Cybersecurity Risk Management Analyst - Springfield - Evolver Federal

    Evolver Federal
    Evolver Federal Springfield

    1 week ago

    Description

    Evolver Federal is seeking a Cybersecurity Risk Management Analyst to support its Federal client in Springfield, VA in managing all aspects of cybersecurity risk and compliance including, but not limited to: maintaining an accurate FISMA Inventory, managing the government's Common Control Program, maintaining the client's Cybersecurity policies, procedures, guidance, and related templates, assisting with oversight of the government's Ongoing Authorization Program and POA&M Management processes, and developing various compliance reports relating to all areas of risk and compliance.
    The successful candidate will have previous experience as an ISSO with in-depth working knowledge of NIST Risk Management Framework (RMF) and NIST Rev 5, as well as previous experience managing POA&Ms across an enterprise portfolio and experience developing and maintaining cybersecurity policies and procedures.
    Responsibilities

    • Apply knowledge of NIST security controls and recommend appropriate allocation to support an enterprise-wide common controls program. Advise the government client on which controls are appropriate as common controls and relevant to be inherited by all or a subset of systems in the enterprise portfolio. Also advise on system-level controls, and review/validate control inheritance.
    • Review Control Implementation Statements to ensure proper implementation in alignment with NIST
    • Develop, maintain, and make recommendations for enhancing Cybersecurity Policies,
    • Develop FISMA Metrics and Asset Management reports in compliance with requirements outlined in DHS 4300A/B.
    • Monitor and manage FISMA Inventory and system designations (e.g., CFO, High Value Assets (HVA), Mission Essential Systems (MES), Personally Identifiable Information (PII)).
    • Maintain and update the FISMA System Inventory Methodology and related SOPs.
    • Provide recommendations in support of system boundary consolidation and integration of tools/databases.
    • Communicate clearly with system owners, developers, and executive leadership on various cybersecurity, risk and compliance topics.
    • Coordinate, schedule, develop agendas, and facilitate meetings with all levels of government and contractor stakeholders.
    • Assist in providing support to the client in oversight of Common Control Providers across the Department.
    • Ensure testing of common controls aligns with the Risk Management Framework (RMF) and DHS 4300 policy.
    • Conduct annual reviews of Common Control Providers and Programs.
    • Maintain the Common Control Implementation Guide, Methodology, and training materials.
    • Deliver formal Department-wide Common Controls compliance training.
    • Recommend updates to DHS 4300 policies, attachments, memos, and cybersecurity directives.
    • Provide policy recommendations for Security Authorization, POA&Ms, Ongoing Authorization, and Document Review.
    • Maintain and update SA Guides, DR methodologies, checklists, and templates (e.g., FIPS199, SAR, SAP, RA, CM, CP, BIA).
    • Develop and manage RMF-related processes, procedures, and documentation templates.
    • Conduct gap analyses and recommend improvements to streamline, automate, and standardize cybersecurity processes across the enterprise.
    • Identify and recommend improvements to streamline Security Authorization processes (e.g., ATO, Ongoing Authorization, FedRAMP, Reciprocity).
    • Provide recommendations to standardize the Security Authorization and Risk Management programs using an agile, value-driven model.
    • Perform document reviews for all security documentation in support of initial authorization, reauthorization, and ongoing Security Authorization packages, as well as compile and prepare the authorization package.
    • Assist with data calls and analysis as required by the Federal government.
    • Prepare executive summaries, talking points, and slide decks for CISO/CIO briefings.
    • Maintain documentation in Microsoft Teams, SharePoint, and other shared platforms.
    • Develop and update training materials and PowerPoint presentations on inventory processes.
    • Perform other duties as assigned by the Government.
    • Ability to work efficiently and effectively in a dynamic and fast-paced environment.
    Basic Qualifications
    • 5 years of related experience with Bachelor's degree or 8 years of overall related experience in a relevant field
    • 5 years of experience with NIST 800-37, experience that can span across a subset, or all, of the steps within the Risk Management Framework.
    • 1 year of experience assessing security controls in accordance with NIST in, or in support of, the Federal Government, to include evaluating and validating security control implementation.
    • 3 years of experience as an Information System Security Officer (ISSO) in, or in support of, the Federal government, developing and maintaining comprehensive security documentation in support of the Risk Management Framework, including, but not limited to: System Security Plans (SSPs) (Sections 1 & 2), Contingency Plans (CPs), Contingency Plan Tests (CPTs), Privacy Impact Assessments (PIAs), Privacy Threshold Analyses (PTAs), and Business Impact Assessments (BIAs).
    • 1 year of experience with NIST SP 800-53, 800-37, DHS 4300A/B
    • 3 years of experience documenting POA&Ms and managing the entire POA&M lifecycle, from open to closure.
    • 3 years of experience executing continuous monitoring activities, including those supporting vulnerability management and configuration management.
    • 3 years of experience with government GRC tools such as Archer, IACS, CSAM, etc.
    • 2 years of experience managing an enterprise's Inventory of information technology systems (or FISMA Systems).
    • Must have one of the following certifications: CISSP, CISM, CISA, CAP, C|ISSO, CEH
    • Must have an Active Secret clearance prior to start date
    Preferred Qualifications
    • 2 years of experience assessing security controls in accordance with NIST in, or in support of, the Federal Government, to include evaluating and validating security control implementation.
    • 5 years of experience as an Information System Security Officer (ISSO) in, or in support of, the Federal government, developing and maintaining comprehensive security documentation in support of the Risk Management Framework, including, but not limited to: System Security Plans (SSPs) (Sections 1 & 2), Contingency Plans (CPs), Contingency Plan Tests (CPTs), Privacy Impact Assessments (PIAs), Privacy Threshold Analyses (PTAs), and Business Impact Assessments (BIAs).
    • Ability to schedule and lead meetings, including Working Groups and formal Governance Groups, with a diverse group of government and contractor stakeholders at various levels within the organization, including developing and maintaining agendas, meeting notes, and meeting records, including maintaining a repository of all meeting records.
    • Ability to communicate clearly and effectively via written and verbal communication in both formal and informal situations.
    • Ability to adapt to frequent changes in priorities, follow project schedules, meet established deadlines, and proactively communicate risks and issues to the Contractor PM and/or Federal Leads.
    • Possess good listening skills and the ability to detect explicit and implicit needs and wants of the client.
    • Demonstrated ability to exercise good judgment, prioritize multiple tasks, and problem solve under pressure of deadlines and resource constraints
    • Possess strong analytical and critical thinking skills with the ability to apply them to the client/contract workspace.
    • Excellent organizational skills and attention to detail.
    • Strong analytical, critical thinking, and problem-solving skills.
    • Must have previous client-engagement experience.
    • DHS HQ or Component-level experience
    Evolver Federal is an equal opportunity employer and welcomes all job seekers. It is the policy of Evolver Federal not to discriminate based on race, color, ancestry, religion, gender, age, national origin, gender identity or expression, sexual orientation, genetic factors, pregnancy, physical or mental disability, military/veteran status, or any other factor protected by law.
