FISMA Security Engineer

Posted on 04 December 25 by Michael Dunlop


Job Description

Role Summary
This position involves both security engineering and governance, risk, and compliance (GRC) activities, primarily centered around the Federal Information Security Modernization Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). The ideal candidate will bridge the gap between technical security controls and federal compliance requirements.
Key Responsibilities

  1. FISMA/NIST Compliance & Documentation
  • Implement and Monitor Controls: Implement, document, and monitor security controls in accordance with NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).
  • System Security Plan (SSP) Management: Assist in the development, maintenance, and update of System Security Plans (SSPs), including continuous monitoring strategies and Plans of Action and Milestones (POA&Ms).
  • Assessment & Authorization (A&A) Support: Support the Authorization process, including contributing to security assessments, control validation, and evidence gathering to achieve and maintain an Authority to Operate (ATO).
  • Policy & Procedure: Contribute to the development and refinement of security policies, standards, and procedures to align with FISMA and other applicable federal regulations.
  2. Security Engineering & Operations
  • Control Implementation: Consult on the configuration and management of security tools and systems (e.g., SIEM, vulnerability scanners, intrusion detection/prevention systems) to effectively enforce NIST 800-53 controls.
  • Vulnerability Management: Analyze results, prioritize remediation efforts based on risk to the system's security categorization (e.g., FIPS 199), and track POA&M completion.
  • Incident Response: Participate in security incident response planning and testing activities, ensuring all incidents are documented and handled in compliance with federal reporting requirements.
  • Change Management: Review system and network change requests to ensure security implications are addressed and maintain the security posture of authorized systems.
  3. Auditing & Reporting
  • Internal & External Audits: Coordinate and support internal and external security audits (e.g., Office of Inspector General (OIG), independent assessors).
  • Continuous Monitoring: Establish and maintain processes for continuous monitoring to ensure the ongoing effectiveness of security controls and timely reporting of security status to management.
  • Reporting: Generate reports on security control compliance, vulnerability posture, and POA&M status for stakeholders and the Authorizing Official (AO).

Experience: 3–5 years of progressive experience in Federal IT security, with at least 2 years focusing on federal compliance (FISMA, NIST RMF).
Education: Bachelor’s degree in Computer Science, Information Technology, or a related field, or equivalent experience.
Certifications: Relevant Cybersecurity certifications

Job Information


Our Reference

JOB-22155

Job Location