NuScale Power, LLC Careers

This position will be based full-time in our Houston, TX office located at 990 Town & Country Blvd in CityCentre. 

POSITION SUMMARY: This position establishes, leads, and governs the enterprise-wide Cybersecurity Supply Chain Risk Management (C SCRM) program for both Operational Technology (OT or digital instrumentation and controls) and Information Technology (IT). The C-SCRM Program Manager reports to the Supervisor, Information Security and leads an interdisciplinary team of subject matter experts from Information Security, Instrumentation and Controls Engineering and Manufacturing (i.e., Supply Chain), and Plant Services Cyber Security to deliver a scalable, defensible, and compliant supply chain assurance program for digital assets and software systems that are safety-related, augmented requirements, physical security-related, or emergency preparedness related in accordance with NIST SP 800-161, NIST SP 800-53 (SR/SA/RA/PM), NIST SP 800-82, and nuclear sector guidance (NEI 08-09, Regulatory Guide 5.71, RIS 2015-08 Rev 1).

ESSENTIAL DUTIES AND RESPONSIBILITIES:

The C-SCRM Program Manager will perform the following duties and have overall responsibility for the administration and implementation of the C-SCRM Program.  Will be required to perform other duties as assigned.

Program Governance and Strategy 

• Develop and manage the enterprise C‑SCRM program for OT (digital I&C platforms, field devices, PLCs, networked sensors, safety‑related cyber systems) and IT (commercial software, COTS hardware, servers, cloud services, network equipment).
• Create and maintain policies, standards, and procedures aligned to NIST SP 800‑161 and NIST SP 800‑53 SR, SA, RA, PM control families.
• Integrate nuclear sector guidance (NEI 08‑09, RG-5.71, RIS 2015‑08 Rev 1) into supply chain expectations for safety‑related and security‑related digital systems.
• Establish supplier risk tiering and criticality criteria covering safety‑related functions, digital asset categorization, and impacts on plant operations and corporate environments.
• Lead the C‑SCRM Steering Committee and drive alignment between Supply Chain, Engineering, Plant Services Cyber Security, Legal, QA, and Supplier Quality Assurance 

Supplier Lifecycle Management

• Oversee the complete supplier lifecycle: inherent risk assessments, due diligence, technical evaluation, contracting, onboarding, continuous monitoring, reassessment, and offboarding.
• Ensure contractual language includes security requirements, SBOM/MBOM deliverables, secure SDLC expectations, vulnerability disclosure procedures, and sub‑tier supplier transparency.
• Implement structured workflows for third‑party risk assessments that incorporate NIST SP 800‑53 SR/SA obligations, NEI 08‑09 defensive architecture principles, and NIST SP 800‑82 OT constraints.
• Coordinate supplier audits and assessments, ensuring traceability of security commitments and evidence of control effectiveness.

Technical Assurance for OT and IT

• Define and enforce minimum security requirements for suppliers, including software integrity controls, code signing, firmware assurance, and supply chain provenance.
• Evaluate SBOMs for software, firmware, and embedded system components; drive vulnerability assessment and remediation plans based on exploitability in OT/ICS contexts.
• Oversee technical acceptance processes such as Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), configuration verification, deterministic communication requirements, and architecture compliance checks for digital I&C components.
• Support secure engineering design reviews for systems that integrate COTS hardware, virtualized servers, network infrastructure, and embedded digital components.
• Coordinate risk analysis and compensating control strategies where patching or upgrading is constrained in OT environments.

Risk Analysis and Decision Support

• Perform qualitative and quantitative supply chain risk assessments covering vendor security posture, component integrity, lifecycle support, and cyber threat exposure.
• Document risk findings, residual risk calculations, and recommended mitigations; present clear decision options to executive leadership.
• Develop Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to track program maturity and supplier health.
• Maintain centralized risk evidence repositories supporting compliance and audit readiness. 

Compliance, Audit, and Regulatory Engagement

• Ensure the C‑SCRM program adheres to NIST SP 800‑161, NIST SP 800‑53, NIST SP 800‑82, NEI 08‑09, RG 5.71, and RIS 2015‑08 Rev 1 requirements.
• Prepare for internal audits, external assessments, and US NRC reviews; provide documentation showing control compliance and technical baselines.
• Coordinate with Engineering and Plant Services Cyber Security to ensure digital I&C assets meet expectations for secure procurement, configuration control, and lifecycle management.

Training, Communications, and Stakeholder Engagement

• Develop training and communication materials to improve supply chain security awareness across engineering, operations, IT, and procurement teams.
• Coach project managers, system owners, and procurement professionals on secure supplier interactions and risk evaluation processes.
• Communicate supply chain threats, vulnerabilities, mitigations, and accepted risks to senior leadership in clear, actionable terms.

CORE COMPETENCIES: To perform the job successfully, the individual should demonstrate competencies in performing the essential functions of this position by performing satisfactorily in each of these competencies. 

• Problem solving: Identifies and resolves problems in a timely manner, gathers and reviews information appropriately. Uses own judgment and acts independently; seeks input from other team members as appropriate for complex or sensitive situations.
• Oral/written communication: Listens carefully and speaks clearly and professionally in all situations. Edits work for accuracy and clarity, is able to create, read and interpret complex written information.  Ability to develop strong interpersonal networks within the organization. 
• Planning/organizing: Prioritizes and plans work activities, organizes personal and project timelines and deadlines, tracks project timelines and deadlines, and uses time efficiently.
• Adaptability: Adapts to changes in the work environment, manages competing demands and is able to deal with frequent interruptions, changes, delays, or unexpected events.
• Dependability: Consistently on time and at work, responds to management expectations and solicits feedback to improve performance.
• Team Building: Capable of developing strong interpersonal networks and trust within the organization. 
• Safety Culture: Adheres to the NuScale safety culture and is expected to model safe behavior and influence peers to meet high standards.
• Quality Assurance: Commits to the understanding and implementation of quality assurance regulations, standards and guidelines of 10 CFR 50 Appendix B, 10 CFR 21, and NQA-1.

MINIMUM SKILLS, QUALIFICATIONS AND ABILITIES:

• Education/Certification: A minimum of a bachelor’s degree in Cybersecurity, Computer Science, Engineering, or related field is required.  Alternatively, an additional 4 years (12 years total) of equivalent full-time nuclear industry cyber security experience may be considered in lieu of a degree.  NSCP 800-161 Foundation Certificate or equivalent is required.  Professional certifications such as CISSP, CISM, CRISC, GICSP, CISA, or ISA/IEC 62443 certificates are preferred. 
• Experience: A minimum of 8 years of full-time cybersecurity experience with a focus on supply chain risk, vendor management, or secure procurement is required.  Must have experience across OT/ICS and IT cybersecurity, including digital I&C systems, embedded controllers, industrial networking, and enterprise IT infrastructure.  Additional required experience included:
  • Detailed knowledge of NIST SP 800‑161, NIST SP 800‑82, and NIST SP 800‑53 control families related to supply chain, assurance, and risk assessment (SR/SA/RA/PM) .
  • Familiarity with nuclear regulatory guidance including NEI 08‑09, RG 5.71, and RIS 2015‑08 Rev 1.
  • Demonstrated ability to lead cross‑disciplinary teams and manage complex supplier ecosystems.
  • Strong written and verbal communication skills; ability to influence at all organizational levels. Experience in nuclear energy, critical infrastructure, or similarly regulated sectors preferred.
  • Working knowledge of SBOM formats (SPDX, CycloneDX) and secure software development lifecycle (SSDLC) practices (e.g., NIST SP 800-218).
  • Understanding of OT protocols, deterministic network architectures, physical/functional separation concepts, and secure digital I&C implementation (e.g., Regulatory Guide 1.152, Revision 3, Regulatory Position C.2).
• Industry Requirements: Eligible to work under Department of Energy 10 CFR Part 810.

PHYSICAL DEMANDS: The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

• Ability to understand and communicate clearly using a phone, personal interaction, and computers.
• Ability to learn new job functions and comprehend and understand new concepts quickly and apply them accurately in a rapidly evolving environment.
• The employee frequently is required; to sit and stand; walk; bend, use hands to operate office equipment; and reach with hands and arms.  Ability to lift ten to fifteen pounds.

Disclaimer: Employee(s) must perform the essential duties and responsibilities with or without reasonable accommodation efficiently and accurately without causing significant safety threat to self or others.  The above statements are intended to describe the general nature and level of work being performed by employee(s) assigned to this classification.  They are not intended to be construed as an exhaustive list of all responsibilities, duties and/or skills required of all employees in this classification.

NuScale Power, LLC is an equal opportunity employer and does not discriminate against otherwise qualified applicants on the basis of race, color, creed, religion, ancestry, age, sex, marital status, national origin, disability or handicap, or veteran status.

Pay and Benefits: 

At NuScale, compensation decisions are determined using factors such as relevant job-related skills, full-time working experience, education and training, equity within the department. 

For information on employee benefits, please visit our Careers Overview page:  Employee Benefits | NuScale Power