Cybersecurity Risk Management Analyst
Listed on 2025-12-27
IT/Tech
Cybersecurity, IT Consultant
Evolver Federal is seeking a Cybersecurity Risk Management Analyst to support its Federal client in Springfield, VA in managing all aspects of cybersecurity risk and compliance including, but not limited to: maintaining an accurate FISMA Inventory, managing the government's Common Control Program, maintaining the client's Cybersecurity policies, procedures, guidance, and related templates, assisting with oversight of the government's Ongoing Authorization Program and POA&M Management processes, and developing various compliance reports relating to all areas of risk and compliance.
The successful candidate will have previous experience as an ISSO with in-depth working knowledge of NIST 800-37 (Risk Management Framework (RMF)) and NIST 800-53 Rev 5, as well as previous experience managing POA&Ms across an enterprise portfolio and experience developing and maintaining cybersecurity policies and procedures.
Responsibilities
- Apply knowledge of NIST 800-53 security controls and recommend appropriate allocation to support an enterprise-wide common controls program. Advise the government client on which controls are appropriate as common controls and relevant to be inherited by all or a subset of systems in the enterprise portfolio. Also advise on system-level controls, and review/validate control inheritance.
- Review Control Implementation Statements to ensure proper implementation in alignment with NIST 800-53.
- Develop, maintain, and make recommendations for enhancing Cybersecurity Policies.
- Develop FISMA Metrics and Asset Management reports in compliance with requirements outlined in DHS 4300A/B.
- Monitor and manage FISMA Inventory and system designations (e.g., CFO, High Value Assets (HVA), Mission Essential Systems (MES), Personally Identifiable Information (PII)).
- Maintain and update the FISMA System Inventory Methodology and related SOPs.
- Provide recommendations in support of system boundary consolidation and integration of tools/databases.
- Communicate clearly with system owners, developers, and executive leadership on various cybersecurity, risk and compliance topics.
- Coordinate, schedule, develop agendas, and facilitate meetings with all levels of government and contractor stakeholders.
- Assist in providing support to the client in oversight of Common Control Providers across the Department.
- Ensure testing of common controls aligns with the Risk Management Framework (RMF) and DHS 4300 policy.
- Conduct annual reviews of Common Control Providers and Programs.
- Maintain the Common Control Implementation Guide, Methodology, and training materials.
- Deliver formal Department-wide Common Controls compliance training.
- Recommend updates to DHS 4300 policies, attachments, memos, and cybersecurity directives.
- Provide policy recommendations for Security Authorization, POA&Ms, Ongoing Authorization, and Document Review.
- Maintain and update SA Guides, DR methodologies, checklists, and templates (e.g., FIPS 199, SAR, SAP, RA, CM, CP, BIA).
- Develop and manage RMF-related processes, procedures, and documentation templates.
- Conduct gap analyses and recommend improvements to streamline, automate, and standardize cybersecurity processes across the enterprise.
- Identify and recommend improvements to streamline Security Authorization processes (e.g., ATO, Ongoing Authorization, FedRAMP, Reciprocity).
- Provide recommendations to standardize the Security Authorization and Risk Management programs using an agile, value-driven model.
- Perform document reviews for all security documentation in support of initial authorization, reauthorization, and ongoing Security Authorization packages, as well as compile and prepare authorization package.
- Assist with data calls and analysis as required by the Federal government.
- Prepare executive summaries, talking points, and slide decks for CISO/CIO briefings.
- Maintain documentation in Microsoft Teams, SharePoint, and other shared platforms.
- Develop and update training materials and PowerPoint presentations on inventory processes.
- Perform other duties as assigned by the Government.
- Ability to work efficiently and effectively in a dynamic and fast-paced environment.
Basic Qualifications
- 5 years of related experience with Bachelor's degree or 8 years of overall related experience in a relevant field
- 5 years of experience with NIST 800-37, experience that can span across a subset, or all, of the steps within the Risk Management Framework.
- 1 year of experience assessing security controls in accordance with NIST 800-53 in, or in support of, the Federal Government, to include evaluating and validating security control implementation.
- 3 years of experience as an Information System Security Officer (ISSO) in, or in support of, the Federal government, developing and maintaining comprehensive security documentation in support of the Risk Management Framework, including, but not limited to: System Security Plans (SSPs) (Sections 1 & 2), Contingency Plans (CPs), Contingency Plan Tests (CPTs), Privacy Impact Assessments (PIAs), and Privacy…