Risk Management Framework (RMF) Expert

About The Position

Requirements

• Demonstrated hands-on experience applying the NIST RMF (based on NIST SP 800-37 Rev. 2) across multiple RMF steps, including support for A&A/ATO outcomes.
• Proven experience producing and/or reviewing core RMF artifacts and evidence packages—SSP, SAP, SAR, POA&M (and related documentation)—and driving them to completion with stakeholders.
• Experience planning and executing (or leading) security control assessments using NIST 800-53/800-53A-aligned methods; ability to identify deficiencies, determine severity, and recommend corrective actions.
• Working knowledge of security categorization and control selection concepts (e.g., risk levels/impact-based categorization and tailoring controls) and how those choices affect the authorization package.
• Familiarity with maintaining RMF artifacts in a formal repository/GRC system (e.g., eMASS) and managing versioning, audit trails, and stakeholder reviews.
• Strong written and verbal communication skills—able to produce clear, defensible documentation and brief technical and executive audiences on risk posture and decisions.
• Bachelor’s degree (or equivalent practical experience) in cybersecurity, information assurance, information systems, or a related field (typical for RMF-focused roles).

Nice To Haves

• Experience supporting federal environments and common compliance regimes that leverage RMF (e.g., FISMA/FedRAMP-style documentation and A&A workflows).
• Experience with cloud authorization approaches and documentation expectations (including reviewing SSPs and supporting authorization decisions for cloud instantiations).
• Familiarity with vulnerability management and configuration compliance inputs that often serve as RMF evidence (e.g., scanning outputs and remediation tracking), and how those map to controls and POA&Ms.
• Professional certifications such as CISSP, CISM, CISA, CCSP, Security+, or similar (commonly requested for RMF/assessment roles).
• Experience leading small teams or acting as a workstream lead for RMF/A&A efforts (planning deliverables, setting cadence, and coordinating cross-functional contributors).
• Active security clearance or ability to obtain/maintain one (if required by the client environment).

Responsibilities

• Lead and advise teams through the full NIST Risk Management Framework (RMF) lifecycle
• Serve as the go-to Subject Matter Expert (SME) on RMF concepts
• Develop, review, and maintain RMF artifacts and authorization package documentation
• Coordinate and/or perform security control assessment activities
• Partner with system owners, engineers, ISSOs/ISSMs, assessors, and governance stakeholders
• Track remediation and risk posture over time
• Maintain RMF records in approved repositories and GRC tooling
• Facilitate working sessions and communicate clearly with both technical and non-technical audiences

Benefits

• Medical, Rx, Dental & Vision Insurance
• Personal and Family Sick Time & Company Paid Holidays
• Position may be eligible for a discretionary variable incentive bonus
• Parental Leave and Adoption Assistance
• 401(k) Retirement Plan
• Basic Life & Supplemental Life
• Health Savings Account, Dental/Vision & Dependent Care Flexible Spending Accounts
• Short-Term & Long-Term Disability
• Student Loan PayDown
• Tuition Reimbursement, Personal Development & Learning Opportunities
• Skills Development & Certifications
• Employee Referral Program
• Corporate Sponsored Events & Community Outreach
• Emergency Back-Up Childcare Program
• Mobility Stipend