LCG, Inc. · 2 weeks ago
Security Assessment and Authorization Analyst, Associate
LCG, Inc. is a company that provides technical Security Assessment and Authorization support for biomedical research and enterprise IT systems for the NIH Client. The Security Assessment and Authorization Analyst, Associate will be responsible for executing RMF activities, developing security plans, and supporting system authorization and compliance efforts.
Health Care · Information Technology
Responsibilities
Execute Risk Management Framework (RMF) activities aligned with NIST SP 800-37, including system categorization, control selection, implementation review, assessment support, authorization, and continuous monitoring
Develop, update, and maintain System Security Plans (SSPs) aligned with NIST SP 800-18, documenting system architecture, data flows, boundary definitions, and control implementations
Support system ATO and re-authorization cycles, including package development and remediation tracking
Maintain and update SA&A artifacts within NIH Security Assessment Tool (NSAT)
Review SA&A documentation with the goal of preparation for and successful mediation of any audits (e.g. IG and GAO)
Maintain the GSS system inventory, the Security Program, and any additional artifacts
Conduct annual/periodic disaster recovery tabletop tests, application contingency tabletop tests, and critical process testing, and update the Client Disaster Recovery Plan as necessary
Provide technical guidance and validation for NIST SP 800-53 security and privacy controls, including management, operational, and technical controls
Support FIPS 199 / FIPS 200 security categorization and baseline selection for systems and applications
Review and validate Security Assessment Reports (SAR) and translate findings into actionable remediation steps
Develop and maintain Plans of Action and Milestones (POA&M), ensuring timely mitigation of high and medium risks in accordance with NIH timelines
Review and analyze vulnerability scan results from SCAP-compliant tools covering operating systems, databases, web applications, and network devices
Validate compliance with USGCB, DISA STIGs, CIS Benchmarks, and NIH configuration standards
Support Configuration Management Plans (CMP) and configuration baseline documentation
Work with system owners and infrastructure teams to assess configuration changes for security impact and approval
Support SA&A activities for cloud-based and hybrid systems, including systems operating under FedRAMP-authorized CSPs
Review FedRAMP security packages (SSP, SAR, POA&M) and map controls to NIH/HHS agency requirements
Assist in identifying gaps between FedRAMP baselines and agency-specific security requirements
Conduct technical reviews for Privacy Threshold Analyses (PTA) and Privacy Impact Assessments (PIA)
Evaluate system handling of PII, PHI, and sensitive research data, ensuring compliance with Privacy Act, OMB, and NIH privacy requirements
Support Interconnection Security Agreements (ISA) and Data Use Agreements (DUA)
Support development and maintenance of Incident and Breach Response Plans (IRP) in alignment with HHS, NIH, and US-CERT requirements
Assist in incident response activities, including IOC analysis, coordination with CSIRC/IRT teams, and documentation
Develop, test, and update Contingency Plans (CP) and Disaster Recovery Plans (DRP) in accordance with NIST SP 800-34
Participate in and document annual tabletop exercises and contingency plan testing
Qualifications
Required
Bachelor's degree or equivalent experience
Six (6) years of hands-on experience supporting federal IT security, SA&A, and RMF implementations
Strong experience with FISMA, NIST RMF, and FedRAMP
In-depth knowledge of NIST SP 800-53, 800-37, 800-18, 800-34, 800-63
Experience performing FIPS 199 categorizations and control baseline determinations
Hands-on development and maintenance of SSPs, SARs, POA&Ms, CPs, CMPs
Understanding of Windows, Linux, and UNIX operating systems security concepts
Familiarity with network security architecture, including firewalls, IDS/IPS, routers, and switches
Experience assessing web applications, databases, and enterprise platforms
Knowledge of authentication, access control, encryption, and key management
Experience with SCAP-compliant vulnerability scanning tools
Familiarity with NIH Security Assessment Tool (NSAT) or similar GRC platforms
Experience reviewing security artifacts from cloud service providers (AWS, Azure, GCP) in a FedRAMP context
Proficiency with Microsoft Office, SharePoint, and documentation collaboration tools
Preferred
Prior experience supporting NIH, HHS, or other federal health or research organizations
Experience supporting high- or moderate-impact (FIPS 199) systems
Familiarity with biomedical research environments and data protection requirements
Security certifications such as CISSP, CISM, CAP, or Security+
Benefits
Health insurance options (medical, dental, vision)
Life and disability insurance
Retirement plan contributions
Paid leave
Federal holidays
Professional development
Lifestyle benefits
Company
LCG, Inc.
LCG is an information technology company specializing in scientific research support, grants management, and health IT services.