LCG - posted 4 days ago
$70,000 - $130,000/Yr
Full-time • Entry Level
Onsite • Baltimore, MD

The Security Assessment and Authorization Analyst, Associate will provide technical Security Assessment and Authorization (SA&A) support for biomedical research and enterprise IT systems supporting the NIH Client. This role blends policy-driven RMF compliance with hands-on technical security review, continuous monitoring, and system risk analysis. Working under the direction of the Federal Lead / Information System Security Officer (ISSO), the analyst will support system authorization activities, vulnerability management, configuration compliance, privacy assessments, and incident response coordination in accordance with FISMA, NIST, HHS, NIH, and FedRAMP requirements. The role requires close collaboration with system owners, infrastructure teams, application teams, and the Client SA&A team.

  • Execute Risk Management Framework (RMF) activities aligned with NIST SP 800-37, including system categorization, control selection, implementation review, assessment support, authorization, and continuous monitoring.
  • Develop, update, and maintain System Security Plans (SSPs) aligned with NIST SP 800-18, documenting system architecture, data flows, boundary definitions, and control implementations.
  • Support system ATO and re-authorization cycles, including package development and remediation tracking.
  • Maintain and update SA&A artifacts within NIH Security Assessment Tool (NSAT).
  • Review SA&A documentation with the goal of preparing for, and successfully mediating, any audits (e.g., IG and GAO).
  • Maintain the GSS system inventory, the Security Program, and any additional artifacts.
  • Conduct annual/periodic disaster recovery tabletop tests, application contingency tabletop tests, and critical process testing, and update the Client Disaster Recovery Plan as necessary.
  • Provide technical guidance and validation for NIST SP 800-53 security and privacy controls, including management, operational, and technical controls.
  • Support FIPS 199 / FIPS 200 security categorization and baseline selection for systems and applications.
  • Review and validate Security Assessment Reports (SAR) and translate findings into actionable remediation steps.
  • Develop and maintain Plans of Action and Milestones (POA&M), ensuring timely mitigation of high and medium risks in accordance with NIH timelines.
  • Review and analyze vulnerability scan results from SCAP-compliant tools covering operating systems, databases, web applications, and network devices.
  • Validate compliance with USGCB, DISA STIGs, CIS Benchmarks, and NIH configuration standards.
  • Support Configuration Management Plans (CMP) and configuration baseline documentation.
  • Work with system owners and infrastructure teams to assess configuration changes for security impact and approval.
  • Support SA&A activities for cloud-based and hybrid systems, including systems operating under FedRAMP-authorized CSPs.
  • Review FedRAMP security packages (SSP, SAR, POA&M) and map controls to NIH/HHS agency requirements.
  • Assist in identifying gaps between FedRAMP baselines and agency-specific security requirements.
  • Conduct technical reviews for Privacy Threshold Analyses (PTA) and Privacy Impact Assessments (PIA).
  • Evaluate system handling of PII, PHI, and sensitive research data, ensuring compliance with Privacy Act, OMB, and NIH privacy requirements.
  • Support Interconnection Security Agreements (ISA) and Data Use Agreements (DUA).
  • Support development and maintenance of Incident and Breach Response Plans (IRP) in alignment with HHS, NIH, and US-CERT requirements.
  • Assist in incident response activities, including IOC analysis, coordination with CSIRC/IRT teams, and documentation.
  • Develop, test, and update Contingency Plans (CP) and Disaster Recovery Plans (DRP) in accordance with NIST SP 800-34.
  • Participate in and document annual tabletop exercises and contingency plan testing.
  • Bachelor's degree or equivalent experience
  • Six (6) years of hands-on experience supporting federal IT security, SA&A, and RMF implementations
  • Strong experience with FISMA, NIST RMF, and FedRAMP
  • In-depth knowledge of NIST SP 800-53, 800-37, 800-18, 800-34, 800-63
  • Experience performing FIPS 199 categorizations and control baseline determinations
  • Hands-on development and maintenance of SSPs, SARs, POA&Ms, CPs, CMPs
  • Understanding of Windows, Linux, and UNIX operating systems security concepts
  • Familiarity with network security architecture, including firewalls, IDS/IPS, routers, and switches
  • Experience assessing web applications, databases, and enterprise platforms
  • Knowledge of authentication, access control, encryption, and key management
  • Experience with SCAP-compliant vulnerability scanning tools
  • Familiarity with NIH Security Assessment Tool (NSAT) or similar GRC platforms
  • Experience reviewing security artifacts from cloud service providers (AWS, Azure, GCP) in a FedRAMP context
  • Proficiency with Microsoft Office, SharePoint, and documentation collaboration tools
  • Prior experience supporting NIH, HHS, or other federal health or research organizations
  • Experience supporting high- or moderate-impact (FIPS 199) systems
  • Familiarity with biomedical research environments and data protection requirements
  • Security certifications such as CISSP, CISM, CAP, or Security+
  • LCG offers a competitive, comprehensive benefits package which includes health insurance options (medical, dental, vision), life and disability insurance, retirement plan contributions, as well as paid leave, federal holidays, professional development, and lifestyle benefits.