Risk Management Framework Manager

CACI International | National Harbor, MD
$103,800 - $218,100 | Onsite

About The Position

CACI is searching for a Risk Management Framework (RMF) Manager Subject Matter Expert to support the FEMA Office of the Chief Information Security Officer (OCISO) in Washington, D.C. As an RMF Subject Matter Expert, you will play a crucial role in ensuring the security and compliance of FEMA's information systems through expert guidance on security design, development, and Supply Chain Risk Management. You will work in a dynamic environment, collaborating with IT system owners, developers, stakeholders, and cybersecurity professionals to implement robust security controls from the design phase forward. Your efforts will directly contribute to safeguarding FEMA's mission-critical systems and data through advanced automation and integration.

The RMF SME will focus on security design, development, and Supply Chain Risk Management, supporting RMF implementation across FEMA systems. This position requires deep knowledge of NIST RMF, NIST Cybersecurity Framework, and DHS 4300 Series. The RMF SME will provide input into security design and development of new and existing systems, support cloud security design and migration strategies, perform code analysis of Government-off-the-shelf (GOTS) applications, and review supply chain logistics of technology within Program Offices. This role is critical for identifying security risks early in the development lifecycle and ensuring systems are designed with security in mind.

Requirements

  • U.S. Citizenship required
  • BS/BA + 15 years of applicable experience in information security and RMF
  • Minimum 7 years of experience in information security and RMF
  • Deep knowledge of NIST RMF (SP 800-37), NIST Cybersecurity Framework, and DHS 4300 Series
  • Experience with security architecture and secure system design principles
  • Experience conducting supply chain risk assessment

Nice To Haves

  • FEMA EOD suitability or Current DHS or FEMA EOD preferred

Responsibilities

  • Provide input into security design and development of new and existing systems to ensure security by design and support cloud security design, migration strategies, plans, policies, and procedures.
  • Perform static and dynamic code analysis of Government-off-the-shelf (GOTS) applications using automated tools, and provide technical analysis of source code reviews and vulnerability resolution recommendations.
  • Generate residual risk reports documenting security risks that cannot be fully mitigated and review and analyze supply chain logistics of technology within Program Offices.
  • Conduct risk analysis requiring collaboration with multiple internal and external partners, providing technical analysis of supply chain risk, and communicating findings to senior leadership monthly.
  • Participate in external agency meetings for classified and unclassified networks related to supply chain, and use automated tools to view and report on supply chain risks.
  • Support NIST Cybersecurity Framework, NIST RMF, and DHS cybersecurity requirements implementation, advise system owners on RMF process, and assist in managing risk throughout the system lifecycle.
  • Identify applicable NIST SP 800-37 RMF requirements for systems and applications and assess security posture of applications and systems to determine compliance and risk levels.
  • Prepare Static Code Analysis Reports annually or within 30 days after code release.
  • Generate Risk Analysis Reports within 0 to 15 days after analysis completion.
  • Develop POA&Ms within 0 to 15 days after issue identification.
  • Create Cybersecurity Strategy and Policy documents within 30 days after new system identification or significant modifications.
  • Develop Requirements Traceability Matrix within 10 days after system identification.
  • Produce Weekly Activity Reports and Monthly Program Reports.

Benefits

  • healthcare
  • wellness
  • financial
  • retirement
  • family support
  • continuing education
  • time off benefits