  • Secondary standards and frameworks: SOC 2, ISO 27001, HIPAA, PCI DSS and CIS
• Supports clients with maintaining compliance with such frameworks by guiding them through control execution and evidence collection and review. 
• Supports compliance, policy, procedural, and technical review of client information security and/or compliance program(s), providing maturity and improvement recommendations based on experience and industry best practices.
• Performs security controls gap analysis and identification based on compliance mandates, standards, and security benchmarks.
• Documents security controls inventory of client systems within the GRC portals.
• Provides tactical guidance aimed at helping clients meet compliance requirements across applicable security standards and frameworks.
• Performs audit liaison activities, guiding and assisting clients with audit preparation, evidence identification and gathering, and responding to audit questions.
• Manages continual compliance requirements for multiple clients. Works with clients to identify opportunities for improvement for client’s security controls.
• Builds internal company partnerships and collaborates with team leaders to determine the company's services, delivery criteria, and solutions for issues that may arise.
• Supports evidence collection for internal audits.
• Identifies and makes suggestions for improvements when problems and/or opportunities arise.
• Keeps up to date with developments in the cybersecurity, privacy, and GRC areas of specialization.
• Performs other duties as assigned.

 
Supervisory Responsibilities: 
This position has no direct supervisory responsibility. 
 
Education, Experience, Basic Qualifications: 

• Bachelor's Degree in related field or relevant work experience.
• 2-4 years of experience conducting and documenting security risk assessments
• Experience working in a client-facing consulting or service delivery capacity
• Demonstrated understanding of control frameworks and regulatory requirements for NIST 800-171, NIST 800-53, and NIST-CSF
  • Preferred experience with: ISO 27001, SOC 2, HIPAA, PCI-DSS.
• Good understanding of the Department of Defense CMMC ruling and implications for the Defense Industrial Base.
• Preferred prior experience working with GRC systems/tools.
• Broad knowledge of information technology (basic networking principles), information security (such as identity and access management), and critical data protection practices (basic principles of encryption and sensitive data protection).
• Proven ability to assess risks and controls and identify opportunities for improvement.
• Excellent written and verbal communication skills along with excellent interpersonal skills. Able to communicate confidently in a clear, concise, and articulate manner - verbally and written in the documentation produced.
• Self-motivated, positive attitude, and a team player.
• Ability to work independently and with minimal supervision.

 
Physical Requirements: 
Must be able to remain in a stationary position most of the time. Occasionally required to lift/push/carry items less than 25 pounds.  
 
Expected Hours of Work: 
This position is intended to be full-time, 40 hours/week. 
 
Travel: 
Little to no travel is expected for this position. 
 
Other Duties: 
Please note that this job description is not designed to cover or contain a comprehensive list of activities, duties, or responsibilities that are required of the employee for this position. Duties, responsibilities, and activities may change at any time with or without notice.