Program Manager (C-SCRM)

Job

NuScale Power, LLC.

Houston, TX (In Person)

$182,704 Salary, Full-Time

Posted 1 week ago (Updated 6 days ago) • Actively hiring

Expires 6/18/2026

Job Description

Program Manager (C-SCRM)
Information Technology
Houston, TX
This position will be based full-time in our Houston, TX office located at 990 Town & Country Blvd in CityCentre.
POSITION SUMMARY
This position establishes, leads, and governs the enterprise-wide Cybersecurity Supply Chain Risk Management (C-SCRM) program for both Operational Technology (OT or digital instrumentation and controls) and Information Technology (IT). The C-SCRM Program Manager reports to the Supervisor, Information Security and leads an interdisciplinary team of subject matter experts from Information Security, Instrumentation and Controls Engineering and Manufacturing (i.e., Supply Chain), and Plant Services Cyber Security to deliver a scalable, defensible, and compliant supply chain assurance program for digital assets and software systems that are safety-related, augmented requirements, physical security-related, or emergency preparedness related in accordance with NIST SP 800-161, NIST SP 800-53 (SR/SA/RA/PM), NIST SP 800-82, and nuclear sector guidance (NEI 08-09, Regulatory Guide 5.71, RIS 2015-08 Rev 1).
ESSENTIAL DUTIES AND RESPONSIBILITIES
The C-SCRM Program Manager will perform the following duties and have overall responsibility for the administration and implementation of the C-SCRM Program. Will be required to perform other duties as assigned.
Program Governance and Strategy
Develop and manage the enterprise C‑SCRM program for OT (digital I&C platforms, field devices, PLCs, networked sensors, safety‑related cyber systems) and IT (commercial software, COTS hardware, servers, cloud services, network equipment). Create and maintain policies, standards, and procedures aligned to NIST SP 800‑161 and NIST SP 800‑53 SR, SA, RA, PM control families. Integrate nuclear sector guidance (NEI 08‑09, RG-5.71, RIS 2015‑08 Rev 1) into supply chain expectations for safety‑related and security‑related digital systems. Establish supplier risk tiering and criticality criteria covering safety‑related functions, digital asset categorization, and impacts on plant operations and corporate environments. Lead the C‑SCRM Steering Committee and drive alignment between Supply Chain, Engineering, Plant Services Cyber Security, Legal, QA, and Supplier Quality Assurance.
Supplier Lifecycle Management
Oversee the complete supplier lifecycle: inherent risk assessments, due diligence, technical evaluation, contracting, onboarding, continuous monitoring, reassessment, and offboarding. Ensure contractual language includes security requirements, SBOM/MBOM deliverables, secure SDLC expectations, vulnerability disclosure procedures, and sub‑tier supplier transparency. Implement structured workflows for third‑party risk assessments that incorporate NIST SP 800‑53 SR/SA obligations, NEI 08‑09 defensive architecture principles, and NIST SP 800‑82 OT constraints. Coordinate supplier audits and assessments, ensuring traceability of security commitments and evidence of control effectiveness.
Technical Assurance for OT and IT
Define and enforce minimum security requirements for suppliers, including software integrity controls, code signing, firmware assurance, and supply chain provenance. Evaluate SBOMs for software, firmware, and embedded system components; drive vulnerability assessment and remediation plans based on exploitability in OT/ICS contexts. Oversee technical acceptance processes such as Factory Acceptance Testing (FAT), Site Acceptance Testing (SAT), configuration verification, deterministic communication requirements, and architecture compliance checks for digital I&C components. Support secure engineering design reviews for systems that integrate COTS hardware, virtualized servers, network infrastructure, and embedded digital components. Coordinate risk analysis and compensating control strategies where patching or upgrading is constrained in OT environments.
Risk Analysis and Decision Support
Perform qualitative and quantitative supply chain risk assessments covering vendor security posture, component integrity, lifecycle support, and cyber threat exposure. Document risk findings, residual risk calculations, and recommended mitigations; present clear decision options to executive leadership. Develop Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to track program maturity and supplier health. Maintain centralized risk evidence repositories supporting compliance and audit readiness.
Compliance, Audit, and Regulatory Engagement
Ensure the C‑SCRM program adheres to NIST SP 800‑161, NIST SP 800‑53, NIST SP 800‑82, NEI 08‑09, RG 5.71, and RIS 2015‑08 Rev 1 requirements. Prepare for internal audits, external assessments, and US NRC reviews; provide documentation showing control compliance and technical baselines. Coordinate with Engineering and Plant Services Cyber Security to ensure digital I&C assets meet expectations for secure procurement, configuration control, and lifecycle management.
Training, Communications, and Stakeholder Engagement
Develop training and communication materials to improve supply chain security awareness across engineering, operations, IT, and procurement teams. Coach project managers, system owners, and procurement professionals on secure supplier interactions and risk evaluation processes. Communicate supply chain threats, vulnerabilities, mitigations, and accepted risks to senior leadership in clear, actionable terms.
CORE COMPETENCIES
To perform the job successfully, the individual should demonstrate competencies in performing the essential functions of this position by performing satisfactorily in each of these competencies.
Problem solving:
Identifies and resolves problems in a timely manner, gathers and reviews information appropriately. Uses own judgment and acts independently; seeks input from other team members as appropriate for complex or sensitive situations.
Oral/written communication:
Listens carefully and speaks clearly and professionally in all situations. Edits work for accuracy and clarity, is able to create, read and interpret complex written information. Ability to develop strong interpersonal networks within the organization.
Planning/organizing:
Prioritizes and plans work activities, organizes personal and project timelines and deadlines, tracks project timelines and deadlines, and uses time efficiently.
Adaptability:
Adapts to changes in the work environment, manages competing demands and is able to deal with frequent interruptions, changes, delays, or unexpected events.
Dependability:
Consistently on time and at work, responds to management expectations and solicits feedback to improve performance.
Team Building:
Capable of developing strong interpersonal networks and trust within the organization.
Safety Culture:
Adheres to the NuScale safety culture and is expected to model safe behavior and influence peers to meet high standards.
Quality Assurance:
Commits to the understanding and implementation of quality assurance regulations, standards and guidelines of 10 CFR 50 Appendix B, 10 CFR 21, and NQA-1.
MINIMUM SKILLS, QUALIFICATIONS AND ABILITIES
Education/Certification:
A minimum of a bachelor's degree in Cybersecurity, Computer Science, Engineering, or related field is required. Alternatively, an additional 4 years (12 years total) of equivalent full-time nuclear industry cyber security experience may be considered in lieu of a degree.
NSCP 800-161 Foundation Certificate or equivalent is required. Professional certifications such as CISSP, CISM, CRISC, GICSP, CISA, or ISA/IEC 62443 certificates are preferred.
Experience:
A minimum of 8 years of full-time cybersecurity experience with a focus on supply chain risk, vendor management, or secure procurement is required. Must have experience across OT/ICS and IT cybersecurity, including digital I&C systems, embedded controllers, industrial networking, and enterprise IT infrastructure.
Additional required experience includes:
Detailed knowledge of NIST SP 800‑161, NIST SP 800‑82, and NIST SP 800‑53 control families related to supply chain, assurance, and risk assessment (SR/SA/RA/PM). Familiarity with nuclear regulatory guidance including NEI 08‑09, RG 5.71, and RIS 2015‑08 Rev 1. Demonstrated ability to lead cross‑disciplinary teams and manage complex supplier ecosystems. Strong written and verbal communication skills; ability to influence at all organizational levels. Experience in nuclear energy, critical infrastructure, or similarly regulated sectors preferred. Working knowledge of SBOM formats (SPDX, CycloneDX) and secure software development lifecycle (SSDLC) practices (e.g., NIST SP 800-218). Understanding of OT protocols, deterministic network architectures, physical/functional separation concepts, and secure digital I&C implementation (e.g., Regulatory Guide 1.152, Revision 3, Regulatory Position C.2).
Industry Requirements:
Eligible to work under Department of Energy 10 CFR Part 810.
PHYSICAL DEMANDS
The physical demands described are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. Ability to understand and communicate clearly using a phone, personal interaction, and computers. Ability to learn new job functions and comprehend and understand new concepts quickly and them accurately in a rapidly evolving environment. The employee is frequently required to sit and stand; walk; bend; use hands to operate office equipment; and reach with hands and arms. Ability to lift ten to fifteen pounds.
Disclaimer:
Employee(s) must perform the essential duties and responsibilities with or without reasonable accommodation efficiently and accurately without causing significant safety threat to self or others. The above statements are intended to describe the general nature and level of work being performed by employee(s) assigned to this classification. They are not intended to be construed as an exhaustive list of all responsibilities, duties and/or skills required of all employees in this classification. NuScale Power, LLC is an equal opportunity employer and does not discriminate against otherwise qualified applicants on the basis of race, color, creed, religion, ancestry, age, sex, marital status, national origin, disability or handicap, or veteran status.
Pay and Benefits:
The target pay range for this position is $165,576 - $199,833 annually. The full pay range is $148,447 - $232,188 annually. At NuScale, compensation decisions are determined using factors such as relevant job-related skills, full-time working experience, education and training, equity within the department.
