SBA Security Control Assessor


Job Location: Washington, AR - USA

Monthly Salary: Not Disclosed
Posted on: 19 hours ago
Vacancies: 1 Vacancy

Job Summary

Security Control Assessor Job Description

Position Title: Security Control Assessor
Program: SBA Enterprise Cybersecurity Services (ECS)

Position Overview

The Security Control Assessor (SCA) shall provide cybersecurity assessment, authorization, and compliance support services for the U.S. Small Business Administration (SBA) Enterprise Cybersecurity Services (ECS) program.

Key Responsibilities

  • Conduct independent security control assessments in accordance with NIST SP 800-53 Rev. 5 and the NIST SP 800-53A assessment methodology.
  • Evaluate management, operational, and technical security controls for federal information systems and cloud environments.
  • Support the SBA Risk Management Framework (RMF) lifecycle, including assessment, authorization, continuous monitoring, and ongoing authorization activities.
  • Develop and maintain Security Assessment Reports (SARs), Security Assessment Plans (SAPs), Plans of Action and Milestones (POA&Ms), risk findings, and remediation recommendations.
  • Review and validate cybersecurity documentation, including System Security Plans (SSPs), Configuration Management Plans (CMPs), Incident Response Plans, Information System Contingency Plans (ISCPs), and architecture diagrams.
  • Perform vulnerability assessment validation activities and verify remediation efforts for identified weaknesses and deficiencies.
  • Support Information Security Continuous Monitoring (ISCM) activities and ongoing authorization (OA) evaluations.
  • Assess compliance with FISMA, OMB Circular A-130, NIST guidance, FedRAMP requirements, and agency-specific cybersecurity policies.
  • Support audit readiness activities for Inspector General (IG), GAO, FISMA, and internal cybersecurity audits.
  • Assist with High Value Asset (HVA) assessment activities in alignment with CISA and OMB guidance.
  • Coordinate with ISSOs, ISSMs, system owners, and engineering teams to evaluate cybersecurity risks and remediation strategies.
  • Support enterprise vulnerability management and risk reporting activities.
  • Participate in cybersecurity governance meetings, compliance reviews, and technical assessment briefings.
  • Document assessment findings, technical analysis, and recommendations in clear, concise reports suitable for both executive and technical stakeholders.
  • Support development of cybersecurity metrics, dashboards, and compliance reporting artifacts.
  • Ensure all assessment deliverables are peer reviewed, Section 508 compliant, and delivered in accordance with SBA-defined quality standards and timelines.

Required Qualifications

  • Bachelor's degree in Cybersecurity, Information Assurance, Information Technology, Computer Science, Engineering, or a related field.
  • Minimum of six (6) years of experience supporting federal cybersecurity assessment, compliance, RMF, or security authorization activities.
  • Minimum of four (4) years of experience conducting security control assessments, vulnerability assessments, or cybersecurity compliance evaluations.
  • Demonstrated expertise in NIST RMF processes, NIST SP 800-53 Rev. 5, NIST SP 800-53A, and FISMA compliance requirements.
  • Experience developing Security Assessment Reports (SARs), Security Assessment Plans (SAPs), POA&Ms, and related authorization documentation.
  • Experience supporting continuous monitoring, ongoing authorization (OA), and cybersecurity audit activities.
  • Knowledge of FedRAMP security assessment and continuous monitoring requirements.
  • Experience using cybersecurity assessment, vulnerability management, and governance/risk/compliance (GRC) tools.
  • Strong analytical, technical writing, and communication skills.
  • Relevant cybersecurity certifications such as CAP, CISSP, CISA, Security+, CEH, or equivalent preferred.
  • Ability to obtain and maintain a Moderate Risk background investigation, and eligibility for higher-level clearances if required.

Desired Experience

  • Experience supporting civilian federal agencies such as SBA, DHS, or CISA.
  • Experience supporting FedRAMP cloud environments, including Microsoft Azure, AWS, Microsoft 365, and SaaS platforms.
  • Experience supporting enterprise cybersecurity metrics, dashboards, and automated compliance reporting.

Required Experience:

Senior IC


About Company


Our exclusive ATO as a Service™ software and expert services automate FISMA, RMF, and FedRAMP compliance.
