Security Assessment and Authorization Analyst, Associate

Job in Baltimore, Anne Arundel County, Maryland, 21276, USA
Listing for: Hirebridge
Full Time position
Listed on 2025-12-31
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Location: Baltimore, MD ( 5 Days Onsite - Bayview Area)

Position Title: Security Assessment and Authorization Analyst, Associate

Clearance: Public Trust

Job Overview

The Security Assessment and Authorization Analyst, Associate will provide technical Security Assessment and Authorization (SA&A) support for biomedical research and enterprise IT systems supporting the NIH Client. This role blends policy-driven RMF compliance with hands‑on technical security review, continuous monitoring, and system risk analysis. Working under the direction of the Federal Lead / Information System Security Officer (ISSO), the specialist will support system authorization activities, vulnerability management, configuration compliance, privacy assessments, and incident response coordination in accordance with FISMA, NIST, HHS, NIH, and FedRAMP requirements.

The role requires close collaboration with system owners, infrastructure teams, application teams, and the Client SA&A team.

Key Responsibilities

Technical SA&A & RMF Implementation
  • Execute Risk Management Framework (RMF) activities aligned with NIST SP 800-37, including system categorization, control selection, implementation review, assessment support, authorization, and continuous monitoring.
  • Develop, update, and maintain System Security Plans (SSPs) aligned with NIST SP 800-18, documenting system architecture, data flows, boundary definitions, and control implementations.
  • Support system ATO and re‑authorization cycles, including package development and remediation tracking.
  • Maintain and update SA&A artifacts within NIH Security Assessment Tool (NSAT).
  • Review SA&A documentation with the goal of preparing for, and successfully mediating, any audits (e.g., IG and GAO).
  • Maintain the GSS system inventory, the Security Program, and any additional artifacts.
  • Conduct annual/periodic disaster recovery tabletop tests, application contingency tabletop tests, and critical-process testing, and update the Client Disaster Recovery Plan as necessary.
Security Controls & Technical Documentation
  • Provide technical guidance and validation for NIST SP 800-53 security and privacy controls, including management, operational, and technical controls.
  • Support FIPS 199 / FIPS 200 security categorization and baseline selection for systems and applications.
  • Review and validate Security Assessment Reports (SAR) and translate findings into actionable remediation steps.
  • Develop and maintain Plans of Action and Milestones (POA&M), ensuring timely mitigation of high and medium risks in accordance with NIH timelines.
Vulnerability and Configuration Management
  • Review and analyze vulnerability scan results from SCAP‑compliant tools covering operating systems, databases, web applications, and network devices.
  • Validate compliance with USGCB, DISA STIGs, CIS Benchmarks, and NIH configuration standards.
  • Support Configuration Management Plans (CMP) and configuration baseline documentation.
  • Work with system owners and infrastructure teams to assess configuration changes for security impact and approval.
Cloud & FedRAMP Support
  • Support SA&A activities for cloud‑based and hybrid systems, including systems operating under FedRAMP‑authorized CSPs.
  • Review FedRAMP security packages (SSP, SAR, POA&M) and map controls to NIH/HHS agency requirements.
  • Assist in identifying gaps between FedRAMP baselines and agency‑specific security requirements.
Privacy & Data Protection
  • Conduct technical reviews for Privacy Threshold Analyses (PTA) and Privacy Impact Assessments (PIA).
  • Evaluate system handling of PII, PHI, and sensitive research data, ensuring compliance with Privacy Act, OMB, and NIH privacy requirements.
  • Support Interconnection Security Agreements (ISA) and Data Use Agreements (DUA).
Incident Response & Contingency Planning
  • Support development and maintenance of Incident and Breach Response Plans (IRP) in alignment with HHS, NIH, and US‑CERT requirements.
  • Assist in incident response activities, including IOC analysis, coordination with CSIRC/IRT teams, and documentation.
  • Develop, test, and update Contingency Plans (CP) and Disaster Recovery Plans (DRP) in accordance with NIST SP 800-34.
  • Participate in and document annual tabletop exercises and…
Position Requirements
10+ years of work experience