Risk Management Framework (RMF) Analyst

About The Position

Requirements

• Minimum of five (5) years of experience designing and integrating enterprise and system security architectures across the development lifecycle
• Minimum of three (3) years of experience conducting RMF-related assessments of management, operational, and technical security controls within DoD IT systems
• Minimum of three (3) years of experience providing project management, subject matter expertise, and hands-on support for system certification and accreditation efforts in accordance with DoD/DoN cybersecurity policies and RMF guidance
• Eligibility for Top Secret / Sensitive Compartmented Information (TS/SCI).

Responsibilities

• Apply enterprise and system-level security architecture principles to support OPTEVFOR Cyber OT&E missions
• Support RMF activities across all steps, including system categorization, control selection, control implementation, assessment, authorization, and continuous monitoring
• Provide RMF support consistent with the RMF Process Guide (RPG) for the Information Systems Security Engineer (ISSE) role
• Evaluate security architectures and designs to determine adequacy and alignment with mission and enterprise objectives
• Define and document the impact of new systems, interfaces, or changes on overall security posture
• Create, review, update, and validate cybersecurity Standard Operating Procedures (SOPs)
• Maintain inventories of authorized software, Government Furnished Equipment (GFE), and removable media
• Maintain and update all RMF and A&A documentation to ensure accuracy, relevance, and alignment with OPTEVFOR Cyber OT&E assets, including required updates in eMASS
• Ensure traceability across all RMF artifacts, including: A&A Plans Plans of Action and Milestones (POA&Ms) Security Assessment Reports (SARs) Network topologies Software inventories Ports, protocols, and services Test plans
• Maintain system and network documentation in DoD IT Portfolio Repository–DoN (DITPR-DON) / DADMS
• Maintain documentation and registration of network ports, protocols, services, and circuits, including GIAP and SNAP
• Track and report weekly status of all outstanding A&A actions and supporting documentation
• As a member of the Configuration Control Board (CCB), ensure approved changes are accurately and timely reflected in A&A documentation
• Conduct comprehensive annual RMF package reviews to ensure continued compliance of Cyber OT&E toolsets, networks, and systems
• Execute DISA STIG validations in conjunction with RMF/A&A reviews in accordance with DoDI 8510 series
• Audit and validate system and network configurations against STIGs; define and implement compensating controls when required to support mission execution
• Support compliance validation for current and emerging directives (e.g., IAVs, STIGs, TASKORDs, CTOs)
• Provide recommendations for corrective actions to remediate non-compliant security controls
• Prepare and maintain vulnerability scan results, system security assessments, and configuration management findings to inform authorization decisions
• Document assessment activities and results in sufficient detail to support independent external review
• Develop or contribute to security test plans and supporting documentation to verify security control implementation and inform ongoing risk determinations
• Conduct and document semi-annual tabletop exercises (twice per calendar year)
• Review and analyze IT contingency and disaster recovery plans for compliance with NIST and DoN requirements
• Develop system-specific contingency planning checklists and support contingency plan exercises and training
• Work independently or in small teams to resolve tasks with minimal supervision