Security Assessment and Authorization Analyst, Associate

About The Position

Requirements

• Bachelor's degree or equivalent experience
• Six (6) years of hands-on experience supporting federal IT security, SA&A, and RMF implementations
• Strong experience with FISMA , NIST RMF , and FedRAMP
• In-depth knowledge of NIST SP 800-53, 800-37, 800-18, 800-34, 800-63
• Experience performing FIPS 199 categorizations and control baseline determinations
• Hands-on development and maintenance of SSPs, SARs, POA&Ms, CPs, CMPs
• Understanding of Windows, Linux, and UNIX operating systems security concepts
• Familiarity with network security architecture , including firewalls, IDS/IPS, routers, and switches
• Experience assessing web applications, databases, and enterprise platforms
• Knowledge of authentication, access control, encryption, and key management
• Experience with SCAP-compliant vulnerability scanning tools
• Familiarity with NIH Security Assessment Tool (NSAT) or similar GRC platforms
• Experience reviewing security artifacts from cloud service providers (AWS, Azure, GCP) in a FedRAMP context
• Proficiency with Microsoft Office, SharePoint , and documentation collaboration tools

Nice To Haves

• Prior experience supporting NIH, HHS, or other federal health or research organizations
• Experience supporting high- or moderate-impact (FIPS 199) systems
• Familiarity with biomedical research environments and data protection requirements
• Security certifications such as CISSP, CISM, CAP, or Security+

Responsibilities

• Execute Risk Management Framework (RMF) activities aligned with NIST SP 800-37, including system categorization, control selection, implementation review, assessment support, authorization, and continuous monitoring.
• Develop, update, and maintain System Security Plans (SSPs) aligned with NIST SP 800-18, documenting system architecture, data flows, boundary definitions, and control implementations.
• Support system ATO and re-authorization cycles, including package development and remediation tracking.
• Maintain and update SA&A artifacts within NIH Security Assessment Tool (NSAT).
• Review SA&A documentation with a goal of preparation and successful mediation of any audits (e.g. IG and GAO).
• Maintain GSS system inventory, and Security Program and any additional artifacts.
• Conduct annual/periodic disaster recovery tabletop test, application contingency tabletop tests, critical processes testing and update of the Client Disaster Recovery Plan as necessary.
• Provide technical guidance and validation for NIST SP 800-53 security and privacy controls, including management, operational, and technical controls.
• Support FIPS 199 / FIPS 200 security categorization and baseline selection for systems and applications.
• Review and validate Security Assessment Reports (SAR) and translate findings into actionable remediation steps.
• Develop and maintain Plans of Action and Milestones (POA&M), ensuring timely mitigation of high and medium risks in accordance with NIH timelines.
• Review and analyze vulnerability scan results from SCAP-compliant tools covering operating systems, databases, web applications, and network devices.
• Validate compliance with USGCB, DISA STIGs, CIS Benchmarks, and NIH configuration standards.
• Support Configuration Management Plans (CMP) and configuration baseline documentation.
• Work with system owners and infrastructure teams to assess configuration changes for security impact and approval.
• Support SA&A activities for cloud-based and hybrid systems, including systems operating under FedRAMP-authorized CSPs.
• Review FedRAMP security packages (SSP, SAR, POA&M) and map controls to NIH/HHS agency requirements.
• Assist in identifying gaps between FedRAMP baselines and agency-specific security requirements.
• Conduct technical reviews for Privacy Threshold Analyses (PTA) and Privacy Impact Assessments (PIA).
• Evaluate system handling of PII, PHI, and sensitive research data, ensuring compliance with Privacy Act, OMB, and NIH privacy requirements.
• Support Interconnection Security Agreements (ISA) and Data Use Agreements (DUA).
• Support development and maintenance of Incident and Breach Response Plans (IRP) in alignment with HHS, NIH, and US-CERT requirements.
• Assist in incident response activities, including IOC analysis, coordination with CSIRC/IRT teams, and documentation.
• Develop, test, and update Contingency Plans (CP) and Disaster Recovery Plans (DRP) in accordance with NIST SP 800-34.
• Participate in and document annual tabletop exercises and contingency plan testing.

Benefits

• LCG offers a competitive, comprehensive benefits package which includes health insurance options (medical, dental, vision), life and disability insurance, retirement plan contributions, as well as paid leave, federal holidays, professional development, and lifestyle benefits.