• Create, manage, maintain, and improve NSF A&A documentation and processes (e.g., SSPs, SARs, POA&Ms, security inventories, PTAs, PIAs, and internal reports to management), ensuring completeness, accuracy, and alignment with NIST RMF (SP 800-37, SP 800-53 Rev. 5) and NSF standards • Perform control assessments by analyzing technical, procedural, and operational evidence; document results and support risk determinations, POA&M management, and ongoing authorization activities • Collaborate with system owners, ISSOs, and engineers to gather artifacts, validate control implementations, and maintain authorization packages across the system lifecycle • Conduct cybersecurity assessments and develop a continuous monitoring plan for cloud services in compliance with FedRAMP and other federal requirements • Evaluate External Services (e.g., SaaS, PaaS, IaaS) for inclusion within authorization boundaries by reviewing service documentation, analyzing controls, and documenting risks, dependencies, and shared responsibility models; review authorization packages from FedRAMP to assess applicability and identify gaps • Support continuous monitoring and SecCM activities by analyzing vulnerability and configuration data (e.g., scan results), validating remediation actions, and identifying trends or systemic risks across systems • Customize DISA STIGs and CIS Benchmarks to create and maintain standardized “gold” audit files for systems in use at NSF; leverage Tenable Security Center to support the Security-Focused Configuration Management process • Contribute to broader risk management efforts, including identifying cross-system or program-level risks, supporting audit and compliance activities (e.g., OIG), and incorporating findings from assessments, incidents, and external reviews into risk posture and reporting • Perform peer reviews of A&A artifacts and related documentation to ensure technical accuracy, consistency, and adherence to established standards; contribute to team deliverables and coordination across Cybersecurity Oversight and Compliance functions • Performs other job-related duties as assigned

Role Description The Senior Cyber Governance, Risk & Compliance Analyst is a senior level security professional whose primary responsibility is to design, operate, and continuously mature the organization’s Third‑Party / Vendor Risk Management (TPRM) program. In this role, the analyst serves as an embedded risk partner to the business, driving consistent, high‑quality vendor risk outcomes across the full third‑party lifecycle. While TPRM is the core focus of this role, the analyst is also expected to contribute meaningfully across other Information Security and Privacy domains as needed, including privacy operations, cyber governance, risk and compliance (GRC), and security operations. This role is ideal for a practitioner who enjoys vendor risk but is comfortable flexing across adjacent security functions in a fast-moving environment. What you'll get to do: - Third‑Party / Vendor Risk Management (Primary Focus) - Design, implement, operate, and continuously mature the Third‑Party Risk Management program, evolving it from a reactive, compliance driven function into a proactive, risk-based capability. - Execute and oversee the full third-party risk lifecycle, including onboarding, inherent and residual risk assessments, due diligence, periodic reviews, contract risk review, issue management, remediation tracking, and ongoing monitoring. - Perform deep technical security and risk assessments of third parties, including cloud services, SaaS platforms, infrastructure providers, and technology vendors. - Review and interpret security assurance artifacts such as SOC 2 Type II reports, penetration test reports, CAIQ, SIG, ISO certifications, and other compliance attestations. - Evaluate complex vendor solutions, including API integrations with critical internal systems, cloud native architectures (AWS, Azure, GCP), and AI/ML platforms. - Assess and manage emerging third-party risks, including artificial intelligence risks such as data provenance, model integrity, data leakage, and secure handling of proprietary or regulated data. - Lead end-to-end issue and remediation management, ensuring accountability, effectiveness, and timely closure of identified control gaps. - Develop and maintain TPRM standards, playbooks, governance models, escalation paths, and operating procedures aligned with regulatory expectations and business needs. - Build and deliver meaningful reporting, dashboards, and metrics that provide leadership with clear visibility into third-party risk posture, trends, and decision points. - Privacy & Data Protection (Primary Focus) - Support privacy operations, including Data Subject Requests (DSRs), Data Protection Impact Assessments (DPIAs), and data mapping initiatives. - Partner with Privacy and Legal stakeholders to assess vendor and internal data processing risks and ensure appropriate safeguards are in place. - Contribute to privacy related risk assessments, controls validation, and remediation tracking as needed. - Cyber Governance, Risk & Compliance (Supporting Responsibility) - Support cyber GRC activities, including tracking information security risks, risk exceptions, and remediation plans. - Assist with the implementation and ongoing operation of security and risk management frameworks (e.g., NIST, ISO, SOC 2). - Contribute to audit and assurance activities by providing risk assessments, evidence, and clear articulation of control posture. - Security Operations & Enablement (Supporting Responsibility) - Provide support to information security operations as needed, including incident response activities, impact analysis, and post incident follow‑up. - Contribute to security awareness and training initiatives, helping translate risk themes into actionable guidance for the business. - Assist with cross functional security initiatives during periods of increased demand or emerging risk. - Business Partnership & Advisory - Serve as a trusted risk advisor to vendor relationship owners and senior stakeholders, reducing their operational burden while preserving clear risk ownership and accountability. - Partner closely with Legal, Compliance, Procurement, Technology, and Security teams to synthesize requirements and deliver practical, risk‑appropriate solutions. - Review vendor contracts and summarize risk‑relevant provisions, control obligations, and gaps, partnering with Legal to support risk‑informed contract decisions. - Escalate material risks, delays, or control gaps thoughtfully and early, framing issues in clear business terms and presenting well‑defined options for decision‑making. Qualifications - 7+ years of progressive experience in Information Security, Third‑Party Risk Management, Vendor Risk Management, GRC, or Operational Risk. - Demonstrated experience owning, building, or leading a Third‑Party / Vendor Risk Management program. - Bachelor's degree in information security, Computer Science, Business Administration, or a related field or equivalent practical experience. - Strong experience conducting security risk assessments, assurance reviews, audits, and remediation management. - Deep technical understanding of cloud, SaaS, infrastructure, and AI vendor risk. - Hands on experience reviewing SOC 2, ISO 27001, penetration test reports, CAIQ, SIG, and similar security documentation. - Strong written and verbal communication skills, with the ability to translate technical risk into a clear business context for diverse audiences, including senior leadership. - Proven ability to work autonomously, manage competing priorities, and drive outcomes in a fast paced environment. Benefits - Health Insurance - Savings and Retirement Plan - Employee Assistance Program - Generous Vuori Discount & Industry Perks - Paid Time Off - Wellness & Fitness benefits

Role Description The Senior Information Security Analyst is a senior level security professional whose primary responsibility is to design, operate, and continuously mature the organization’s Third‑Party / Vendor Risk Management (TPRM) program. In this role, the analyst serves as an embedded risk partner to the business, driving consistent, high‑quality vendor risk outcomes across the full third‑party lifecycle. While TPRM is the core focus of this role, the analyst is also expected to contribute meaningfully across other Information Security and Privacy domains as needed, including privacy operations, cyber governance, risk and compliance (GRC), and security operations. This role is ideal for a practitioner who enjoys vendor risk but is comfortable flexing across adjacent security functions in a fast-moving environment. What you'll get to do: - Third‑Party / Vendor Risk Management (Primary Focus) - Design, implement, operate, and continuously mature the Third‑Party Risk Management program, evolving it from a reactive, compliance driven function into a proactive, risk-based capability. - Execute and oversee the full third-party risk lifecycle, including onboarding, inherent and residual risk assessments, due diligence, periodic reviews, contract risk review, issue management, remediation tracking, and ongoing monitoring. - Perform deep technical security and risk assessments of third parties, including cloud services, SaaS platforms, infrastructure providers, and technology vendors. - Review and interpret security assurance artifacts such as SOC 2 Type II reports, penetration test reports, CAIQ, SIG, ISO certifications, and other compliance attestations. - Evaluate complex vendor solutions, including API integrations with critical internal systems, cloud native architectures (AWS, Azure, GCP), and AI/ML platforms. - Assess and manage emerging third-party risks, including artificial intelligence risks such as data provenance, model integrity, data leakage, and secure handling of proprietary or regulated data. - Lead end-to-end issue and remediation management, ensuring accountability, effectiveness, and timely closure of identified control gaps. - Develop and maintain TPRM standards, playbooks, governance models, escalation paths, and operating procedures aligned with regulatory expectations and business needs. - Build and deliver meaningful reporting, dashboards, and metrics that provide leadership with clear visibility into third-party risk posture, trends, and decision points. - Privacy & Data Protection (Primary Focus) - Support privacy operations, including Data Subject Requests (DSRs), Data Protection Impact Assessments (DPIAs), and data mapping initiatives. - Partner with Privacy and Legal stakeholders to assess vendor and internal data processing risks and ensure appropriate safeguards are in place. - Contribute to privacy related risk assessments, controls validation, and remediation tracking as needed. - Cyber Governance, Risk & Compliance (Supporting Responsibility) - Support cyber GRC activities, including tracking information security risks, risk exceptions, and remediation plans. - Assist with the implementation and ongoing operation of security and risk management frameworks (e.g., NIST, ISO, SOC 2). - Contribute to audit and assurance activities by providing risk assessments, evidence, and clear articulation of control posture. - Security Operations & Enablement (Supporting Responsibility) - Provide support to information security operations as needed, including incident response activities, impact analysis, and post incident follow‑up. - Contribute to security awareness and training initiatives, helping translate risk themes into actionable guidance for the business. - Assist with cross functional security initiatives during periods of increased demand or emerging risk. - Business Partnership & Advisory - Serve as a trusted risk advisor to vendor relationship owners and senior stakeholders, reducing their operational burden while preserving clear risk ownership and accountability. - Partner closely with Legal, Compliance, Procurement, Technology, and Security teams to synthesize requirements and deliver practical, risk‑appropriate solutions. - Review vendor contracts and summarize risk‑relevant provisions, control obligations, and gaps, partnering with Legal to support risk‑informed contract decisions. - Escalate material risks, delays, or control gaps thoughtfully and early, framing issues in clear business terms and presenting well‑defined options for decision‑making. Qualifications - 7+ years of progressive experience in Information Security, Third‑Party Risk Management, Vendor Risk Management, GRC, or Operational Risk. - Demonstrated experience owning, building, or leading a Third‑Party / Vendor Risk Management program. - Bachelor's degree in information security, Computer Science, Business Administration, or a related field or equivalent practical experience. - Strong experience conducting security risk assessments, assurance reviews, audits, and remediation management. - Deep technical understanding of cloud, SaaS, infrastructure, and AI vendor risk. - Hands on experience reviewing SOC 2, ISO 27001, penetration test reports, CAIQ, SIG, and similar security documentation. - Strong written and verbal communication skills, with the ability to translate technical risk into a clear business context for diverse audiences, including senior leadership. - Proven ability to work autonomously, manage competing priorities, and drive outcomes in a fast paced environment. Benefits - Health Insurance - Savings and Retirement Plan - Employee Assistance Program - Generous Vuori Discount & Industry Perks - Paid Time Off - Wellness & Fitness benefits

Review and remediate cyber incidents and vulnerabilities, maintain data confidentiality and integrity, and collaborate with IT security specialists to enhance security operations within the organization.