About The Position

CGI is seeking a Risk Management Framework/Authority to Operate (RMF/ATO) Analyst to support an SAP S/4HANA Greenfield implementation project for a large government contract. As the RMF/ATO Analyst, you will support the security compliance lifecycle for an SAP federal financials implementation, ensuring the system meets all FISMA, NIST RMF, GAO FISCAM, FedRAMP, and agency-specific requirements. You will work closely with the SAP Basis, Security, Functional, and Infrastructure teams to develop, maintain, and validate all security artifacts required to obtain and sustain an Authority to Operate (ATO). You will also serve as a government-designated AISSO for the project. This position is located in one of CGI Federal’s offices in Fairfax, VA; Lebanon, VA; Lafayette, LA; or Knoxville, TN; however, a hybrid working model is acceptable. You will be required to work in a CGI Federal office two days per week.

Requirements

  • Due to contract requirements, U.S. citizenship and successful completion of a CGI background check are required prior to starting work.
  • Candidates must also have the ability to obtain and maintain a DHS EOD/Public Trust clearance.
  • 3–6 years of experience supporting RMF, FISMA, or federal cybersecurity compliance.
  • Understanding of NIST SP 800-37, 800-53, 800-30, and related federal security publications.
  • Experience supporting enterprise-class systems.
  • Familiarity with system architecture diagrams, network security principles, and cloud/on-prem hosting models.
  • Ability to manage moderately complex work independently and escalate appropriately.
  • Strong writing and documentation skills.

Nice To Haves

  • Experience with federal SAP Financials (FM, FI/CO, SD/AR), SAP Basis, or SAP Security Role Design teams.
  • Familiarity with government GAO FISCAM security controls for financial systems.
  • Experience with GRC tools (JCAM/CSAM), scanner outputs (ACAS, Nessus, AppDetective), and SIEM platforms.
  • Relevant certifications (Security+, CAP, CISSP, Associate of CISSP, CISM).

Responsibilities

  • Support all phases of the NIST RMF (Categorize → Select → Implement → Assess → Authorize → Monitor) for SAP financial modules (FM/GL, SD/AR, FI/CO, BW/BI, Procurement, etc.).
  • Develop and maintain ATO package artifacts.
  • Ensure the official government FISMA record and artifacts are updated as required in the government JCAM/CSAM GRC system.
  • Support the Security Control Assessor (SCA) during walkthroughs, evidence collection, interviews, and testing.
  • Perform internal control reviews for both NIST security controls and FISCAM internal controls, and conduct readiness assessments prior to formal assessments.
  • Track, resolve, and validate findings from vulnerability scans, penetration tests, and audit actions.
  • Coordinate with SAP Security Role Design teams to ensure authorization concepts align with RMF control requirements and best practices.
  • Validate the implementation of logging, audit trails, and monitoring across SAP.
  • Support triage and remediation of ongoing vulnerabilities and compliance items.
  • Carry out assigned duties in the AISSO role.

Benefits

  • Competitive compensation
  • Comprehensive insurance options
  • Matching contributions through the 401(k) plan and the share purchase plan
  • Paid time off for vacation, holidays and sick time
  • Paid parental leave
  • Learning opportunities and tuition assistance
  • Wellness and well-being programs