Sr. Manager, CMMC Governance
Lenovo · North Carolina, United States · 6 days ago
RemoteRemoteInformation Technology$160k–$190k/yrFull-time
Key Responsibilities
- Enterprise CMMC Program Ownership
- Serve as Lenovo’s authority for the CMMC Level 2 program, with end-to-end accountability for compliance posture, audit readiness, and operational sustainability.
- Establish, maintain, and enforce the governance model for the CMMC environment, ensuring consistent execution across internal teams and external providers.
- Enclave Boundary Scope Authority
- Define, approve, and enforce the CMMC enclave boundary, including authoritative decisions on system inclusion, exclusion, segmentation, and architectural constraints.
- Approve and formally accept control scoping decisions, limitations, and exceptions, ensuring they are documented, justified, and defensible to third-party assessors.
- System Security Plan (SSP) Ownership
- Act as the authoritative owner and approver of the System Security Plan (SSP) for the CMMC environment.
- Approve all material changes to system scope, architecture, policies, procedures, or control implementation.
- Ensure SSP and programmatic adherence to expectations set by Certified Third Party Assessor Organizations (C3PAOs).
- Risk Accountability
- Hold accountability for CMMC-scoped risk decisions, including acceptance, mitigation, or escalation of residual risk.
- Ensure all risk decisions are explicitly documented and aligned with Lenovo’s enterprise risk management framework.
- Escalate material risks to leadership with clear impact analysis and recommendations.
- Incident Governance
- Regulatory Oversight
- Serve as the governing authority for CMMC-scoped security incidents, including incident declaration, coordination of response, and oversight of external notification obligations.
- Ensure incident handling aligns with SSP commitments, contractual obligations, and regulatory expectations.
- Audit Leadership
- External Representation
- Act as Lenovo’s primary representative for CMMC audits and assessments, including direct engagement with C3PAOs.
- Lead audit strategy, readiness reviews, evidence validation, assessor engagement, and audit defense activities.
- Respond to regulator, customer, and partner inquiries related to Lenovo’s CMMC posture.
- Cross-Functional Vendor Governance
- Direct and govern execution across IT, managed service providers, and compliance partners while enforcing clear separation of responsibilities.
- Ensure vendor engagements align with established governance models while maintaining ownership and authority over security and risk decisions.
- Ensure operational decisions align with compliance requirements, supporting audit defensibility and sound risk management.
- Executive Reporting
- Strategic Enablement
- Provide regular reporting on CMMC program status, risks, resource needs, and certification readiness.
- Enable North American Federal sales by ensuring the CMMC environment remains credible, scalable, and audit-ready.
- Contribute senior expertise to related Security Governance and Assurance initiatives as required.
Required Skills
- Senior-level expertise in cybersecurity governance, regulatory compliance, and enterprise risk management.
- Deep, practical mastery of CMMC Level 2 and NIST SP 800-171, including assessment objectives and evidence expectations.
- Proven authority in defining and defending system boundaries, control scope, and governance models in regulated environments.
- Demonstrated experience leading high-stakes audits and regulatory assessments.
- Strong judgment with comfort making risk acceptance and escalation decisions.
- Ability to maintain a continuously audit-ready posture in dynamic operational environments.
- Ability to operate effectively in a non-technical senior governance role while retaining full accountability for outcomes.
Qualifications
- Bachelor’s degree in cybersecurity, information systems, or a related field required.
- 10+ years of progressive experience in cybersecurity governance, risk management, compliance, or regulated security programs.
- Direct experience serving as a program owner, SSP owner, or senior audit lead for CMMC, NIST SP 800-171, or comparable frameworks required.
- Experience supporting U.S. Federal, defense, or defense-industrial-base (DIB) environments strongly preferred.
Citizenship Requirement
- U.S. citizenship required.
Availability
- Travel availability for off-hours engagement during incidents or audits.
- Limited travel may be required for assessments or executive engagements.
Pay Range
- $160k - 190K.
Benefits
- For more information about Lenovo’s benefits, visit www.lenovobenefits.com.
Application Deadline
- The expected application deadline for this position is August 27, 2026.
Equal Opportunity Employer
- We are an Equal Opportunity Employer and do not discriminate against any employee or applicant for employment because of race, color, sex, age, religion, sexual orientation, gender identity, national origin, status as a veteran, and basis of disability or any federal, state, or local protected class.