Senior Enterprise Risk Manager

Your Mission 

We are seeking a Senior Enterprise Risk Manager to build lead and mature two distinct but interconnected lines of effort: Enterprise Risk Management (ERM) and Third-Party Vendor Risk Management (TPVRM). This is a foundational leadership role for a seasoned risk professional who thrives in fast-moving mission-critical environments and understands the unique demands of operating at the intersection of defense aerospace and commercial SaaS. 

The ideal candidate brings deep experience navigating regulated government environments—including RMF DoD IL5/IL6 and CMMC—and is fluent in industry-standard risk quantification and assessment methodologies such as FAIR (Factor Analysis of Information Risk) and OCTAVE (Operationally Critical Threat Asset and Vulnerability Evaluation). They pair that expertise with a startup mindset that enables them to build programs from the ground up not just maintain inherited ones. You will work cross-functionally with engineering security legal compliance product and executive leadership to identify assess communicate and mitigate risk across the enterprise and its extended supply chain. 

Responsibilities: 

Enterprise Risk Management 

• Design implement and continuously mature a scalable enterprise risk management program aligned to NIST RMF ISO 31000 and applicable DoD frameworks. 

• Apply FAIR methodology to quantify cyber and operational risk in financial terms enabling data-driven prioritization and executive-level risk decision-making. 

• Leverage OCTAVE or similar threat-centric methodologies to lead structured risk assessments that identify critical assets threat profiles and organizational vulnerabilities. 

• Establish and maintain an enterprise risk register risk appetite statements and risk tolerance thresholds in collaboration with executive leadership and the Board (as applicable). 

• Lead recurring risk identification assessment and prioritization processes across business units ensuring alignment between operational risk posture and strategic objectives. 

• Develop and maintain executive-ready risk dashboards KPI/KRI reporting and program metrics using tools such as Jira Confluence GRC platforms and MS Project. 

• Conduct and coordinate internal audits and risk assessments to ensure adherence to DoD compliance standards including NIST SP 800-53 Rev. 5 NIST SP 800-171 RMF (IL5 and IL6) and CMMC Level 3. 

• Support audit readiness activities including pre-assessment preparation evidence collection POA&M management and post-audit remediation planning. 

• Develop implement and mature information security and enterprise risk policies standards and guidelines based on industry best practices. 

• Serve as a primary point of contact for internal stakeholders executive leadership and external assessors certification bodies and government partners. 

Third-Party Vendor Risk Management 

• Build and lead a formalized Third-Party Vendor Risk Management program establishing vendor classification tiers risk assessment methodologies and ongoing monitoring cadences. 

• Define and operationalize vendor onboarding risk assessments including security questionnaires compliance validations and contractual risk controls (e.g. SLAs right-to-audit clauses data handling requirements). 

• Maintain a vendor risk inventory and lifecycle management process covering initial due diligence through offboarding ensuring continuous visibility into third-party risk exposure. 

• Collaborate with legal procurement and supply chain teams to embed risk criteria into vendor selection contract negotiation and renewal processes. 

• Monitor third-party vendors for changes in risk posture including cybersecurity incidents financial instability regulatory actions and ITAR/export control concerns. 

• Develop vendor risk reporting and executive-level dashboards to provide ongoing transparency into third-party exposure across critical suppliers and technology partners. 

• Ensure TPVRM program alignment with applicable regulatory requirements including CMMC supply chain requirements DFARS clauses and DoD IL environment authorization boundaries. 

Cross-Functional Leadership 

• Build mentor and provide technical guidance to junior risk team members and project contributors across both lines of effort. 

• Drive alignment across engineering security operations product compliance IT operations legal and business operations teams on risk priorities and remediation timelines. 

• Track program milestones identify dependencies and blockers and drive timely course corrections with a bias toward action. 

• Continuously improve program workflows reporting processes and team coordination for scalable repeatable and consistent risk program execution. 

• Proactively track emerging regulatory threat and supply chain risk requirements and update program posture accordingly. 

Qualifications 

• 10+ years of experience in enterprise risk management GRC cybersecurity risk or related disciplines with demonstrated ownership of risk programs at a senior level. 

• Proven track record in startup or high-growth technology environments with demonstrated ability to build risk programs from the ground up under resource and time constraints. 

• Experience applying FAIR for risk quantification and OCTAVE or similar frameworks for threat and asset-centric risk assessments. 

• Direct experience with U.S. government or defense sector programs including working knowledge of DoD RMF (IL5 and IL6) NIST SP 800-53 NIST SP 800-171 and CMMC. 

• Hands-on experience leading or significantly contributing to Third-Party/Vendor Risk Management programs including vendor tiering due diligence workflows and ongoing monitoring. 

• Strong proficiency in risk management and GRC documentation tools including Jira Confluence (Atlassian suite) MS Project enterprise GRC platforms and MS Visio or Lucidchart. 

• Excellent communication and stakeholder management skills with a strong ability to translate technical risk into business language for executives and board-level audiences. 

• Active or ability to obtain SECRET TS/SCI security clearance. 

• Must be a U.S. citizen lawful permanent resident or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 

Preferred Qualifications 

• Background in aerospace defense technology or SaaS companies operating in regulated government markets; experience with both commercial and government customer bases strongly preferred. 

• Proficient with creating risk programs in a startup environment scaling and adapting to changing organizational structure 

• Experience managing certification or authorization initiatives across one or more of: FedRAMP SOC 2 DoDIN APL ISO 27001 CMMC as it pertains to risk. 

• Industry certifications such as:  

• Certified in Risk and Information Systems Control (CRISC) 

• Certified Information Systems Auditor (CISA) 

• Certified Information Systems Security Professional (CISSP) 

• Certified in the Governance of Enterprise IT (CGEIT) 

• Certified ScrumMaster (CSM) or Agile PM certification 

• Experience with cloud environments particularly Azure Government and/or AWS GovCloud and understanding of authorization boundary design. 

• Working knowledge of ITAR EAR and export control considerations as they apply to vendor and supply chain risk. 

• Familiarity with Agile/Scrum and hybrid project delivery models. 

• Experience with DFARS FAR and government contracting compliance requirements. 

Compensation 

• Base Salary: Denver - $160000 to $220000 Long Beach - $165000 to $230000 Washington DC - $165000 to $230000 

• Equity + Benefits including Health Dental Vision HRA/HSA options PTO and paid holidays 401K Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills education location and experience. 

Additional Requirements 

• Work Location: This role will be onsite at one of our facilities in Centennial CO Long Beach California or Washington D.C. #LI-Onsite 

• Work Environment: Standard office setting working at a desk or in a production factory environment  

• Physical Demands: May include frequent standing sitting walking bending and lifting or carrying items up to 20 lbs. 

This position will be open until it is successfully filled. 

To conform to U.S. Government space technology export regulations including the International Traffic in Arms Regulations (ITAR) you must be a U.S. citizen lawful permanent resident of the U.S. protected individual as defined by 8 U.S.C. 1324b(a)(3) or eligible to obtain the required authorizations from the U.S. Department of State. 

We value diversity of experience knowledge backgrounds and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex race religion or belief ethnic or national origin disability age citizenship marital domestic or civil partnership status sexual orientation gender identity pregnancy maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation please do not hesitate to let us know. 

What We Do

Space was once the quietest place in the universe. Now it's crowded contested and confrontational.  We are True Anomaly: the only defense company focused exclusively on space defense. Founded in 2022 by ex-U.S. Space Force members True Anomaly designs and builds advanced systems for space superiority: agile and powerful spacecraft platforms mission software engineered for unmatched command and control and payloads tailored for precision sensing and effects.    True Anomaly is headquartered in Centennial CO with regional offices in Colorado Springs CO Long Beach CA and Washington D.C.  We are hiring and seeking exceptional talent to join True Anomaly from any technical industry or background to bring unique talents perspective and solutions. If you embrace complexity lead instead of follow showcase integrity over ego take ownership for outcomes and measure success by impact we want to hear from you.

Why Work With Us

True Anomaly exists to enable a secure stable and sustainable space environment for the US its allies and partners. We design and build spacecraft and software solutions for space superiority. If you are ready to contribute to the future of space defense we’d love to hear from you.

Gallery