
Cyber Risk Management Lead Specialist

Today • Arlington, VA

Position Summary

Our Deloitte Cyber team understands the unique challenges and opportunities businesses face in cybersecurity. Join our team to deliver powerful solutions to help our clients navigate the ever-changing threat landscape. Through powerful solutions and managed services that simplify complexity, we enable our clients to operate with resilience, grow with confidence, and proactively manage to secure success.

Work You'll Do

  • Authority to Operate (ATO) Lead
    • Extensive experience conducting risk analysis of USPS applications to assess potential impact of disruptions on critical business functions, including financial, operational, and reputational consequences.
    • Experience with and understanding of USPS processes to retire applications/systems across large organizations, including verification of remnant removal, to minimize security risks to the organization, and ability to advise application stakeholders through the process.
    • Knowledge of and demonstrated experience leading USPS site security reviews at various types of facilities to assess risk, and documenting findings, observations, and recommendations.
    • In-depth understanding of USPS Authorization & Assessment (A&A) requirements, standards, and best practices (e.g., NIST, FISMA) to advise security and IT professionals, application stakeholders, managers, and executives.
    • Demonstrated ability to develop, track, analyze and regularly report status of goals, milestones, and metrics using complex and large data sets to measure the effectiveness of USPS A&A processes.
    • Knowledge and understanding of USPS cybersecurity policies and processes sufficient to review, understand and provide inputs to internal security policies, SOPs and training documents.
    • Demonstrated proficiency in using USPS's Governance, Risk, and Compliance (GRC) tools.
    • Ability to serve as subject matter expert (SME) for the USPS A&A process.
    • Knowledge of or experience with the USPS SDLC Retirement/Decommission process.
    • Ability to effectively manage compliance documentation, security plans, risk assessments, and other related documents within the USPS GRC tool, ServiceNow, and SharePoint environments.
    • Effective communication and collaboration skills to work with cross-functional teams, stakeholders, and IT professionals.
    • Own the full lifecycle of ATO packages: from boundary definition, control tailoring, and required documentation through security testing, risk acceptance, and formal authorization.
    • Facilitate stakeholder workshops to map applicable NIST 800-53 controls, assign ownership, and collect evidence.
    • Plan, coordinate, and track independent security assessments (penetration tests, ST&E, red/blue team exercises).
    • Develop and maintain Plan of Action & Milestones (POA&M) artifacts; monitor status, escalate delays, and validate closure.
    • Brief executive sponsors and Authorizing Officials (AOs) on residual risks, mitigations, and go-forward plans.
    • Champion Continuous Monitoring (ConMon) to preserve the authorization: define metrics and reporting cadences, and trigger re-accreditation activities when material changes occur.
  • Vulnerability Management & Remediation
    • Architect and manage an enterprise vulnerability management program covering network, cloud, container, and application layers.
    • Integrate multiple scanning tools (e.g., Tenable, Qualys, Rapid7, Wiz, Snyk) into a unified workflow; ensure accurate asset inventory and risk scoring.
    • Prioritize findings using CVSS, exploitability data, and mission impact; align remediation timelines with policy (e.g., critical fixes within 15 days).
    • Coordinate cross-functional "patch sprints," configuration hardening, and compensating control implementation.
    • Track remediation KPIs (e.g., mean time to remediate, percent critical vulnerabilities patched) and present trend analysis to leadership.
    • Continuously refine detection logic and scanning coverage to reduce false positives and blind spots.
  • Policy, Governance & Strategic Advisory
    • Contribute to security policies, standards, and playbooks, ensuring alignment with NIST, ISO 27001, CIS, and organizational risk appetite.
    • Advise product teams on "security-by-design" practices, translating control requirements into engineering user stories.
    • Conduct tabletop exercises and lessons-learned sessions to strengthen incident response, resilience, and compliance readiness.
    • Track evolving regulatory requirements (e.g., CMMC, EO 14028, zero trust mandates) and translate them into actionable roadmaps.
  • Team Leadership & Stakeholder Engagement
    • Mentor junior analysts; provide training on RMF, FedRAMP, POA&M management, and vulnerability analysis.
    • Act as primary liaison with internal audit, external assessors, and government customers.
    • Foster a culture of accountability and continuous improvement across security and IT teams.

The Team

Deloitte's Government and Public Services (GPS) practice, including our people, ideas, technology, and outcomes, is designed for impact. Serving federal, state, and local government clients as well as public higher education institutions, our team of professionals brings fresh perspective to help clients anticipate disruption, reimagine the possible, and fulfill their mission promise.

Our Cyber Defense & Resilience offering assists clients in defending against advanced threats by transforming security operations, monitoring technology, data analytics, and threat intelligence. It helps manage and protect dynamic attack surfaces and provides rapid crisis and cyber incident response, ensuring clients can be ready for, respond to, and recover from business disruptions.

Qualifications

Required:

• Master's degree required
• Must be legally authorized to work in the United States without the need for employer sponsorship, now or at any time in the future.
• Must possess the following certifications:
  • Certified Expert Risk Management Framework Professional
  • Certified Expert Cloud Security (CECS)
  • Certified Continuity Manager (CCM)
  • Certified Expert Independent Assessor
  • FEMA Homeland Security Exercise and Evaluation Program (HSEEP)
• 12+ years in information security with at least 3 years leading ATO/RMF or FedRAMP initiatives.
• Deep familiarity with NIST 800-53, 800-37, 800-137, FedRAMP Moderate/High, STIGs, SOX, GLBA, PCI-DSS, SOC, and RMM.
• Hands-on experience with vulnerability scanners, SIEM/SOAR platforms, asset discovery, and ticketing systems (e.g., ServiceNow).
• Understanding of cloud services (AWS, Azure, GCP) and container security (Kubernetes, Docker) controls.
• Competence interpreting penetration-test results and aligning remediation with DevSecOps pipelines.
• Prior USPS CISO experience required

As used in this posting, "Deloitte" means Deloitte Transactions and Business Analytics LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability or protected veteran status, or any other legally protected basis, in accordance with applicable law.

Information for applicants with a need for accommodation: https://www2.deloitte.com/us/en/pages/careers/articles/join-deloitte-assistance-for-disabled-applicants.html

Recruiting tips

From developing a standout resume to putting your best foot forward in the interview, we want you to feel prepared and confident as you explore opportunities at Deloitte. Check out recruiting tips from Deloitte recruiters.

Benefits

At Deloitte, we know that great people make a great organization. We value our people and offer employees a broad range of benefits. Learn more about what working at Deloitte can mean for you.

Our people and culture

Our inclusive culture empowers our people to be who they are, contribute their unique perspectives, and make a difference individually and collectively. It enables us to leverage different ideas and perspectives, and bring more creativity and innovation to help solve our clients' most complex challenges. This makes Deloitte one of the most rewarding places to work.

Our purpose

Deloitte's purpose is to make an impact that matters for our people, clients, and communities. At Deloitte, purpose is synonymous with how we work every day. It defines who we are. Our purpose comes through in our work with clients that enables impact and value in their organizations, as well as through our own investments, commitments, and actions across areas that help drive positive outcomes for our communities. Learn more.

Professional development

From entry-level employees to senior leaders, we believe there's always room to learn. We offer opportunities to build new skills, take on leadership opportunities, and connect and grow through mentorship. From on-the-job learning experiences to formal development programs, our professionals have a variety of opportunities to continue to grow throughout their career.

Requisition code: 309014


Client-provided location(s): Arlington, VA
Job ID: Deloitte-309014
Employment Type: OTHER
Posted: 2025-08-14T18:57:48

Perks and Benefits

• Health and Wellness
• Parental Benefits
• Work Flexibility
• Office Life and Perks
• Vacation and Time Off
• Financial and Retirement
• Professional Development
• Diversity and Inclusion