Security RMF Audit Analyst

Role: Security RMF Audit Analyst

POP: 12+ Months Contract

Location: Remote

SCOPE:

The Sr. Security RMF Audit Analyst will lead audit preparation and execution, support continuous RMF lifecycle activities, and oversee compliance with federal cybersecurity requirements across on-premises, virtual, and cloud-hosted systems.

REQUIRED SKILLS:

• Bachelor s or Associate's degree in Computer Science, Math, Information Technology, Engineering, or related field. Two (2) years of directly relevant experience may substitute for one (1) year of formal education.
• CompTIA Security+ required
• Minimum of five (5) years of experience in Information security with auditing and IT controls design experience.
• Minimum of five (5) years of experience with Security Information and Event Management (SIEM).
• Minimum of five (5) years of experience in the risk management framework.
• Hands-on experience with Active Directory, Windows/UNIX systems, and relational databases in secure environments.
• Advanced knowledge of NIST RMF, NIST SP 800-37, 800-53, DHS 4300A, and FISMA compliance.
• Experience preparing and maintaining RMF ATO documentation and conducting system assessments.
• Familiarity with Security Information and Event Management (SIEM) platforms for log analysis and incident monitoring.
• Proficient in evaluating and documenting security configurations and technical implementations for federal systems.
• Strong understanding of cybersecurity audit workflows, control testing, and risk-based prioritization of vulnerabilities.
• Excellent writing and communication skills, capable of producing technical documentation and executive summaries.
• Experience in Agile or DevSecOps environments, with a strong understanding of security integration within CI/CD pipelines.

PREFERRED SKILLS:

• Previous support of federal government enterprise systems or DHS/DOD programs is strongly preferred.
• Additional certifications (Network+, AWS Certified Cloud Practitioner, Microsoft Azure Fundamentals, Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), ITIL Foundation, TOGAF, or other cybersecurity architecture certifications) are a plus.

TASKS

• Oversee the Risk Management Framework (RMF) lifecycle, including assessment, authorization, and continuous monitoring across all ALC-ISD systems.
• Lead and coordinate internal and external cybersecurity audits, including pre-audit readiness assessments and post-audit remediation tracking.
• Validate the implementation of security controls (NIST SP 800-53 Rev. 5) and ensure they are effectively documented within System Security Plans (SSPs), Security Assessment Reports (SARs), and related artifacts.
• Design and implement vulnerability management strategies, assess threat vectors, and develop comprehensive Plans of Action and Milestones (POA&Ms).
• Analyze cyber risks and provide guidance on remediation strategies aligned with DHS policy and evolving cybersecurity threats.
• Perform and document risk assessments, penetration testing coordination, and impact analyses to evaluate the security posture of information systems.
• Collaborate with Security Control Assessors (SCAs), engineers, ISSOs, and DevSecOps teams to ensure audit alignment with enterprise system modernization efforts.
• Manage and maintain audit packages, compliance dashboards, and evidence repositories using platforms like Jira, Confluence, and SharePoint.
• Assess and validate configurations of infrastructure (e.g., Windows, Linux, databases, Active Directory) for compliance with security benchmarks (e.g., DISA STIGs, CIS).
• Draft and update security-related documentation including SOPs, incident response plans, and security test procedures.
• Serve as a subject matter expert to stakeholders on RMF best practices, ATO sustainment, and security documentation management.
• All other duties as assigned by management.