Risk Management Framework (RMF) Lead

About The Position

Requirements

• 5 years with BS/BA; 3 years with MS/MA; 0 years with PhD
• Active TS/SCI clearance.
• Master’s degree or Ph.D. in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, Software Engineering, or a related field; OR Relevant DoD/military training (examples: 4C‑FA26A; M09CHN1; A‑531‑0009; Information Systems Security Manager (Advanced) Playlist); OR Relevant professional certification or equivalent experience (examples: CISM; CISSP; CISSP‑ISSMP; FITSP‑M; GCIA; GCIH; GICSP; GSLC).
• Cybersecurity, RMF, or systems authorization experience with experience leading RMF/ATO efforts in DoD or large enterprise environments.
• Deep knowledge of NIST SP 800‑53/800‑37, RMF control families, eMASS workflows, evidence collection, and POA&M management.
• Proven ability to lead assessments, adjudicate control findings, produce SSP/SAR artifacts, and brief senior leadership on authorization decisions and risk posture.
• Strong stakeholder coordination skills to drive remediation, validate mitigations, and integrate RMF into development and operations lifecycles.
• Experience implementing RMF automation, dashboards, and process improvements to increase audit readiness and reduce authorization timeframes.

Nice To Haves

• Prior DoD/ARNG RMF lead or ISSM/ISSO leadership experience.
• Familiarity with cloud authorization patterns, continuous monitoring tooling, and integrating RMF into DevSecOps pipelines.
• Advanced certifications (CISM, CISSP, GICSP) and experience with enterprise accreditation programs.

Responsibilities

• Guide enterprise RMF implementation: develop RMF plans, concepts of operations, authorization strategies, and organization‑wide risk management approaches.
• Coordinate selection, implementation, assessment, and continuous monitoring of security controls across system lifecycles and integrate RMF activities with eMASS workflows.
• Lead and conduct RMF assessments and authorization activities with Government leads; prepare quarterly RMF status updates and assessment reports.
• Advise leadership on risk tolerance, residual risk, mitigation options, and authorization decisions; translate RMF findings into actionable remediation roadmaps and POA&Ms.
• Align RMF documentation with cybersecurity artifacts (SSP, SAR, SCA evidence) to present a coherent enterprise risk picture and support accreditation.
• Establish RMF governance processes, control validation practices, evidence collection standards, and automation opportunities to improve repeatability and audit readiness.
• Coordinate cross‑functional stakeholders (engineering, ISSM/ISSO, CIRT, ops, acquisition) to validate controls, verify mitigations, and close authorization actions.
• Produce decision‑grade briefings, RMF metrics/dashboards, and executive summaries for program and senior leadership.

Benefits

• Overtime
• Shift differential
• Discretionary bonus