Cybersecurity Risk Management Analyst

About The Position

Requirements

• Bachelor’s degree in Cybersecurity, Information Technology, or related field (or equivalent experience).
• 2–5 years of experience in cybersecurity, risk management, or A&A within a federal or regulated environment.
• CompTIA Security+ certification
• Working knowledge of the NIST Risk Management Framework (RMF) and associated publications (e.g., SP 800-53, SP 800-37, FIPS 199).
• Experience developing or maintaining A&A documentation (e.g., SSPs, SARs, POA&Ms).
• Familiarity with External Services assessments and/or FedRAMP authorization concepts.
• Demonstrated experience contributing to or reviewing at least one complete ATO package (e.g., SSP, SAR, POA&M lifecycle).
• Proven track record of logical and critical thinking, sophisticated writing skills, superior organizational skills, and excellent planning and time management skills.
• Strong attention to detail
• Must pass pre-employment qualifications of Cherokee Federal

Responsibilities

• Create, manage, maintain, and improve NSF A&A documentation and processes (e.g., SSPs, SARs, POA&Ms, security inventories, PTAs, PIAs, and internal reports to management), ensuring completeness, accuracy, and alignment with NIST RMF (SP 800-37, SP 800-53 Rev. 5) and NSF standards.
• Perform control assessments by analyzing technical, procedural, and operational evidence; document results and support risk determinations, POA&M management, and ongoing authorization activities.
• Collaborate with system owners, ISSOs, and engineers to gather artifacts, validate control implementations, and maintain authorization packages across the system lifecycle.
• Conduct cybersecurity assessments and develop a continuous monitoring plan for cloud services in compliance with FedRAMP and other federal requirements.
• Evaluate External Services (e.g., SaaS, PaaS, IaaS) for inclusion within authorization boundaries by reviewing service documentation, analyzing controls, and documenting risks, dependencies, and shared responsibility models; review authorization packages from FedRAMP to assess applicability and identify gaps.
• Support continuous monitoring and SecCM activities by analyzing vulnerability and configuration data (e.g., scan results), validating remediation actions, and identifying trends or systemic risks across systems.
• Customize DISA STIGs and CIS Benchmarks to create and maintain standardized “gold” audit files for systems in use at NSF; leverage Tenable Security Center to support the Security-Focused Configuration Management process.
• Contribute to broader risk management efforts, including identifying cross-system or program-level risks, supporting audit and compliance activities (e.g., OIG), and incorporating findings from assessments, incidents, and external reviews into risk posture and reporting.
• Perform peer reviews of A&A artifacts and related documentation to ensure technical accuracy, consistency, and adherence to established standards; contribute to team deliverables and coordination across Cybersecurity Oversight and Compliance functions.
• Performs other job-related duties as assigned

Benefits

• Medical
• Dental
• Vision
• 401K