We use cookies. Find out more about it here. By continuing to browse this site you are agreeing to our use of cookies.
#alert
Back to search results
New

Sr. Manager, CMMC Governance

Lenovo
United States, North Carolina, Morrisville
Jul 09, 2026


General Information
Req #
WD00100970
Career area:
Information Technology
Country/Region:
United States of America
State:
North Carolina
City:
Morrisville
Date:
Thursday, July 9, 2026
Working time:
Full-time
Additional Locations:
* United States of America - North Carolina - Morrisville

Why Work at Lenovo
We are Lenovo. We do what we say. We own what we do. We WOW our customers.
Lenovo is a US$83 billion revenue global technology powerhouse, ranked #196 in the Fortune Global 500, and serving millions of customers every day in 180 markets. Focused on a bold vision to deliver Smarter Technology for All, Lenovo has built on its success as the world's largest PC company with a full-stack portfolio of AI-enabled, AI-ready, and AI-optimized devices (PCs, workstations, smartphones, tablets), infrastructure (server, storage, edge, high performance computing and software defined infrastructure), software, solutions, and services. Lenovo's continued investment in world-changing innovation is building a more equitable, trustworthy, and smarter future for everyone, everywhere. Lenovo is listed on the Hong Kong stock exchange under Lenovo Group Limited (HKSE: 992) (ADR: LNVGY).
This transformation together with Lenovo's world-changing innovation is building a more inclusive, trustworthy, and smarter future for everyone, everywhere. To find out more visit www.lenovo.com, and read about the latest news via our StoryHub.

Description and Requirements

Position Summary

The Senior Manager, CMMC Program Governance serves as Lenovo's enterprise authority for the Cybersecurity Maturity Model Certification (CMMC) Level 2 program supporting North American Federal sales. This role holds full accountability for the governance, compliance posture, audit readiness, and sustained operation of Lenovo's CMMCscoped enclave environment.

This position functions as the authoritative owner of the CMMC System Security Plan (SSP) and the final decision authority for enclave boundary definition, control scope, and risk acceptance. The role ensures Lenovo's CMMC posture remains defensible, auditable, and aligned with enterprise risk tolerance, while enabling scalable and compliant participation in the U.S. Federal market.

Operating at a senior governance level, this role provides strategic direction, oversight, and accountability across IT, external service providers, and business stakeholders. While technical controls are implemented by IT teams and approved vendors, this role retains sole ownership of governance decisions, SSP integrity, boundary authority, and risk accountability for the CMMC environment.

Key Responsibilities

Enterprise CMMC Program Ownership

  • Serve as Lenovo's authority for the CMMC Level 2 program, with endtoend accountability for compliance posture, audit readiness, and operational sustainability.
  • Establish, maintain, and enforce the governance model for the CMMC environment, ensuring consistent execution across internal teams and external providers.

Enclave Boundary & Scope Authority

  • Define, approve, and enforce the CMMC enclave boundary, including authoritative decisions on system inclusion, exclusion, segmentation, and architectural constraints.
  • Approve and formally accept control scoping decisions, limitations, and exceptions, ensuring they are documented, justified, and defensible to thirdparty assessors.

System Security Plan (SSP) Ownership

  • Act as the authoritative owner and approver of the System Security Plan (SSP) for the CMMC environment.
  • Approve all material changes to system scope, architecture, policies, procedures, or control implementation.
  • Ensure SSP and programmatic adherence to expectations set by Certified Third Party Assessor Organizations (C3PAOs).

Risk Accountability & Decision Authority

  • Hold accountability for CMMCscoped risk decisions, including acceptance, mitigation, or escalation of residual risk.
  • Ensure all risk decisions are explicitly documented and aligned with Lenovo's enterprise risk management framework.
  • Escalate material risks to leadership with clear impact analysis and recommendations.

Incident Governance & Regulatory Oversight

  • Serve as the governing authority for CMMCscoped security incidents, including incident declaration, coordination of response, and oversight of external notification obligations.
  • Ensure incident handling aligns with SSP commitments, contractual obligations, and regulatory expectations.

Audit Leadership & External Representation

  • Act as Lenovo's primary representative for CMMC audits and assessments, including direct engagement with C3PAOs.
  • Lead audit strategy, readiness reviews, evidence validation, assessor engagement, and audit defense activities.
  • Respond to regulator, customer, and partner inquiries related to Lenovo's CMMC posture.

CrossFunctional & Vendor Governance

  • Direct and govern execution across IT, managed service providers, and compliance partners while enforcing clear separation of responsibilities.
  • Ensure vendor engagements align with established governance models while maintaining ownership and authority over security and risk decisions.
  • Ensure operational decisions align with compliance requirements, supporting audit defensibility and sound risk management.

Executive Reporting & Strategic Enablement

  • Provide regular reporting on CMMC program status, risks, resource needs, and certification readiness.
  • Enable North American Federal sales by ensuring the CMMC environment remains credible, scalable, and auditready.
  • Contribute senior expertise to related Security Governance and Assurance initiatives as required.

Required Skills & Competencies

  • Seniorlevel expertise in cybersecurity governance, regulatory compliance, and enterprise risk management.
  • Deep, practical mastery of CMMC Level 2 and NIST SP 800171, including assessment objectives and evidence expectations.
  • Proven authority in defining and defending system boundaries, control scope, and governance models in regulated environments.
  • Demonstrated experience leading highstakes audits and regulatory assessments.
  • Strong judgment with comfort making risk acceptance and escalation decisions.
  • Ability to maintain a continuously auditready posture in dynamic operational environments.
  • Ability to operate effectively in a nontechnical senior governance role while retaining full accountability for outcomes.

Qualifications

  • Bachelor's degree in cybersecurity, information systems, or a related field required.
  • 10+ years of progressive experience in cybersecurity governance, risk management, compliance, or regulated security programs.
  • Direct experience serving as a program owner, SSP owner, or senior audit lead for CMMC, NIST SP 800171, or comparable frameworks required.
  • Experience supporting U.S. Federal, defense, or defenseindustrialbase (DIB) environments strongly preferred.

Citizenship Requirement

U.S. citizenship required

Availability & Travel

  • Availability for offhours engagement during incidents or audits.
  • Limited travel may be required for assessments or executive engagements.

The base salary budgeted range for this position is $160k - 190K. Individuals may also be considered for bonus and/or commission.

Lenovo's various benefits can be found on www.lenovobenefits.com.

In compliance with Colorado's EPEWA, the expected application deadline for this position is August 27, 2026. This applies to both external and internal candidates.

#LI-FL1

#LI-Remote

We are an Equal Opportunity Employer and do not discriminate against any employee or applicant for employment because of race, color, sex, age, religion, sexual orientation, gender identity, national origin, status as a veteran, and basis of disability or any federal, state, or local protected class.
Additional Locations:
* United States of America - North Carolina - Morrisville
* United States of America
* United States of America - North Carolina
* United States of America - North Carolina - Morrisville

Applied = 0

(web-77cf7d65c7-rcc7h)