About The Position

We are seeking an experienced and highly motivated Risk Management Framework (RMF), Security, and Authorization to Operate (ATO) Manager to serve as the Contractor’s lead responsible for cybersecurity compliance, RMF lifecycle execution, and authorization activities supporting a mission-critical enterprise platform within the Department of Veterans Affairs (VA) environment. In this role, you will coordinate closely with the Program Manager, Technical Directors, and Government cybersecurity stakeholders (e.g., AO, ISSO, ISO) to ensure continuous compliance with Federal cybersecurity requirements and uninterrupted ATO status across all supported systems and services. The RMF, Security, and ATO Manager will oversee all cybersecurity, compliance, and authorization activities across a complex cloud-hosted platform, ensuring alignment with VA security policies, NIST RMF processes, and continuous monitoring requirements. This position requires deep expertise in Federal cybersecurity frameworks, RMF lifecycle management, and secure cloud or hybrid environments supporting healthcare systems and Protected Health Information (PHI).

Requirements

  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field.
  • 7+ years of experience in cybersecurity, information assurance, or RMF/ATO management roles supporting Federal or mission-critical application environments.
  • Strong expertise in NIST SP 800-53 controls, RMF lifecycle processes, and Federal cybersecurity compliance frameworks (FISMA, NIST, OMB).
  • Demonstrated experience managing ATO processes, continuous monitoring programs, and security compliance for cloud or hybrid environments.
  • Experience supporting enterprise platforms and applications, including containerized or cloud-native architectures.
  • Active CISSP, CISM, or equivalent advanced cybersecurity certification.
  • Experience managing vulnerability management programs, POA&M tracking, and security mitigation strategies.
  • Strong understanding of incident response, contingency planning, and system recovery processes.
  • Excellent communication and stakeholder management skills, with the ability to interface with Government security leadership.
  • Experience supporting RMF/ATO activities within VA or similar environments, with awareness of tools like eMASS and SNOWCAM and related governance practices.
  • Understanding of federal/VA cybersecurity guidelines, including Directive 6500, TRM compliance concepts, and Zero Trust frameworks.
  • Candidates must be eligible to obtain and maintain a Public Trust clearance.

Nice To Haves

  • Experience supporting AWS GovCloud or similar Federal cloud environments, including containerized platforms (e.g., Kubernetes/EKS).
  • Experience managing cybersecurity for systems handling Protected Health Information (PHI), including HIPAA and Business Associate Agreement (BAA) compliance.
  • Familiarity with continuous monitoring (CONMON), vulnerability scanning tools (e.g., Nessus), and Federal reporting requirements.
  • Experience supporting large-scale Federal programs with complex, multi-system authorization boundaries.
  • Experience aligning DevSecOps pipelines with RMF requirements, including automated security testing and compliance validation.

Responsibilities

  • Lead all Risk Management Framework (RMF) and Authorization to Operate (ATO) activities across the platform and hosted applications.
  • Manage the full RMF lifecycle (Categorize, Select, Implement, Assess, Authorize, Monitor) to ensure continuous compliance and no lapse in authorization status.
  • Coordinate directly with Government stakeholders (AO, ISSO, ISO) to support authorization efforts, renewals, and significant change requests.
  • Oversee development and maintenance of all required security documentation, including System Security Plans (SSPs), POA&Ms, Security Assessment Reports, contingency plans, and authorization artifacts.
  • Ensure all documentation remains accurate, current, and aligned with system architecture, operations, and control implementations.
  • Ensure compliance with Federal and healthcare security requirements, including NIST SP 800-53, FISMA, HIPAA, and VA cybersecurity policies.
  • Lead continuous monitoring (CONMON) activities, including vulnerability scanning, remediation tracking, and compliance reporting.
  • Manage POA&M lifecycle, ensuring timely updates, mitigation tracking, and closure of findings.
  • Identify, track, and mitigate cybersecurity risks impacting system authorization and operational readiness.
  • Ensure vulnerabilities are prioritized and resolved within required timelines and escalate high-risk issues as needed.
  • Coordinate with engineering, DevSecOps, and operations teams to ensure security controls are implemented and validated across cloud and application environments.
  • Support integration of security practices into CI/CD pipelines, including automated testing (SAST, DAST, container scanning, IaC validation).
  • Support incident response activities from a security perspective, ensuring proper documentation, root cause analysis, and corrective actions.
  • Lead preparation for security audits, assessments, and compliance reviews, including tracking and remediation of findings.
  • Provide regular reporting to VA stakeholders on ATO status, system security posture, risk exposure, and remediation progress.
  • Serve as the primary cybersecurity liaison, ensuring clear communication between the delivery team and Government leadership.