[Contingent] Cybersecurity Risk & Compliance Analyst (SCA)

Phia LLC, Fairfax, VA, US
Hybrid

About The Position

This position is in support of a current government proposal and is contingent upon contract award. Phia is seeking an experienced Cybersecurity Risk & Compliance Analyst (SCA) to perform independent security and privacy control assessments for a federal client's information systems. This role requires specialized expertise in NIST SP 800-53A assessment procedures and experience with both classified and unclassified National Security Systems (NSS). The analyst will independently assess security and privacy controls, develop Security Assessment Test Plans (SATP), produce Security Assessment Reports (SAR), and create Plans of Action and Milestones (POA&M), maintaining strict assessor independence throughout.

Requirements

  • Independent Assessor: You take the independence requirement seriously and understand why objective assessment is critical to the integrity of the authorization process.
  • NIST 800-53A Expert: You develop assessment procedures from NIST SP 800-53A, select appropriate assessment methods for each control type, and document findings with precision and rigor.
  • Classified Systems Experienced: You have assessed classified or National Security System programs and understand the additional requirements and sensitivities involved.
  • Evidence-Driven: You back assessment findings with concrete evidence. Your SARs stand up to rigorous government review.
  • Tool-Proficient: You use SIEM platforms, vulnerability scanners, and compliance tools to gather real-time control performance data rather than relying solely on documentation review.
  • Clear Writer: Your SARs and POA&Ms are readable, technically accurate, and useful.
  • Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or related field
  • 8+ years of cybersecurity expertise
  • 5+ years specialized in assessing classified and unclassified programs, National Security Systems, and applying NIST SP 800-53A control assessment procedures
  • Minimum one (1) of the following certifications: CISA (ISACA), CRISC (ISACA), CISSP (ISC2), CGRC (ISC2)
  • Public Trust / Suitability clearance required
  • Must be a U.S. Citizen.

Nice To Haves

  • Prior SCA experience for federal agency information systems
  • Experience assessing cloud-hosted systems for FedRAMP compliance (SaaS, PaaS, IaaS)
  • Experience using federal authorization management platforms for assessment documentation and SAR generation
  • Experience with SCAP-compliant scanning tools and automated control evidence collection
  • CNSS Instruction 1253 experience for National Security Systems assessment
  • Hands-on experience with tools such as Splunk, Nessus/Tenable, and Crowdstrike for assessment evidence gathering

Responsibilities

  • Develop comprehensive Security Assessment Test Plans (SATP) defining assessment procedures, scope, methodology, and evidence requirements per NIST SP 800-53A.
  • Conduct independent assessments of security and privacy controls - including system-specific, hybrid, and common controls - using examination, interview, and testing assessment methods.
  • Collect and analyze control performance evidence using SIEM platforms, vulnerability management tools, and compliance scanning tools.
  • Produce Security and Privacy Assessment Reports (SAR) documenting assessment findings, control effectiveness determinations, and remediation recommendations.
  • Assess both classified and unclassified information systems, including National Security Systems (NSS), in accordance with applicable NIST and federal standards.
  • Review identified weaknesses and deficiencies: determine severity and criticality, assess potential adverse impacts, and identify findings requiring immediate remediation versus POA&M tracking.
  • Develop Plans of Action and Milestones (POA&M) for all identified control weaknesses; ensure POA&Ms are technically accurate, risk-prioritized, and compliant with applicable legal requirements.
  • Update SSPP and SAR documentation based on remediation actions and subsequent system changes.
  • Support ongoing assessment activities during continuous monitoring: assess the designated subset of controls on the applicable annual assessment schedule.
  • Maintain strict assessor independence: do not assess systems for which implementation or ISSO activities were performed during the same assessment cycle.

Benefits

  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Life Insurance
  • Short Term & Long Term Disability
  • 401k Retirement Savings Plan with Company Match
  • Paid Holidays
  • Paid Time Off (PTO)
  • Tuition and Professional Development Assistance
© 2026 Teal Labs, Inc