Lead Cybersecurity Compliance Engineer

Institute, NC
In-Office
130K-160K Annually
Senior level
Other
The Role
The Lead Cybersecurity Compliance Engineer manages compliance processes with federal cybersecurity standards, oversees vendor management, conducts security assessments, develops security policies, and ensures compliance documentation is maintained.
Summary Generated by Built In
About Urban Institute:

The Urban Institute is a research-to-impact institution founded on one simple idea: To improve lives and strengthen communities, we need practices and policies that work. From advancing well-being to fostering shared prosperity, leaders across sectors are working every day to create brighter futures for all people and communities. For more than 50 years, Urban has delivered evidence and solutions that drive meaningful change, and this remains our charge today.

Our Mission

To drive impact by equipping changemakers with evidence and solutions.

Our Values
Collaboration, Fairness, Inclusivity, Independence, and Integrity

For more information on the Urban Institute, please visit https://www.urban.org.

The Opportunity:

The Lead Cybersecurity Compliance Engineer is a senior role within Urban Institute’s Technology & Data Science (TECH) department. This position is responsible for ensuring that key Urban IT systems and cloud services meet federal cybersecurity compliance requirements. In practice, the engineer will manage the FedRAMP Moderate Authority to Operate (ATO) compliance process for designated cloud systems, coordinate security requirements into contracts and procurements, and oversee vendor management, security assessments and audits.

The role also involves performing regular compliance activities (such as risk assessments, vulnerability scans, and third-party audits), updating and maintaining security policies and procedures, and monitoring evolving regulatory standards. The Lead Cybersecurity Compliance Engineer will sit on the Infrastructure and Security team and report directly to the Senior Director, Infrastructure and Security.

Responsibilities
• Manage the FedRAMP Moderate ATO process for designated Urban cloud systems. This includes coordinating security documentation (e.g. System Security Plans (SSPs), Gap Analysis, Privacy Impact Assessments (PIAs)), security assessment reports (SARs), continuous monitoring and required audit activities to meet the NIST-based FedRAMP baseline.
• Ensure that system architectures and configurations are designed to align with the required security controls for moderate-impact information.
• Lead cybersecurity contract reviews for all relevant IT procurements. Analyze and update agreements to include necessary security clauses, controls, and compliance requirements. Report on Urban’s ability to comply with contractual cybersecurity requirements and level of effort needed to comply where current systems do not meet contractual requirements.
• Procure and oversee third-party vendor activities. Organize and conduct vendor risk assessments and audits (including cloud providers and SaaS vendors), coordinate cross-functional vendor review meetings, and validate that vendors implement agreed-upon security controls. Maintain strong vendor relationships and verify third-party adherence to Urban’s security policies.
• Schedule and manage regular security testing and auditing activities for Urban’s FedRAMP environment. This includes arranging annual 3PAO audits, external penetration tests and vulnerability assessments, tracking remediation efforts, and reviewing internal audit findings.
• Develop, update, and maintain cybersecurity policies, standards, procedures, and playbooks with support from the Infrastructure and Security team and other Technology and Data Science team members, as necessary.
• Support incident response activities, root cause analysis, and reporting requirements.
• Ensure that all compliance documentation (e.g. plans of action and milestones (POA&Ms), security checklists) is up-to-date and accessible.
• Stay current with federal and industry cybersecurity regulations and frameworks (such as updates to FedRAMP, NIST guidelines, FISMA, etc.). Translate new requirements into actionable guidance for Urban.
• Coordinate briefings so that Urban teams understand their compliance obligations.
• Work closely with Technology and Data Science leadership, project managers, and stakeholders to integrate compliance requirements into projects and update or modify compliant systems as needed.
• Provide regular status updates on compliance efforts and report any security or compliance gaps to senior management. Serve as a subject-matter expert on compliance topics within the organization.
• Support the Infrastructure and Security team as needed for general cybersecurity needs and initiatives.

Requirements
• Experience: At least 5 years of experience in cybersecurity or IT compliance, with a strong focus on federal security frameworks. Demonstrated experience preparing for and/or maintaining FedRAMP authorizations (especially Moderate or higher).
• Bachelor’s degree in Computer Science, Information Security, or a related field or equivalent experience.
• Prior experience creating and/or managing system security documentation (SSPs, SARs, POA&Ms) and implementing continuous monitoring programs.
• In-depth understanding of the NIST SP 800-53 Rev 5 security control framework, as well as familiarity with FISMA, OMB policies, and other relevant federal cybersecurity standards.
• Proven ability to conduct security reviews of contracts, identify required cybersecurity clauses, and manage vendor risk assessments.
• Strong written and verbal communication skills. Able to articulate complex security and compliance concepts clearly to technical and non-technical audiences. Experience writing policies, procedures, and/or playbooks.
 

What You’ll Experience:

No matter your role with Urban, you will contribute to meaningful work that makes a difference for people and communities across the country. We are committed to working in a manner defined by our mission and values.

Urban’s greatest asset is our people.

The target salary range for this position is $130,000 - $160,000. Salary offered is commensurate with experience and considers internal comparisons. Salaries are just one component of Urban Institute’s total compensation package. Urban is committed to supporting our staff’s physical, emotional, and financial well-being through a robust benefits package for yourself, eligible dependents, and domestic partners. It includes generous paid time off, including nine federal holidays, medical (including prescription), dental and vision insurance, and transit benefits. Urban is unique in that we offer 403(b) retirement plan participation immediately after you’re hired and a generous employer contribution after six months of service and 500 hours, with immediate vesting. You’ll also have access to a health advocate, personal finance coaching, an Employee Assistance Program, and educational assistance for undergraduate and graduate degree programs.

The Urban Institute has formally recognized the Urban Institute Employees’ Union, which is part of the Nonprofit Professional Employees Union (NPEU). Urban management and the Union work together in good faith and are motivated by a shared commitment to this institution. This position is included in the Union-represented collective bargaining unit, and specific employment terms and conditions are subject to collective bargaining negotiations.

The above statements are intended to describe the general nature and level of the work being performed by the people assigned. This posting is not an exhaustive list of all duties, responsibilities, and requirements. Urban management reserves the right to amend and change duties, responsibilities, and requirements to meet business and organizational needs as necessary.

The Urban Institute is an equal opportunity employer. All qualified candidates will receive consideration without regard to race, color, religion, national origin, gender or gender identity, age, marital status, personal appearance, sexual orientation, veteran status, pregnancy or family responsibilities, matriculation, disability, political affiliation, or any other protected status under applicable law.

We are committed to equal employment opportunity and providing reasonable accommodations to applicants with physical and/or mental disabilities. If you have a physical and/or mental disability and are interested in applying for employment and need special accommodations to use our website to apply for a position, please contact Human Resources at [email protected].  Reasonable accommodation requests are considered on a case-by-case basis.

Top Skills

FedRAMP
FISMA
NIST SP 800-53 Rev 5
Security Assessment Plans (SARs)
System Security Plans (SSPs)
Third-Party Vendor Assessment Tools

The Company
Washington, District of Columbia
887 Employees
Year Founded: 1968

What We Do

The nonprofit Urban Institute is dedicated to elevating the debate on social and economic policy. For nearly five decades, Urban scholars have conducted research and offered evidence-based solutions that improve lives and strengthen communities across a rapidly urbanizing world. Their objective research helps expand opportunities for all, reduce hardship among the most vulnerable, and strengthen the effectiveness of the public sector.
