What you get to do in this role:
- Deployment and configuration of vulnerability management solutions (Tenable/Qualys/Nexpose)
- Assess security risks and impact of issues pertaining to ServiceNow.
- Work with stakeholders to provide triage and remediation recommendations.
- Partner with Compliance teams to ensure proper validation is being performed.
- Develop and implement innovations on the ServiceNow platform.
To be successful in this role you have:
- 7–8 years of experience in cybersecurity, information security, GRC, or federal compliance roles.
- Deep working knowledge of CMMC 2.0, NIST SP 800-171, NIST SP 800-53, and NIST Cybersecurity Framework (CSF).
- Hands-on experience leading or supporting CMMC assessments, including application scoping, control mapping, gap analysis, and remediation planning.
- Strong understanding of federal contracting compliance requirements, including DFARS 252.204-7012 and CUI (Controlled Unclassified Information) handling.
- Experience developing and maintaining SSPs, POA&Ms, and compliance documentation for federal authorization.
- Proven ability to conduct risk assessments across enterprise environments covering endpoints, identity, cloud, and data protection.
- Working knowledge of the ServiceNow platform, including familiarity with IRM, SecOps, CMDB, or ITSM modules for managing security and compliance workflows.
- Excellent written and verbal communication skills with demonstrated ability to present technical findings to executive audiences.
- Experience working cross-functionally with IT, security, audit, and legal teams in a large enterprise environment.
Preferred
- Professional certifications such as CISSP, CISM, CISA, CAP (Certified Authorization Professional), or CMMC Registered Practitioner (RP).
- Hands-on experience with ServiceNow IRM (Integrated Risk Management), including Risk Management, Policy & Compliance Management, Audit Management, and Vendor Risk Management modules.
- Experience with broader ServiceNow platform capabilities including CMDB/APM, SecOps (Security Incident Response, Vulnerability Response), ITSM, and IT Asset Management for integrated security and compliance workflows.
- Familiarity with ServiceNow reporting, dashboards, Performance Analytics, and workflow automation to drive GRC program efficiency and executive visibility.
- Familiarity with FedRAMP, FISMA, FIPS 140-2/3 encryption requirements, and DoD cybersecurity policies.
- Background in evaluating dual-environment architectures (e.g., O365 commercial vs. GCC High) for compliance alignment.
- Experience with SIEM, EDR (e.g., CrowdStrike), vulnerability management tools, and security architecture review processes.
- Knowledge of identity and access management frameworks, including Okta, Active Directory, and SailPoint integrations.
- Prior experience in enterprise-scale assessment campaigns involving 50+ applications or business units.
- Experience in building or consuming continuous monitoring, control hygiene, or AI-enabled risk/issue automation workflows (e.g., automated control testing, continuous controls monitoring, risk scoring, AI/ML-driven issue remediation).
Work Personas
We approach our distributed world of work with flexibility and trust. Work personas (flexible, remote, or required in office) are categories that are assigned to ServiceNow employees depending on the nature of their work and their assigned work location. Learn more here. To determine eligibility for a work persona, ServiceNow may confirm the distance between your primary residence and the closest ServiceNow office using a third-party service.
Equal Opportunity Employer
ServiceNow is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, sex, sexual orientation, national origin or nationality, ancestry, age, disability, gender identity or expression, marital status, veteran status, or any other category protected by law. In addition, all qualified applicants with arrest or conviction records will be considered for employment in accordance with legal requirements.
Accommodations
We strive to create an accessible and inclusive experience for all candidates. If you require a reasonable accommodation to complete any part of the application process, or are unable to use this online application and need an alternative method to apply, please contact globaltalentss@servicenow.com for assistance.
Export Control Regulations
For positions requiring access to controlled technology subject to export control regulations, including the U.S. Export Administration Regulations (EAR), ServiceNow may be required to obtain export control approval from government authorities for certain individuals. All employment is contingent upon ServiceNow obtaining any export license or other approval that may be required by relevant export control authorities.
From Fortune. ©2025 Fortune Media IP Limited. All rights reserved. Used under license.
As the Risk Manager on the Digital Technology GRC team, you will play a central role in advancing our federal compliance posture and GRC program maturity. You will guide initiatives related to CMMC (Cybersecurity Maturity Model Certification) Level 2 readiness, NIST framework implementation, and enterprise-wide risk assessment across infrastructure, endpoints, identity, cloud, and data protection domains.
You will partner closely with Security Architecture, IT Operations, SecOps, Internal Audit, Legal & Compliance, and Executives to assess risk, implement controls, and ensure our organization meets the rigorous standards required for federal contracting.
You will drive compliance and risk management across key areas such as:
- CMMC 2.0 Level 2 Assessment Readiness & Certification
- NIST SP 800-171 / NIST CSF Control Mapping & Implementation
- Enterprise Risk Assessment & Remediation Planning
- System Security Plans (SSP) & Plan of Action & Milestones (POA&M)
- GRC Process Maturity & Automation
- Federal Compliance Documentation & Evidence Management
This is a high-impact, high-visibility role designed for someone who combines deep knowledge of federal cybersecurity frameworks with the ability to translate technical compliance requirements into actionable plans and executive-ready communications.
Risk Assessment & Management
- Conduct comprehensive risk assessments across infrastructure, endpoints, identity management, data protection, and cloud environments.
- Identify, document, and track security gaps and remediation activities in the enterprise risk register.
- Perform control effectiveness testing and support continuous monitoring initiatives to ensure ongoing compliance posture.
Cross-Functional Collaboration & Communication
- Partner with Security Architecture, IT Operations, SecOps, Internal Audit, and Legal & Compliance to align security controls and risk mitigation strategies.
- Translate complex technical findings and compliance status into executive-ready reports, dashboards, and briefings for senior principals.
- Act as a subject matter expert for CMMC and NIST compliance across the organization, providing guidance and training to stakeholders.
GRC Program & Process Maturity
- Support the development and maturation of GRC processes, including policy management, control mapping, audit support, and evidence management workflows.
- Evaluate and recommend GRC tooling and automation opportunities to increase efficiency and accuracy of compliance operations.
- Contribute to enterprise-wide assessment campaigns and support regulatory change management activities.
ServiceNow Platform & GRC Tooling
- Leverage ServiceNow IRM (Integrated Risk Management) modules — including Risk Management, Policy & Compliance Management, Audit Management, and Vendor Risk Management — to manage and operationalize compliance workflows.
- Utilize ServiceNow SecOps (Security Incident Response, Vulnerability Response), CMDB/APM, ITSM, and IT Asset Management to support integrated security and compliance operations.
- Build and maintain GRC dashboards, reports, and Performance Data views to provide executive visibility into risk posture, control coverage, and compliance status.
- Drive workflow automation within the ServiceNow platform to streamline evidence collection, control testing, risk scoring, and remediation tracking.
About ServiceNow
ServiceNow (Public)
ServiceNow, Inc. is an American software company that supplies a cloud computing platform for the creation and management of automated business workflows. The company was founded in Santa Clara, California, United States, in 2003 by Fred Luddy.
- Employees: 10,001+
- Headquarters: Santa Clara
- Valuation: $150B