Sr. Manager, CMMC Governance
Morrisville, NC, USA
USD 160k-190k / year
Why Work at Lenovo
Description and Requirements
Position Summary
The Senior Manager, CMMC Program Governance serves as Lenovo’s enterprise authority for the Cybersecurity Maturity Model Certification (CMMC) Level 2 program supporting North American Federal sales. This role holds full accountability for the governance, compliance posture, audit readiness, and sustained operation of Lenovo’s CMMC‑scoped enclave environment.
This position functions as the authoritative owner of the CMMC System Security Plan (SSP) and the final decision authority for enclave boundary definition, control scope, and risk acceptance. The role ensures Lenovo’s CMMC posture remains defensible, auditable, and aligned with enterprise risk tolerance, while enabling scalable and compliant participation in the U.S. Federal market.
Operating at a senior governance level, this role provides strategic direction, oversight, and accountability across IT, external service providers, and business stakeholders. While technical controls are implemented by IT teams and approved vendors, this role retains sole ownership of governance decisions, SSP integrity, boundary authority, and risk accountability for the CMMC environment.
Key Responsibilities
Enterprise CMMC Program Ownership
- Serve as Lenovo’s authority for the CMMC Level 2 program, with end‑to‑end accountability for compliance posture, audit readiness, and operational sustainability.
- Establish, maintain, and enforce the governance model for the CMMC environment, ensuring consistent execution across internal teams and external providers.
Enclave Boundary & Scope Authority
- Define, approve, and enforce the CMMC enclave boundary, including authoritative decisions on system inclusion, exclusion, segmentation, and architectural constraints.
- Approve and formally accept control scoping decisions, limitations, and exceptions, ensuring they are documented, justified, and defensible to third‑party assessors.
System Security Plan (SSP) Ownership
- Act as the authoritative owner and approver of the System Security Plan (SSP) for the CMMC environment.
- Approve all material changes to system scope, architecture, policies, procedures, or control implementation.
- Ensure SSP and programmatic adherence to expectations set by Certified Third Party Assessor Organizations (C3PAOs).
Risk Accountability & Decision Authority
- Hold accountability for CMMC‑scoped risk decisions, including acceptance, mitigation, or escalation of residual risk.
- Ensure all risk decisions are explicitly documented and aligned with Lenovo’s enterprise risk management framework.
- Escalate material risks to leadership with clear impact analysis and recommendations.
Incident Governance & Regulatory Oversight
- Serve as the governing authority for CMMC‑scoped security incidents, including incident declaration, coordination of response, and oversight of external notification obligations.
- Ensure incident handling aligns with SSP commitments, contractual obligations, and regulatory expectations.
Audit Leadership & External Representation
- Act as Lenovo’s primary representative for CMMC audits and assessments, including direct engagement with C3PAOs.
- Lead audit strategy, readiness reviews, evidence validation, assessor engagement, and audit defense activities.
- Respond to regulator, customer, and partner inquiries related to Lenovo’s CMMC posture.
Cross‑Functional & Vendor Governance
- Direct and govern execution across IT, managed service providers, and compliance partners while enforcing clear separation of responsibilities.
- Ensure vendor engagements align with established governance models while maintaining ownership and authority over security and risk decisions.
- Ensure operational decisions align with compliance requirements, supporting audit defensibility and sound risk management.
Executive Reporting & Strategic Enablement
- Provide regular reporting on CMMC program status, risks, resource needs, and certification readiness.
- Enable North American Federal sales by ensuring the CMMC environment remains credible, scalable, and audit‑ready.
- Contribute senior expertise to related Security Governance and Assurance initiatives as required.
Required Skills & Competencies
- Senior‑level expertise in cybersecurity governance, regulatory compliance, and enterprise risk management.
- Deep, practical mastery of CMMC Level 2 and NIST SP 800‑171, including assessment objectives and evidence expectations.
- Proven authority in defining and defending system boundaries, control scope, and governance models in regulated environments.
- Demonstrated experience leading high‑stakes audits and regulatory assessments.
- Strong judgment with comfort making risk acceptance and escalation decisions.
- Ability to maintain a continuously audit‑ready posture in dynamic operational environments.
- Ability to operate effectively in a non‑technical senior governance role while retaining full accountability for outcomes.
Qualifications
- Bachelor’s degree in cybersecurity, information systems, or a related field required.
- 10+ years of progressive experience in cybersecurity governance, risk management, compliance, or regulated security programs.
- Direct experience serving as a program owner, SSP owner, or senior audit lead for CMMC, NIST SP 800‑171, or comparable frameworks required.
- Experience supporting U.S. Federal, defense, or defense‑industrial‑base (DIB) environments strongly preferred.
Citizenship Requirement
U.S. citizenship required
Availability & Travel
- Availability for off‑hours engagement during incidents or audits.
- Limited travel may be required for assessments or executive engagements.
The base salary budgeted range for this position is $160k - 190K. Individuals may also be considered for bonus and/or commission.
Lenovo’s various benefits can be found on www.lenovobenefits.com.
In compliance with Colorado's EPEWA, the expected application deadline for this position is August 27, 2026. This applies to both external and internal candidates.
#LI-FL1
#LI-Remote