
Governance, Risk, and Compliance Lead

Job in Bethesda, Montgomery County, Maryland, 20811, USA
Listing for: Peraton
Full Time position
Listed on 2025-12-05
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security

Required Qualifications

  • Bachelor’s degree in Cybersecurity, Information Technology, Risk Management, or related field (Master’s preferred).
  • 10+ years of experience in cybersecurity governance, risk, and compliance.
  • Deep knowledge of cybersecurity frameworks (NIST, ISO 27001, CIS, COBIT).
  • Strong understanding of data privacy regulations and compliance requirements.
  • Proven leadership experience with the ability to influence at all levels.
  • Professional certifications such as CISSP, CISM, CRISC, CISA, or ISO 27001 Lead Implementer highly desirable.
  • US Citizenship.
  • Must have the ability to obtain / maintain a Public Trust clearance.

Preferred Qualifications

  • CISSP, CISM, or CISA
  • CRISC, CGRC (formerly CAP), or similar GRC certifications
  • PMP or program management certification
  • FAA background or aviation/critical infrastructure cyber experience highly desirable

The Governance, Risk and Compliance (GRC) Lead for the FAA BNATC contract provides operational leadership and direction for cybersecurity, compliance, and risk activities supporting FAA mission systems and enterprise services. This role is responsible for establishing and maintaining cybersecurity policies, standards, and procedures tailored to FAA environments. The successful candidate will perform risk assessments, POA&M activities, security control implementation, and monitoring in compliance with NIST SP 800-53 and FAA ISSO guidance, and will ensure full lifecycle support for ATO packages and security authorizations.

The GRC Lead serves as the primary GRC manager to the CISO, ensuring secure operations for critical systems supporting the National Airspace System (NAS) and related FAA infrastructure.

Key Responsibilities

Cybersecurity Governance
  • Establish and maintain cybersecurity policies, standards, and frameworks (ISO 27001, NIST CSF, CIS Controls).
  • Drive alignment of cybersecurity initiatives with enterprise risk management and corporate governance.
  • Report regularly to executive leadership and the board on cybersecurity posture and compliance status.
Risk Management
  • Lead enterprise-wide cyber risk assessments, threat modeling, and vulnerability management.
  • Maintain and update the cybersecurity risk register, ensuring mitigation plans are tracked and executed.
  • Partner with IT and business units to embed cyber risk awareness into daily operations.
Compliance & Privacy
  • Ensure compliance with global regulations and standards (GDPR, HIPAA, SOX, PCI-DSS, CCPA).
  • Oversee audits, penetration tests, and regulatory reviews.
  • Monitor emerging cybersecurity and privacy legislation, advising leadership on potential impacts.
Incident Response & Resilience
  • Collaborate with the Security Operations Center (SOC) and IT teams to strengthen incident response protocols.
  • Ensure business continuity and disaster recovery plans are tested and effective.
  • Champion a culture of cyber resilience across the organization.
Leadership & Collaboration
  • Build and lead a high-performing cybersecurity GRC team.
  • Foster cross-functional collaboration with Legal, IT, Risk, and Compliance departments.
  • Promote a culture of security awareness and ethical responsibility.