Risk Management Framework (RMF) Analyst – TS/SCI Clearance | Norfolk, VA

Job in Norfolk, Virginia, 23500, USA
Listing for: Cambridge International
Full Time position
Listed on 2025-11-19
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer, Information Security, IT Consultant
Salary/Wage Range or Industry Benchmark: 80000 - 120000 USD Yearly
Job Description & How to Apply Below
Position: Risk Management Framework (RMF) Analyst – TS/SCI Clearance | Norfolk, VA

Risk Management Framework (RMF) Analyst – Top Secret Clearance | Norfolk, VA

Cambridge International Systems, Inc.

Join a dynamic global team united by shared values: commitment, integrity, and perseverance. At Cambridge, you’ll work alongside top talent worldwide, tackling some of today’s most complex and critical challenges in defense and security.

We are currently seeking a Risk Management Framework (RMF) Analyst to support operations in Norfolk, VA. This is a full-time position requiring an active DoD TS clearance.

This position is contingent upon contract award with an expected award date of January 2026.

What You’ll Do
  • Design and maintain enterprise and systems security throughout the development lifecycle in alignment with DoD and DoN RMF guidance.
  • Conduct assessments of management, operational, and technical security controls to evaluate system compliance and risk posture.
  • Maintain and update RMF and A&A documentation across the OPTEVFOR Cyber OT&E mission, including revisions in eMASS and DADMS.
  • Create, validate, and revise cybersecurity SOPs, system security plans (SSPs), contingency plans, and privacy impact assessments.
  • Review and maintain inventories of authorized software, GFE, ports, protocols, and circuit registrations (GIAP/SNAP).
  • Execute annual RMF reviews and STIG validations on systems, identifying and recommending corrective actions for non-compliance.
  • Support configuration audits, vulnerability scans, POA&Ms, SARs, test plans, and documentation of RMF lifecycle artifacts.
  • Lead semi‑annual tabletop exercises and review business impact analysis and disaster recovery plans for compliance.
  • Serve on the Configuration Control Board (CCB), ensuring approved changes are reflected in security documentation.
  • Provide technical reports on system scan results, cybersecurity compliance, and configuration management.
  • Advise stakeholders on risk management, ATO strategy, and secure architecture to meet mission requirements.
What You’ll Bring

Required Qualifications

  • Minimum 5 years of experience designing enterprise/system security throughout the development lifecycle.
  • Minimum 3 years conducting assessments of security controls and authoring RMF documentation.
  • Minimum 3 years of experience supporting RMF certification and accreditation efforts for DoD/DON systems.
  • Familiarity with eMASS, DADMS, GIAP, STIGs, and the DoDI 8510 series.
  • Strong working knowledge of NIST SP 800‑series, DoD cybersecurity policies, and A&A lifecycle artifacts.
  • Must have a current and active DoD TS security clearance with the ability to obtain a SCI clearance.
  • Proficient with modern IT tools and infrastructure technologies.

Preferred (Nice to Have)

  • Experience supporting OT&E environments, including cyber test toolset and infrastructure validation.
  • Knowledge of network architecture, PKI, firewall and encryption methods, and multilevel/cross‑domain security solutions.
  • Ability to translate technical requirements into secure designs that meet mission and compliance objectives.
  • Knowledge of PII data security, program protection planning, and enterprise security architecture frameworks.
  • Proficiency in system hardening, vulnerability remediation, and documentation for RMF artifacts.
  • Experience conducting security audits, contingency plan tests, and cloud‑based system evaluations.
Travel & Passport
  • Some overnight stays possible.
Work Environment
  • Compliance with vaccination and medical requirements for TDY/OCONUS roles as per Vaccine Recommendations by AOR | Health.mil.
  • Primarily an office‑based role in…