Information Systems Security Analyst jobs in United States

Ctac · 2 weeks ago

Information Systems Security Analyst

CTAC is seeking an experienced Information Systems Security Analyst to support a federal program focused on achieving and sustaining an Authority to Operate (ATO) for a complex, multi-tenant AWS cloud environment. This role is responsible for executing Risk Management Framework (RMF) activities across the full NIST lifecycle, emphasizing control validation and documentation.

Enterprise Resource Planning (ERP)
No H1B · Security Clearance Required

Responsibilities

Execute and support the full NIST Risk Management Framework (RMF) lifecycle (Categorize, Select, Implement, Assess, Authorize, Monitor) for ORNL’s AWS multi-tenant platform
Perform control-by-control gap analysis against NIST SP 800-53, identifying incomplete, partially implemented, or undocumented controls
Develop, update, and maintain RMF artifacts, including: System Security Plan (SSP), Control implementation narratives, POA&M, Continuous Monitoring documentation, Objective evidence mappings
Partner closely with cloud architects and engineers to validate technical control implementations and support remediation activities within AWS
Support assessment and authorization activities, including direct engagement with assessors, auditors, and ORNL security stakeholders
Track, document, and manage risks, findings, and remediation activities in accordance with federal RMF expectations
Ensure security documentation accurately reflects the operational state of the environment and remains audit-ready throughout the engagement
Support the use of governance, risk, and compliance (GRC) tools (e.g., eMASS, Kion, or equivalent) to manage controls, evidence, and reporting
Contribute to sprint planning and execution by aligning RMF activities with engineering and documentation deliverables
Assist in the development or refinement of security policies, procedures, and standards where gaps exist
Provide subject matter expertise on federal security requirements, best practices, and emerging guidance relevant to cloud-hosted systems

Qualification

NIST SP 800-53, Risk Management Framework (RMF), AWS Security, FISMA requirements, CISSP certification, CISM certification, Analytical skills, Organizational skills, Communication skills

Required

Bachelor's degree in Information Security, Cybersecurity, Information Technology, or a related discipline (or equivalent experience)
10+ years of progressive experience in cybersecurity, information assurance, or RMF-focused security roles supporting federal systems
Demonstrated hands-on experience supporting ATO packages for federal cloud or hybrid environments
Deep working knowledge of: NIST SP 800-53, NIST SP 800-37, FISMA requirements, Federal A&A processes
Strong experience developing and maintaining SSPs, POA&Ms, and RMF evidence
Experience working with cloud (Amazon Web Services) security environments, including validation of technical control implementations
Ability to clearly document complex technical and compliance concepts for both technical and non-technical audiences
Proven ability to collaborate across engineering, security, and program management teams
Strong analytical, organizational, and communication skills
Ability to obtain and maintain a Public Trust (or higher) clearance

Preferred

Master's degree in Cybersecurity, Information Systems, or a related field
Active CISSP and/or CISM certification
Experience supporting multi-tenant cloud platforms and control inheritance models
Familiarity with Infrastructure as Code (IaC) concepts and how automation supports compliance
Experience supporting federal research, scientific, or mission-driven environments
Prior experience working in agile or sprint-based delivery models for RMF execution

Company

Ctac

CTAC is an IT services company specialized in the design, development and implementation of SAP systems.

Funding

Current Stage: Public Company
Total Funding: unknown
IPO: 2001-01-05
Company data provided by crunchbase