Cyber Security & Compliance Specialist

The Cybersecurity and Compliance Specialist is responsible for protecting Melwood's information systems, data, and technology infrastructure through the ongoing implementation, monitoring, and management of enterprise cybersecurity controls and regulatory compliance programs. This role serves as the organization's primary internal subject matter expert on cybersecurity frameworks applicable to federal contractors and regulated nonprofit environments, working in close coordination with IT leadership and external compliance advisors to build and sustain a compliant, resilient, and continuously improving security posture. The Cybersecurity and Compliance Specialist supports the preparation and maintenance of required compliance documentation, manages the organization's security operations practices, and ensures that Melwood's technology environment meets its obligations to employees, program participants, funders, and government partners. This position requires an individual with both the technical hands-on capability to implement and monitor security controls and the analytical discipline to manage compliance programs, track remediation commitments, and communicate risk clearly and accurately to leadership.

Responsibilities:

• Manage the Cybersecurity Compliance Program: Develop, implement, and maintain the organization's cybersecurity compliance program across all applicable regulatory, contractual, and industry standards frameworks. Current primary obligations include federal contractor cybersecurity requirements, healthcare privacy and security standards, federal grants management requirements, and commercial assurance standards. Maintain required compliance documentation including the System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Track remediation commitments, coordinate with IT staff and technology partners on control implementation, and prepare the organization for third-party assessments and audits across all applicable compliance domains.
• Conduct Security Assessments and Gap Analysis: Perform ongoing assessments of the organization's security posture against all applicable regulatory, contractual, and standards frameworks. Identify control gaps, document findings, assign remediation ownership, and track closure through to completion. Support external assessors, auditors, and certification bodies with documentation, evidence, and technical response regardless of which framework or standard is driving the review
• Manage Vulnerability and Patch Programs: Administer the organization's vulnerability management program including scheduled scanning, findings triage, remediation coordination, and reporting. Work with IT infrastructure and application teams to ensure security patches are applied within required timeframes consistent with applicable framework obligations and organizational risk tolerance. Ensure that exceptions are documented, justified, and approved by appropriate authority
• Support Continuous Security Monitoring and Incident Response: Support continuous security monitoring through the organization's security platforms and endpoint protection tools. Investigate alerts, analyze anomalies, and coordinate incident response activities. Maintain the organizational incident response plan and ensure it reflects current regulatory reporting obligations. Prepare and submit required incident reports in accordance with all applicable federal, state, contractual, and regulatory requirements, which may include healthcare privacy laws, federal contractor obligations, and grants management standards.
• Manage Data Classification and Regulated Data Protection: Support the identification, classification, and protection of all regulated information categories across organizational systems. Current regulated categories include Controlled Unclassified Information, Protected Health Information, and Personally Identifiable Information subject to federal and state privacy requirements. Implement and maintain appropriate data classification controls, access restrictions, and monitoring in coordination with IT and business stakeholders. Monitor applicable state and federal privacy regulations for changes that affect organizational obligations and bring material changes to the attention of IT leadership
• Manage Third-Party and Vendor Risk: Evaluate technology vendors and third-party service providers for cybersecurity compliance and risk posture across all applicable frameworks. Review vendor agreements for appropriate security, data handling, and regulatory flow-down obligations including Business Associate Agreements for vendors handling Protected Health Information. Assess software configurations and embedded technology features for compliance with organizational data classification policies and all applicable regulatory requirements, not limited to federal contractor standards.
• Deliver Security Training and Awareness: Develop and deliver cybersecurity awareness training for all staff covering responsible technology use, data protection obligations across all applicable regulatory categories, threat recognition, and incident reporting procedures. Ensure training content reflects the full scope of the organization's regulatory environment and is accessible to staff across all roles and technical literacy levels. Maintain documented training completion records and coordinate role-specific training for IT staff and employees with access to regulated data.
• Maintain Security Documentation and Reporting: Produce accurate and timely security documentation and reporting for internal leadership and external reviewers across all applicable compliance domains. Documentation may include compliance status reports, risk registers, audit evidence packages, remediation tracking, and regulatory submissions. Communicate security, risk and compliance status clearly and concisely to non-technical audiences including organizational leadership, legal counsel, and program leadership. Ensure that reporting reflects the full scope of the organization's compliance obligations and does not treat any single framework as the exclusive measure of the organization's security posture

Qualifications:

• Bachelors degree in information Technology, Information technology, computer science or a related field is required.
• 5+ years in a cyber security or related position is required
• Certified information systems security professional and 5 years of experience will be considered if the candidate does not have a degree.
• Experience in a federal contracting environment is preferred.