
Risk Manager
ServiceNow, Chicago, IL, United States
Company Description
As the Risk Manager on the Digital Technology GRC team, you will play a central role in advancing our federal compliance posture and GRC program maturity. You will guide initiatives related to CMMC (Cybersecurity Maturity Model Certification) Level 2 readiness, NIST framework implementation, and enterprise-wide risk assessment across infrastructure, endpoints, identity, cloud, and data protection domains.
Key Responsibilities
Guide initiatives related to CMMC Level 2 readiness, NIST SP 800‑171, NIST CSF control mapping & implementation, and enterprise-wide risk assessment.
Partner with Security Architecture, IT Operations, SecOps, Internal Audit, Legal & Compliance, and Executives to assess risk, implement controls, and ensure the organization meets federal contracting standards.
Drive compliance and risk management across key areas: CMMC 2.0 Level 2 assessment readiness & certification; NIST SP 800‑171 / NIST CSF control mapping & implementation; enterprise risk assessment & remediation planning; System Security Plans (SSP) & Plan of Action & Milestones (POA&M); GRC process maturity & automation; federal compliance documentation & evidence management.
Conduct comprehensive risk assessments across infrastructure, endpoints, identity, data protection, and cloud environments.
Identify, document, and track security gaps and remediation activities in the enterprise risk register.
Perform control effectiveness testing and support continuous monitoring initiatives to maintain ongoing compliance posture.
Collaborate cross‑functionally with IT, security, audit, and legal teams, translating technical findings into executive‑ready reports, dashboards, and briefings.
Act as subject‑matter expert for CMMC and NIST compliance, providing guidance and training to stakeholders.
Support development and maturation of GRC processes, including policy management, control mapping, audit support, and evidence management workflows.
Evaluate and recommend GRC tooling and automation opportunities to increase efficiency and accuracy of compliance operations.
Contribute to enterprise‑wide assessment campaigns and support regulatory change management.
Leverage ServiceNow IRM modules (Risk Management, Policy & Compliance Management, Audit Management, Vendor Risk Management) and other ServiceNow modules (SecOps, CMDB/APM, ITSM, IT Asset Management) to support integrated security and compliance operations.
Build and maintain GRC dashboards, reports, and performance data views to provide executive visibility into risk posture, control coverage, and compliance status.
Drive workflow automation within the ServiceNow platform to streamline evidence collection, control testing, risk scoring, and remediation tracking.
Qualifications
7–8 years of experience in cybersecurity, information security, GRC, or federal compliance roles.
Deep working knowledge of CMMC 2.0, NIST SP 800‑171, NIST SP 800‑53, and NIST Cybersecurity Framework (CSF).
Hands‑on experience leading or supporting CMMC assessments, including application scoping, control mapping, gap analysis, and remediation planning.
Strong understanding of federal contracting compliance requirements, including DFARS 252.204‑7012 and CUI (Controlled Unclassified Information) handling.
Experience developing and maintaining SSPs, POA&Ms, and compliance documentation for federal authorization.
Proven ability to conduct risk assessments across enterprise environments covering endpoints, identity, cloud, and data protection.
Working knowledge of the ServiceNow platform, including familiarity with IRM, SecOps, CMDB, and ITSM modules for managing security and compliance workflows.
Excellent written and verbal communication skills, with demonstrated ability to present technical findings to executive audiences.
Experience working cross‑functionally with IT, security, audit, and legal teams in a large enterprise environment.
Preferred: Professional certifications such as CISSP, CISM, CISA, CAP (Certified Authorization Professional), or CMMC Registered Practitioner (RP).
Preferred: Hands‑on experience with ServiceNow IRM modules for risk management, policy & compliance, audit management, and vendor risk management.
Preferred: Experience with broader ServiceNow capabilities (CMDB/APM, SecOps, ITSM, IT Asset Management) for integrated security and compliance workflows.
Preferred: Familiarity with FedRAMP, FISMA, FIPS 140‑2/3 encryption requirements, and DoD cybersecurity policies.
Preferred: Background in evaluating dual‑environment architectures (e.g., O365 commercial vs. GCC High) for compliance alignment.
Preferred: Experience with SIEM, EDR (e.g., CrowdStrike), vulnerability management tools, and security architecture review processes.
Preferred: Knowledge of identity and access management frameworks, including Okta, Active Directory, and SailPoint integrations.
Preferred: Prior experience in enterprise‑scale assessment campaigns involving 50+ applications or business units.
Preferred: Experience building or consuming continuous monitoring, control hygiene, or AI‑enabled risk/issue automation workflows (e.g., automated control testing, continuous controls monitoring, risk scoring, AI/ML‑driven issue remediation).
Equal Opportunity Employer
ServiceNow is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex, sexual orientation, national origin or nationality, ancestry, age, disability, gender identity or expression, marital status, veteran status, or any other category protected by law. In addition, all qualified applicants with arrest or conviction records will be considered for employment in accordance with legal requirements.
Accommodations
We strive to create an accessible and inclusive experience for all candidates. If you require a reasonable accommodation to complete any part of the application process, or are unable to use this online application and need an alternative method to apply, please contact globaltalentss@servicenow.com for assistance.
Export Control Regulations
For positions requiring access to controlled technology subject to export control regulations, including the U.S. Export Administration Regulations (EAR), ServiceNow may be required to obtain export control approval from government authorities for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by relevant export control authorities.