cFocus Software seeks a Security Control Assessor to join our program supporting the Department of Health and Human Services (HHS). This position is remote. This position requires the ability to obtain a Public Trust clearance.
Qualifications:
- Bachelor's degree in Cybersecurity, Information Technology, or a related field.
- Minimum 7 to 10 years of experience performing federal RMF and Security Control Assessments.
- Expert knowledge of NIST SP 800-37, NIST SP 800-53, and NIST SP 800-53A.
- Demonstrated experience leading SCAs and producing SARs for FISMA systems.
- Experience with FedRAMP assessments and cloud security evaluations.
- Hands-on experience with eGRC platforms such as RSA Archer.
- Strong written and verbal communication skills.
- CISSP, CISA, GSNA, CRISC, or equivalent cybersecurity certification preferred.
- Certified Authorization Professional (CAP) preferred.
Duties:
- Lead and manage Security Control Assessments (SCAs) for HRSA systems, programs, and components in accordance with the RMF lifecycle.
- Develop, review, and approve Security Control Assessment Plans (SCAPs) defining assessment scope, methodology, sampling strategies, schedules, and resource needs.
- Coordinate and conduct assessment kickoff meetings, interviews, and out-briefs with System Owners, ISSOs, administrators, and stakeholders.
- Develop and tailor Assessment Test Plans (ATPs) and test procedures aligned to NIST SP 800-53A assessment methods (examine, interview, test).
- Assess management, operational, technical, and privacy controls to determine whether controls are implemented correctly, operating as intended, and producing the desired outcomes.
- Validate control inheritance from FedRAMP-authorized systems, common control providers, and shared services, including review of Customer Responsibility Matrices (CRMs) and System Security Plan (SSP) documentation.
- Perform risk analysis using qualitative and quantitative methods, including CVSS scoring, likelihood and impact analysis, and alignment with organizational risk tolerance.
- Produce comprehensive Security Assessment Reports (SARs) documenting testing results, findings, risk ratings, and remediation recommendations.
- Ensure findings are accurately entered into the HRSA eGRC tool and properly mapped to POA&Ms with supporting evidence.
- Verify remediation actions and validate closure evidence for resolved findings.
- Maintain assessment cadence in accordance with the HRSA SCA Process SOP and defined timelines.
- Utilize automation technologies, including OSCAL, AI-assisted assessment tools, automated evidence collection, and continuous control monitoring solutions.
- Conduct cloud and FedRAMP-specific assessments, including shared responsibility model validation and CSP security posture review.
- Assess systems against Zero Trust Architecture maturity models and emerging technology risks, including AI, IoT, and cloud-native services.
Required Experience:
Senior IC