Compliance and Privacy Specialist
Listed on 2026-01-22
IT/Tech
Cybersecurity, Data Security, Information Security
Location: Rockville, MD
Work Type: Hybrid Work (Minimum 2 days onsite – may extend based on client meetings, delivery needs, and proposal support)
Job Title: Compliance and Privacy Specialist
Clearance: Public Trust
Job Summary: LCG is seeking multiple Compliance and Privacy Specialists. The Compliance and Privacy Specialist supports Client’s Information Security and Privacy Program by performing hands‑on privacy compliance activities that align with federal mandates including FISMA, the Privacy Act of 1974, and related HHS policy requirements. The role focuses on maintaining an accurate PII system inventory, supporting Privacy Impact Assessments (PIAs) and Privacy Threshold Analyses (PTAs), assisting with SORN lifecycle activities, coordinating privacy‑related evidence for audits and data calls, and ensuring privacy requirements are integrated into operational and system workflows, especially for FedRAMP cloud environments.
Key Responsibilities
Support Client privacy program operations (SAOP support)
- Provide privacy subject matter support to Client’s Senior Agency Official for Privacy (SAOP) to help implement organization‑wide approaches for privacy risk management.
- Maintain a privacy program posture that protects sensitive information and aligns with federal privacy compliance requirements and Client operational needs.
Maintain and update the agency PII system inventory (system‑of‑record visibility)
- Identify and maintain an accurate inventory of Client systems that contain Personally Identifiable Information (PII), including which systems require PIAs under the E‑Government Act and which systems require SORNs under the Privacy Act.
- Coordinate with System Owners/ISSO stakeholders to validate inventory accuracy when applications are onboarded, modified, migrated, or decommissioned (including third‑party hosted systems).
- Record inventory updates within tracking systems and governance repositories (e.g., RSA Archer or agency‑defined tools), ensuring traceability for audit readiness.
Support PTA/PIA development, review, publication tracking, and lifecycle compliance
- Develop Privacy Threshold Analyses (PTAs) and/or PIAs within required timelines for new IT projects, major changes, or system modernization activities.
- Ensure PIAs are reviewed and updated on a defined cadence (e.g., reviewed/updated every 3 years), coordinating with system stakeholders to refresh system descriptions, data flows, and privacy risks.
- Ensure PIAs required for public posting are available via Client public sites in accordance with OMB policy requirements.
- Track PIA/PTA status, approvals, and dependencies using privacy tracking logs/compliance trackers and generate status summaries for leadership or privacy governance reviews.
Support SORN creation, modification, and decommission process
- Establish and execute documented processes supporting creation and decommissioning of Systems of Records Notices (SORNs), including tracking when systems move into/out of “system of records” applicability.
- Support review/development of SORNs as directed by the CIO/SAOP, ensuring accuracy of record categories, routine uses, and data handling practices.
- Track status of SORNs requiring publication and confirm alignment to Federal Register publication requirements when applicable.
Align privacy compliance to FISMA system compliance + SA&A artifacts (cross‑functional ISSO support)
- Provide cross‑functional ISSO‑style support by ensuring privacy requirements are reflected in security documentation and governance artifacts (e.g., security categorization impacts, boundary considerations, and required privacy controls).
- Support the overall Client Cybersecurity and Privacy program compliance posture that responds to federal statutory and departmental mandates (FISMA/HHS policies).
Coordinate vulnerability management inputs that impact privacy risk and compliance tracking
- Support coordination of vulnerability management activities by consuming scanning tool outputs (e.g., vulnerability scan reports, compliance scan results, change reports) to identify risks that could elevate privacy exposure.
- Track privacy‑relevant weaknesses and remediation actions as part of enterprise POA&M management and continuous monitoring…