
This job has expired

Computer Systems Security Analyst (Info Sys Sec Officer)

Employer: Omm IT Solutions
Location: Baltimore, MD
Closing date: Jan 27, 2021
Description of Work

Perform risk analysis for supporting customer requirements. Assess information systems for compliance with the NIST RMF and the associated security controls. Review current security assessment and authorization processes and provide recommendations for improvement. Conduct Security Impact Analysis as per NIST 800-128 guidance. Support the Risk Management Branch by implementing appropriate methods to evaluate risk levels associated with improperly implemented security controls, characterizing aggregate levels of risk to include recommendations to fix, mitigate, or accept the risk. Conduct system security categorizations, security control assessments, and risk assessments, and provide recommendations to enhance the security posture of the information system. Draft agency-specific security control assessment (SCA) guidance, procedures, and templates to allow thorough and accurate control assessments, risk analysis, and final documentation in the Security Assessment Report (SAR). Analyze Interconnection Security Agreements for compliance with NIST 800-47. Develop Security Risk Assessment Reports (SRA, RAR). Provide guidance on control requirements and agency implementation.

Requirements

Basic Qualifications: Minimum knowledge, skills, abilities needed.

Bachelor's degree and 7 years of experience, Master's degree and 5 years of experience, or 11 years of experience in lieu of a degree

Minimum of 4 years of experience in cybersecurity documentation and system authorization artifacts (System Security Plan, lifecycle documentation, continuous monitoring plan, Security Assessment Plan, Security Assessment Report, Risk Assessment, etc.)

CompTIA Security+

Minimum of 3 years of experience and working knowledge of
  o NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
  o NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
  o NIST SP 800-30 Guide for Conducting Risk Assessments
  o NIST SP 800-39 Managing Information Security Risk

Minimum of 3 years of experience with
  o FedRAMP Cloud security
  o Federal regulatory bodies such as the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), Federal Information Security Management Act of 2002 (FISMA), Federal Risk and Authorization Management Program (FedRAMP) and the Health Insurance Portability and Accountability Act (HIPAA).

Minimum of 3 years of experience with
  o Reviewing, analyzing, and documenting the secure implementation of logical controls, physical controls, environmental controls, personnel security and incident handling
  o Conducting Security Control Assessments
  o Interpreting security architecture diagrams independently with the ability to articulate to the team
  o Assessing security requests, gathering requirements and communicating with customers, subject matter experts and various agency stakeholders

Minimum of 1 year of experience with
  o Agile and SDLC processes
  o Conducting security control assessments (i.e., Security Impact Analysis) independently

Must be or US Permanent Resident ( holder)

Must be able to obtain and maintain a US Public Trust clearance

Preferred Qualifications: Candidates with these skills/experience will be given preferential consideration.

CISSP certification

Ability to work independently to determine and develop a risk assessment approach to proposed new agency solutions, only needing review upon completion for adequacy in meeting objectives

Ability to interpret and provide consulting on the development of security guidance and complex system security requirements, and to serve as an RMF SME at key stakeholder meetings

Critical thinking/analytical skills, creativity, proven drive for quality, and excellent technical oral and written communication skills

Migrating systems from on-prem to cloud

Strong organizational skills and an ability to stay focused while managing multiple tasks concurrently

Proficient knowledge and experience with Microsoft Office products, including Word, PowerPoint, Excel, and SharePoint

Prior experience supporting government agencies is a plus

Understanding of federal government business processes supporting IT programs, networks, and/or cybersecurity programs
