
Information Security Project Manager

Job in Rockville, Montgomery County, Maryland, 20849, USA
Listing for: Hirebridge
Full Time position
Listed on 2026-01-22
Job specializations:
  • IT/Tech
    Cybersecurity, IT Project Manager, Information Security, Data Security
Job Description & How to Apply Below

Location: Rockville, MD

Work Type: Hybrid Work (Minimum 2 days onsite – may extend based on client meetings, delivery needs, and proposal support)

Job Title: Information Security Project Manager

Clearance: Public Trust

Job Summary: LCG is seeking an Information Security Program Manager who will have overall responsibility for contractor performance supporting the Client’s cybersecurity and privacy program, with a particular emphasis on programmatic Quality Assurance (QA). This role supports maturing a risk-based cybersecurity and privacy program that meets federal and HHS mandates and is characterized by repeatable processes and high-quality customer service.

Key Responsibilities

Cybersecurity Program Leadership & Quality Assurance
  • Own end-to-end delivery quality for SAMHSA’s cybersecurity and privacy support program, ensuring outputs meet FISMA, NIST, and HHS policy expectations and are audit-ready.
  • Establish and enforce program QA practices (peer reviews, checklists, acceptance criteria, schedule control) across security engineering, compliance, and reporting work streams.
  • Drive program maturation toward formal, repeatable processes and measurable outcomes aligned to a risk-based posture.
Governance, Risk Management, and Performance Management
  • Lead program risk management: continuously identify, track, and mitigate risks/issues; maintain mitigation plans and validate closure evidence.
  • Define and manage measurable, verifiable performance measures for cybersecurity initiatives and contract outcomes; report progress to leadership.
  • Oversee governance workflows and ensure consistent execution of compliance, assessment, continuous monitoring, and reporting activities across all supported systems.
Strategic Planning Support to CIO/CISO/SAOP
  • Support CIO/CISO/SAOP strategic planning by translating federal/HHS mandates into executable roadmaps (people/process/technology) and sequencing improvements.
  • Lead continuous improvement: recommend security program enhancements (process optimization, governance improvements, automation opportunities) and drive implementation through task leads.
RMF, Compliance, and Authorization Oversight (Program-Level)
  • Direct oversight of security assessment & authorization (SA&A) execution and lifecycle tracking to ensure consistency and readiness for internal/external review.
  • Ensure program artifacts and tracking align with agency repository/GRC usage (e.g., RSA Archer or successor GRC) for inventory, POA&Ms, findings, and compliance metrics.
  • Ensure program supports required deliverables such as Information Security Program Plan, RMF/CSF methodology, and other mandated plans with annual review/update cadence.
Continuous Monitoring, Vulnerability Management, and Reporting Governance
  • Oversee operational cadence for continuous monitoring and enterprise security reporting—ensuring the team produces timely, accurate metrics and evidence packages.
  • Govern the program’s vulnerability management lifecycle: scanning coordination, results tracking in GRC, reporting, remediation coordination, and validation evidence expectations.
  • Ensure reporting and dashboards support leadership decision-making and demonstrate cybersecurity efficacy (e.g., trends, gaps, control performance).
Audit, Data Call, and Evidence Readiness
  • Own program readiness for internal/external audits and data calls (e.g., HHS, OIG, GAO): coordinate response development, evidence collection, quality control, and timely submission.
  • Ensure evidence chains are complete, consistent, and traceable across artifacts, findings, corrective actions, and status reporting.
Security Awareness, Communications, and Stakeholder Engagement
  • Structure communications that clearly articulate security requirements, timelines, and expectations; coordinate delivery-quality communications and stakeholder updates.
  • Oversee intake and responsiveness for stakeholder inquiries to the security/privacy program mailbox, ensuring acknowledgement and appropriate routing.
Program Management Cadence, Deliverables, and Reporting
  • Lead required governance cadence including kickoff planning and monthly status meetings, ensuring agendas, minutes, milestones, and actions are produced and…