Compliance and Risk Analyst

Edgewater Federal Solutions, Inc.
Albuquerque, NM
Onsite

About The Position

The Compliance and Risk Analyst supports the Agency’s IT and cybersecurity compliance program by assessing risk, maintaining audit-ready documentation, and tracking corrective actions to closure. This role works across cybersecurity, IT operations, and program management stakeholders to ensure security and administrative controls are documented, implemented, and evidenced in alignment with applicable federal requirements under the strategic oversight of the Agency CIO/PMO.

Requirements

  • Bachelor’s degree in Information Assurance, Risk Management, or related field.
  • 5+ years of experience in IT compliance and risk assessments.
  • Familiarity with OMB A-123, GAO Green Book, and NIST frameworks.
  • Strong analytical skills with the ability to translate requirements into actionable control evidence, remediation plans, and stakeholder-ready reporting.
  • Strong written and verbal communication skills, including experience producing audit-ready documentation.

Nice To Haves

  • Experience supporting RMF/ATO package development or sustainment in a federal environment.
  • Experience supporting independent assessments/audits (e.g., OIG/GAO) and managing evidence requests and responses.
  • Familiarity with POA&M management, corrective action tracking, and risk acceptance/exception processes.
  • Experience supporting continuous monitoring, vulnerability management reporting, and security metrics development.
  • Experience working with configuration management/change control processes and documentation repositories.

Responsibilities

  • Maintain audit readiness and documentation by developing, organizing, and updating evidence artifacts to support internal reviews and external audits.
  • Support Security Assessment & Authorization (RMF/SA&A) activities by assisting with SSP updates, control implementation evidence collection, risk assessments, and POA&M development and maintenance.
  • Support FISMA reporting and CDM efforts by validating inputs, maintaining supporting evidence, and tracking submissions and due dates.
  • Conduct compliance and risk assessments against applicable frameworks (e.g., NIST) and Agency policies; document findings, recommendations, and required corrective actions.
  • Develop and maintain compliance tracking artifacts (e.g., risk registers, control compliance matrices, and corrective action trackers) with clear owners, milestones, and closure evidence.
  • Draft, update, and maintain cyber policy and regulatory documentation (policies, procedures, and SOPs) and ensure updates are communicated and incorporated into operational practice.
  • Coordinate with stakeholders on configuration management and change control documentation needs to ensure changes remain traceable and auditable.
  • Support ongoing compliance oversight by monitoring adherence to administrative controls and required processes; identify gaps and recommend improvements.
  • Prepare compliance status summaries and risk briefings for leadership and stakeholders, including progress on remediation and audit observations.