
Cyber Compliance, Policy and Risk Lead

Date: Sep 13, 2021

Location: Oak Ridge, TN, US, 37830-8050

Company: Oak Ridge National Laboratory

Requisition Id 6546 

Level: TP04


Oak Ridge National Laboratory is hiring a Cyber Compliance, Policy and Risk Lead to help mature and manage governance, risk, and compliance (GRC) program initiatives and platform enablement. The successful candidate will collaborate across the lab, including Information Technology, Physical Security, the Classification Office, Cyber Security, Lab Enterprise Risk, Lab Internal Audit, DOE IT Risk Management, and Office of Science Security initiatives, to ensure appropriate identification of risks and to lead policy direction for data and network cyber protection while enabling mission and business objectives. The CP&R Lead develops a coordinated approach to policy documents, security control assessments, and risk mitigation strategies to enable metrics and reporting. The position will interact directly with all levels within the organization, including senior managers, Group and Team Leaders, Enterprise and Data Architects, Cyber Operations, Researchers and external. Additionally, the role represents ORNL in working groups across DOE OCIO and Office of Science cyber initiatives.


Primary Responsibilities:

  • Lead ORNL’s Compliance, Policy and Risk Program (people, process, technology) across all functions and disciplines
  • Identify, review, and provide analysis and recommendations to meet requirements of applicable laws, regulations, orders, and the contract and translate into policies, procedures, suggested control structures, analysis/white papers, etc. while aligning with business objectives.
  • Provide guidance on policies and controls to support appropriate levels of risk, facilitate risk tolerance discussions and decisions, and recommend controls based on industry standards and practices.
  • Lead initiative to mature the GRC platform capabilities and tools to improve business processes, risk management and enhance compliance.
  • Lead risk management efforts including risk assessment process, identification of risk mitigation strategies, standardized assessment processes, risk management training and mentoring of staff.
  • Participate in internal/external compliance audits, reviews, self-assessments, assessments, and data calls.
  • Develop, maintain, and present risk, compliance metrics, key process indicators (KPIs) reports and remediation tracking to communicate compliance status of all relevant compliance programs.
  • Act as representative with DOE OCIO and Office of Science risk and compliance initiatives.
  • Identify, promote, and implement process improvements.


Qualifications Required:

  • Bachelor’s degree in IT, Cyber, or related field and at least 10 years of experience in cyber policy, risk management, governance and compliance, as well as associated leadership roles, though a combination of education and experience may be considered for exceptional candidates
  • Experience in security control assessment, Master Plans, and Cybersecurity program plans
  • Experience implementing GRC platforms/tools (ServiceNow, SAP); Risk technologies: market analysis, use, implementations, development
  • Strong analytical and organizational skills as well as problem-solving capabilities to understand cyber risk and exposure (legal, regulatory violations, etc.) to ORNL
  • Demonstrated experience implementing compliance frameworks (NIST, others)
  • Facilitation and project management knowledge, skills and abilities; lead program implementations
  • Demonstrated excellent interpersonal, verbal, written and presentation communication skills and demonstrated ability to interact with all levels of internal and external stakeholders
  • Strong customer service, networking, and teamwork skills with all levels of internal and external personnel, demonstrated ability to work with all levels of an organization
  • Thorough understanding of industry standards and regulations including PCI, HIPAA, Privacy Act, NIST 800-53, NIST Risk Management Framework, FAIR
  • Working knowledge of privacy regulations and impacts
  • Experience integrating risk, compliance, and governance groups within an organization; support competing priorities, and provide guidance on how to meet requirements
  • Ability to work independently and meet deadlines
  • Exceptional communication, problem-solving and negotiation skills
  • High ethical standards and operates with integrity and professionalism
  • Must be able to obtain and maintain a DOE security clearance, which requires US Citizenship


Preferred Qualifications: 

  • Master’s Degree in Information Systems, Business, or related field
  • Minimum seven years’ experience working in an information security, information technology or information risk management related field
  • Cyber Security certifications (CISA, CISM, CRISC, CISSP)
  • Project Management certification (PgMP, PMP, PMI-ACP)
  • Six Sigma certification
  • Privacy management, cyber security, evaluating security controls, identifying control gaps, and mitigating measures along with a strong understanding of business practices and technology concepts
  • Highly motivated individual with an enthusiasm for governance, risk and compliance who can communicate benefits and drive success
  • Experience gaining an Authority to Operate (ATO) for a government system
  • Proven track record of managing and prioritizing tasking and meeting established deadlines
  • Active DOE Q or TS clearance


This position will remain open for a minimum of 5 days after which it will close when a qualified candidate is identified and/or hired.

We accept Word (.doc, .docx), Adobe (unsecured .pdf), Rich Text Format (.rtf), and HTML (.htm, .html) up to 5MB in size. Resumes from third party vendors will not be accepted; these resumes will be deleted and the candidates submitted will not be considered for employment.

If you have trouble applying for a position, please email

ORNL is an equal opportunity employer. All qualified applicants, including individuals with disabilities and protected veterans, are encouraged to apply. UT-Battelle is an E-Verify employer.