Risk Management Framework Subject Matter Expert

Job in Virginia, St. Louis County, Minnesota, 55792, USA
Listing for: Apavo
Full Time position
Listed on 2026-06-06
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 60000 - 80000 USD Yearly
Job Description & How to Apply Below

Overview

Risk Management Framework (RMF) Subject Matter Expert position located in the DMV Area (client site based on program needs) within the Cyber Security Services Department. The role supports cybersecurity and compliance efforts across multiple DoD and Intelligence Community customer environments, combining ISSO, ISSM, and Security Control Assessor responsibilities in accordance with NIST SP 800-37 Rev. 2.

Responsibilities
  • Support RMF activities across all six RMF steps: Categorize, Select, Implement, Assess, Authorize, and Monitor.
  • Develop, review, and maintain RMF documentation including SSPs, SARs, SAPs, RARs, POA&M, contingency plans, and authorization packages.
  • Support security control selection, tailoring, implementation, and assessment activities aligned to NIST SP 800-53 Rev. 5.
  • Conduct or support independent security control assessments and validation activities.
  • Perform ISSO operational security responsibilities including account reviews, audit reviews, vulnerability tracking, configuration management coordination, and continuous monitoring activities.
  • Utilize eMASS, Xacta, or equivalent GRC/A&A platforms to manage RMF activities and system artifacts.
  • Interpret and analyze STIG findings, SCAP scans, ACAS results, and vulnerability assessment data to support remediation efforts.
  • Develop and track POA&M and coordinate remediation activities with technical and program teams.
  • Support ongoing continuous monitoring strategies, reporting, and compliance reviews.
  • Provide cybersecurity guidance to system owners, engineers, and leadership regarding RMF compliance and risk posture.
  • Ensure cybersecurity documentation and processes align with DoD RMF requirements, DoDI 8510.01, ICD 503, CNSSI 1253, and applicable customer guidance.
  • Support cloud and hybrid environments as applicable, including AWS and Azure-based systems.
  • Assist with executive-level briefings, risk discussions, and authorization recommendations.

Qualifications
  • Strong working knowledge of NIST SP 800-37 Rev. 2 and NIST SP 800-53 Rev. 5.
  • Experience supporting DoD RMF and/or Intelligence Community RMF frameworks including ICD 503 and CNSSI 1253.
  • Hands‑on experience with eMASS, Xacta, or equivalent GRC/A&A platforms.
  • Experience developing and reviewing RMF artifacts and ATO packages.
  • Familiarity with STIGs, SCAP, ACAS, vulnerability management, and remediation processes.
  • Understanding of continuous monitoring strategies and compliance reporting.
  • Strong analytical, communication, and documentation skills.
  • Ability to collaborate effectively with technical teams, security leadership, and government stakeholders.
  • Experience supporting cloud‑based environments and security authorizations is preferred.
  • Bachelor’s Degree in Cybersecurity, Information Technology, Computer Science, or related technical discipline preferred.
  • Active TS/SCI clearance required. Candidates must be eligible for CI Polygraph processing or willing to obtain one if required.
  • Must possess a DoD 8570/8140 IAM Level II or IAT Level III compliant certification such as CISSP, CISM, CASP+, or equivalent.
  • Preferred certifications include CAP/CGRC, CCSP, or other RMF/GRC‑focused certifications.

Experience Levels
  • Mid‑Level: 5–8 years of RMF, ISSO, SCA, or cybersecurity compliance experience.
  • Senior‑Level: 8–12 years of progressively responsible RMF and cybersecurity experience.
  • Principal‑Level: 12+ years of experience, including prior leadership experience as an ISSM, ISSO Lead, SCA Lead, or equivalent cybersecurity management role.

Equal Opportunity Employment

Apavo Corporation provides equal employment opportunities to all applicants and employees and strictly prohibits any type of harassment or discrimination with regard to race, religion, age, color, sex, disability status, national origin, genetics, sexual orientation, protected veteran status, gender expression, gender identity, or any other characteristic protected under federal, state, and/or local laws.

Consistent with the Americans with Disabilities Act (ADA), Apavo provides reasonable accommodation when requested by a qualified applicant or employee with a disability, unless such accommodation would cause an undue hardship. The policy regarding requests for reasonable accommodation applies to all aspects of employment, including the application process.

Employment with Apavo Corporation is on an at‑will basis, meaning either you or the Company can terminate the employment relationship, at any time, for any or no reason, and with or without cause or notice.
