Security Control Assessor

Tyto Athene, LLC

$75K — $95K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree with 4+ years in IT, including 2+ years in cybersecurity or GRC activities within NIST RMF lifecycle.
  • Thorough knowledge of FISMA and NIST RMF processes.
  • Familiarity with NIST SP 800-53 Rev. 5, 800-53A Rev. 5, and 800-137.
  • Experience in assessing security controls for technical, operational, and management safeguards.
  • Strong analytical skills with attention to detail and the ability to communicate risk effectively.
  • Excellent technical writing skills for developing assessment reports.
  • Ability to balance security requirements with operational objectives.

Responsibilities

  • Conduct system security assessments supporting RMF steps 4 (assess), 5 (authorize), and 6 (monitor), including annual assessments.
  • Produce high-quality, system-specific security assessment deliverables.
  • Develop and execute security and privacy assessment plans for projects.
  • Maintain test cases for security assessment.
  • Perform control-requirement level security testing for various system components.
  • Review technical reports from security vulnerability and compliance tools.
  • Analyze security tool reports to gauge residual risks and assign findings.

Benefits

  • Health/Dental/Vision insurance
  • 401(k) matching
  • Flexible Time Off
  • Short-term and Long-term Disability and Life Insurance
  • Referral Bonuses
  • Professional development reimbursement
  • Maternity/Paternity leave
Full Job Description
Description

Tyto Athene is seeking a Security Control Assessor (SCA) to support a federal customer in Washington, DC. The successful candidate will evaluate information systems to ensure compliance with FISMA, NIST, and agency security requirements by conducting thorough security control assessments, documenting objective evidence, and communicating risk in a clear and actionable manner.

The ideal candidate is a detail-oriented cybersecurity professional with exceptional analytical, organizational, and interpersonal skills who can collaborate effectively with technical teams, system owners, and stakeholders while maintaining the highest standards of quality, accuracy, and professionalism throughout the assessment process.

Responsibilities:
  • Support RMF Step 4 (Assess), Step 5 (Authorize), and Step 6 (Monitor): conducting system security assessments, supporting the system's authorization to operate (ATO) process, and conducting annual assessments, respectively
  • Produce quality security assessment deliverables, ensuring the content of each deliverable is specific to the subject systems, complete, and accurate
  • Develop and execute a security and privacy assessment plan for each security assessment project
  • Create and maintain test cases for security assessment testing
  • Perform security testing at the control-requirement level for each unique component of each system (e.g., application, web application server, financial system, database server/instance, operating system, specialized appliance, network and infrastructure device, and end-user device such as mobile phones and laptops)
  • Conduct technical content review and analysis of technical reports from security vulnerability scan, penetration test, and configuration compliance scan tools with respect to the subject system's context and environment in order to analyze the findings accurately and completely
  • Analyze security tool reports and determine residual risk or false positives from technical reports and artifacts before assigning findings
  • Document and provide findings and recommendations that are concise, system-specific, and actionable
  • Perform and document client- and system-specific risk analysis for each finding identified during each assessment in accordance with NIST SP 800-30, the client's risk appetite, and the client's security policies. The results of this risk analysis are documented in the Security Assessment Report (SAR) for each assessed FISMA system, and a summary of the assessment results and residual risk is provided in the respective Assessment/Authorization Briefing.


Qualifications

Required:
  • Bachelor's degree and at least four (4) years of total IT experience, including at least two (2) years supporting cybersecurity, information assurance, or Governance, Risk, and Compliance (GRC) activities within the NIST Risk Management Framework (RMF) lifecycle.
    • High school diploma with 8 years of experience in Functional Responsibility area may be substituted for a Bachelor's Degree
    • PMP, ISO 27001, or CISM certifications equate to 3 years of experience in Functional Responsibility each
    • ITIL, CISSP, or other relevant IT management certifications equate to 2 years of general experience each
  • Thorough knowledge of the Federal Information Security Modernization Act (FISMA), NIST Risk Management Framework (RMF), and Security Assessment and Authorization (SA&A) processes.
  • Demonstrated knowledge of NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, and NIST SP 800-137.
  • Experience assessing security controls and evaluating the effectiveness of technical, operational, and management safeguards.
  • Ability to assess the severity of identified weaknesses and deficiencies, communicate risk effectively, and recommend appropriate corrective actions.
  • Strong critical thinking, analytical, and problem-solving skills with exceptional attention to detail.
  • Ability to balance security requirements with operational and mission objectives.
  • Excellent technical writing skills, including experience developing assessment reports and documenting security findings.
  • Strong verbal communication and interpersonal skills with the ability to collaborate effectively with technical teams, system owners, and stakeholders.

Desired:
  • Certified Authorization Professional (CAP), now offered by ISC2 as Certified in Governance, Risk and Compliance (CGRC)
  • Certified in Risk and Information Systems Control (CRISC)
  • Experience with GRC tools such as ServiceNow, CSAM (Cyber Security Assessment and Management), etc.

Clearance: US Citizen with Public Trust eligibility required

Location: On-site in DC, minimal remote flexibility

Compensation:
  • Compensation is unique to each candidate and relative to the skills and experience they bring to the position. Salary for this role is between $75-95K. This does not guarantee a specific salary as compensation is based upon multiple factors such as education, experience, certifications, and other requirements, and may fall outside of the above-stated range.

Benefits:
  • Highlights of our benefits include Health/Dental/Vision, 401(k) match, Flexible Time Off, STD/LTD/Life Insurance, Referral Bonuses, professional development reimbursement, and maternity/paternity leave.
