Senior Cybersecurity A&A Risk Analyst

Cherokee Federal
Remote

About The Position

The Senior Cybersecurity Assessment & Authorization (A&A) Risk Analyst provides advanced governance, risk, and compliance (GRC) support to federal information systems in alignment with the Federal Information Security Modernization Act (FISMA) and the NIST Risk Management Framework (RMF). This position is responsible for managing external service authorization activities, conducting security risk assessments, and supporting the National Science Foundation's (NSF) continuous monitoring efforts. The role requires strong analytical, documentation, and stakeholder engagement skills to ensure federal systems remain compliant with applicable federal laws, regulations, and NSF directives.

Requirements

  • Bachelor’s degree in Cybersecurity, Information Technology, Public Policy, or related discipline (or equivalent experience).
  • Professional certification(s) such as CISSP, CISM, or CAP.
  • Minimum of 7 years of progressive cybersecurity experience, including at least 4 years supporting federal RMF/A&A efforts.
  • Demonstrated experience implementing the NIST Risk Management Framework.
  • Strong knowledge of:
      ◦ Federal Risk and Authorization Management Program (FedRAMP)
      ◦ NIST Special Publication 800-53 Rev. 5
      ◦ Federal Information Security Modernization Act (FISMA)
      ◦ Federal Zero Trust Strategy (OMB M-22-09)
  • Familiarity with federal cloud security requirements and FedRAMP-authorized environments.
  • Experience supporting Moderate and/or High impact systems.
  • Experience with Microsoft 365 office applications.
  • Excellent written and verbal communication skills.
  • Ability to engage effectively with technical teams and executive leadership.
  • Active Public Trust clearance or ability to obtain.

Nice To Haves

  • Experience with ServiceNow, CSAM and/or comparable GRC tools.
  • Familiarity with Atlassian Confluence and JIRA.
  • Experience contributing to enterprise-level cybersecurity policy initiatives.
  • Familiarity with guidance pertaining to responsible AI usage by federal agencies (e.g., Executive Order 13960, OMB M-25-21 and M-25-22).
  • Experience supporting federal research or grant-management systems.

Responsibilities

  • Manage full lifecycle Risk Management Framework (RMF) activities in accordance with NIST Special Publication 800-37.
  • Develop, review, and maintain security authorization documentation, including System Security Plans (SSPs), Security Assessment Plans (SAPs), Security Assessment Reports (SARs), and Plans of Action and Milestones (POA&Ms).
  • Review and assess FedRAMP authorization packages, and package updates, to support the evaluation and use of cloud services.
  • Monitor Authorization to Operate (ATO) packages in the FedRAMP Secure Repository.
  • Communicate frequently with system owners, information system security officers (ISSOs), cloud service providers (CSPs), and other security stakeholders to review significant system changes and ensure continued compliance with federal security requirements.
  • Evaluate and validate implementation of security controls defined in NIST Special Publication 800-53 Rev. 5, including inherited and agency-implemented controls.
  • Conduct risk assessments using methodologies consistent with NIST Special Publication 800-30 and provide risk analysis and recommendations to Authorizing Officials and senior stakeholders.
  • Support continuous monitoring and ongoing authorization activities by reviewing vulnerability scans, tracking POA&Ms, and coordinating remediation efforts.
  • Peer review cybersecurity policies, standards, procedures, and implementation guidance.
  • Perform regulatory and policy analysis to ensure alignment with federal requirements and agency directives.
  • Conduct gap analyses to assess compliance posture and recommend remediation strategies.
  • Assist in development of control overlays, baseline updates, and security control tailoring guidance.
  • Provide subject matter expertise in governance discussions.
  • Support enterprise reporting activities, including risk metrics and compliance dashboards in ServiceNow.
  • Provide documentation and analysis support for internal and external reviews, including FISMA reporting activities.
  • Assist in preparing responses to oversight inquiries and tracking corrective actions.
  • Perform quality assurance reviews of security documentation to ensure accuracy and consistency.