Description
Tyto Athene is seeking a Security Control Assessor (SCA) to support a federal customer in Washington, DC. The successful candidate will evaluate information systems to ensure compliance with FISMA, NIST, and agency security requirements by conducting thorough security control assessments, documenting objective evidence, and communicating risk in a clear and actionable manner.
The ideal candidate is a detail-oriented cybersecurity professional with exceptional analytical, organizational, and interpersonal skills who can collaborate effectively with technical teams, system owners, and stakeholders while maintaining the highest standards of quality, accuracy, and professionalism throughout the assessment process.
Responsibilities:
- Support RMF Step 4 (Assess), Step 5 (Authorize), and Step 6 (Monitor): conducting system security assessments, supporting the system security authorization to operate (ATO) process, and conducting annual assessments, respectively
- Produce quality security assessment deliverables, ensuring the content of each deliverable is specific to the subject systems, complete, and accurate
- Develop and execute a security and privacy assessment plan for each security assessment project
- Create and maintain test cases for security assessment testing
- Perform security testing at the control-requirement level for each unique component of each system (e.g., application, web application server, financial systems, database server/instance, operating systems, specialized appliances, network and infrastructure devices, and end-user devices such as mobile phones and laptops)
- Conduct technical content review and analysis of reports from security vulnerability scan, penetration test, and configuration compliance scan tools in the context of the subject system and its environment, so that findings are analyzed accurately and completely
- Analyze security tool reports and determine residual risk or false positives from technical reports and artifacts before assigning findings
- Document and provide findings and recommendations that are concise, system-specific, and actionable
- Perform and document client and system-specific risk analysis for each finding identified during each assessment in accordance with NIST SP 800-30, the client's risk appetite, and the client's security policies. The results of this risk analysis shall be documented in the Security Assessment Report (SAR) for each assessed FISMA system, and a summary of the assessment results and risk shall be provided in the respective Assessment/Authorization Briefing.
Qualifications
Required:
- Bachelor's degree and at least four (4) years of total IT experience, including at least two (2) years supporting cybersecurity, information assurance, or Governance, Risk, and Compliance (GRC) activities within the NIST Risk Management Framework (RMF) lifecycle.
- A high school diploma with 8 years of experience in the Functional Responsibility area may be substituted for a Bachelor's degree
- PMP, ISO 27001, or CISM certifications each equate to 3 years of experience in the Functional Responsibility area
- ITIL, CISSP, or other relevant IT management certifications each equate to 2 years of general experience
- Thorough knowledge of the Federal Information Security Modernization Act (FISMA), NIST Risk Management Framework (RMF), and Security Assessment and Authorization (SA&A) processes.
- Demonstrated knowledge of NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, and NIST SP 800-137.
- Experience assessing security controls and evaluating the effectiveness of technical, operational, and management safeguards.
- Ability to assess the severity of identified weaknesses and deficiencies, communicate risk effectively, and recommend appropriate corrective actions.
- Strong critical thinking, analytical, and problem-solving skills with exceptional attention to detail.
- Ability to balance security requirements with operational and mission objectives.
- Excellent technical writing skills, including experience developing assessment reports and documenting security findings.
- Strong verbal communication and interpersonal skills with the ability to collaborate effectively with technical teams, system owners, and stakeholders.
Desired:
- Certified Authorization Professional (CAP)
- Certified in Risk and Information Systems Control (CRISC)
- Experience with GRC tools such as ServiceNow, CSAM, etc.
Clearance: US Citizen with Public Trust eligibility required
Location: On-site in DC, minimal remote flexibility
Compensation:
- Compensation is unique to each candidate and relative to the skills and experience they bring to the position. Salary for this role is between $75-95K. This does not guarantee a specific salary, as compensation is based upon multiple factors such as education, experience, certifications, and other requirements, and may fall outside of the above-stated range.
Benefits:
- Highlights of our benefits include Health/Dental/Vision, 401(k) match, Flexible Time Off, STD/LTD/Life Insurance, Referral Bonuses, professional development reimbursement, and maternity/paternity leave.