Cybersecurity Risk Management Analyst jobs in United States

Solutions By Design II, LLC (now Evolver Federal) · 2 months ago

Cybersecurity Risk Management Analyst

Evolver Federal is seeking a Cybersecurity Risk Management Analyst to support its Federal client in managing all aspects of cybersecurity risk and compliance. The role involves maintaining cybersecurity policies, managing risk and compliance programs, and developing compliance reports.

Consulting, CRM, Cyber Security, Information Technology, Infrastructure, Robotics, Software
No H1B; Security Clearance Required; U.S. Citizen Only

Responsibilities

Apply knowledge of NIST 800-53 security controls and recommend appropriate allocation to support an enterprise-wide common controls program. Advise the government client on which controls are appropriate as common controls and relevant to be inherited by all or a subset of systems in the enterprise portfolio. Also advise on system-level controls, and review and validate control inheritance
Review Control Implementation Statements to ensure proper implementation in alignment with NIST 800-53
Develop, maintain, and make recommendations for enhancing Cybersecurity Policies
Develop FISMA Metrics and Asset Management reports in compliance with requirements outlined in DHS 4300A/B
Monitor and manage FISMA Inventory and system designations (e.g., CFO, High Value Assets (HVA), Mission Essential Systems (MES), Personally Identifiable Information (PII))
Maintain and update the FISMA System Inventory Methodology and related SOPs
Provide recommendations in support of system boundary consolidation and integration of tools/databases
Communicate clearly with system owners, developers, and executive leadership on various cybersecurity, risk and compliance topics
Coordinate, schedule, develop agendas, and facilitate meetings with all levels of government and contractor stakeholders
Assist in providing support to the client in oversight of Common Control Providers across the Department
Ensure testing of common controls aligns with the Risk Management Framework (RMF) and DHS 4300 policy
Conduct annual reviews of Common Control Providers and Programs
Maintain the Common Control Implementation Guide, Methodology, and training materials
Deliver formal Department-wide Common Controls compliance training
Recommend updates to DHS 4300 policies, attachments, memos, and cybersecurity directives
Provide policy recommendations for Security Authorization, POA&Ms, Ongoing Authorization, and Document Review
Maintain and update SA Guides, DR methodologies, checklists, and templates (e.g., FIPS199, SAR, SAP, RA, CM, CP, BIA)
Develop and manage RMF-related processes, procedures, and documentation templates
Conduct gap analyses and recommend improvements to streamline, automate, and standardize cybersecurity processes across the enterprise
Identify and recommend improvements to streamline Security Authorization processes (e.g., ATO, Ongoing Authorization, FedRAMP, Reciprocity)
Provide recommendations to standardize the Security Authorization and Risk Management programs using an agile, value-driven model
Perform document reviews for all security documentation in support of initial authorization, reauthorization, and ongoing Security Authorization packages, as well as compile and prepare authorization packages
Assist with data calls and analysis as required by the Federal government
Prepare executive summaries, talking points, and slide decks for CISO/CIO briefings
Maintain documentation in Microsoft Teams, SharePoint, and other shared platforms
Develop and update training materials and PowerPoint presentations on inventory processes
Perform other duties as assigned by the Government
Ability to work efficiently and effectively in a dynamic and fast-paced environment

Qualification

NIST 800-37, NIST 800-53, POA&M Management, Cybersecurity Policies, GRC Tools, CISSP, CISM, CISA, CAP, CISSO, CEH, Risk Management Framework, Analytical Skills, Client Engagement, Communication Skills, Organizational Skills, Problem-Solving Skills

Required

5 years of related experience with Bachelor's degree or 8 years of overall related experience in a relevant field
5 years of experience with NIST 800-37; experience may span a subset, or all, of the steps within the Risk Management Framework
1 year of experience assessing security controls in accordance with NIST 800-53 in, or in support of, the Federal Government, including evaluating and validating security control implementation
3 years of experience as an Information System Security Officer (ISSO) in, or in support of, the Federal government, developing and maintaining comprehensive security documentation in support of the Risk Management Framework, including, but not limited to: System Security Plans (SSPs) (Sections 1 & 2), Contingency Plans (CPs), Contingency Plan Tests (CPTs), Privacy Impact Assessments (PIAs), Privacy Threshold Analyses (PTAs), and Business Impact Assessments (BIAs)
1 year of experience with NIST SP 800-53, 800-37, DHS 4300A/B
3 years of experience documenting POA&Ms and managing the entire POA&M lifecycle, from open to closure
3 years of experience executing continuous monitoring activities, including those supporting vulnerability management and configuration management
3 years of experience with government GRC tools such as Archer, IACS, CSAM, etc.
2 years of experience managing an enterprise's Inventory of information technology systems (or FISMA Systems)
Must have one of the following certifications: CISSP, CISM, CISA, CAP, C|ISSO, CEH
Must have an Active Secret clearance prior to start date

Preferred

2 years of experience assessing security controls in accordance with NIST 800-53 in, or in support of, the Federal Government, including evaluating and validating security control implementation
5 years of experience as an Information System Security Officer (ISSO) in, or in support of, the Federal government, developing and maintaining comprehensive security documentation in support of the Risk Management Framework, including, but not limited to: System Security Plans (SSPs) (Sections 1 & 2), Contingency Plans (CPs), Contingency Plan Tests (CPTs), Privacy Impact Assessments (PIAs), Privacy Threshold Analyses (PTAs), and Business Impact Assessments (BIAs)
Ability to schedule and lead meetings, including Working Groups and formal Governance Groups, with a diverse group of government and contractor stakeholders at various levels within the organization, including developing and maintaining agendas, meeting notes, and meeting records, and maintaining a repository of all meeting records
Ability to communicate clearly and effectively via written and verbal communication in both formal and informal situations
Ability to adapt to frequent changes in priorities, follow project schedules, meet established deadlines, and proactively communicate risks and issues to the Contractor PM and/or Federal Leads
Possess good listening skills and the ability to detect explicit and implicit needs and wants of the client
Demonstrated ability to exercise good judgment, prioritize multiple tasks, and problem solve under pressure of deadlines and resource constraints
Possess strong analytical and critical thinking skills with the ability to apply them to the client/contract workspace
Excellent organizational skills and attention to detail
Strong analytical, critical thinking, and problem-solving skills
Must have previous client-engagement experience
DHS HQ or Component-level experience

Benefits

Health, dental and vision insurance
401(k)
Flexible spending account
Paid leave (including PTO and parental leave)

Company

Solutions By Design II, LLC (now Evolver Federal)

Our team members are now fully integrated into Evolver as part of the Evolver Federal team.

Funding

Current Stage
Growth Stage
Total Funding
unknown
2023-08-16 Acquired
Company data provided by crunchbase