top of page

Senior Governance Risk and Compliance (GRC) Analyst and Team Lead

Fully Remote. Salary negotiable. Q or TS clearance required

Senior Governance Risk and Compliance (GRC) Analyst and Team Lead

The Senior Governance Risk and Compliance (GRC) Analyst and Team Lead will lead a team of security analysts and engineers to implement regulatory frameworks such as the Federal Information Security Modernization Act (FISMA), the Federal Risk Authorization Management Program (FedRAMP) and the State Risk Authorization Management Program (StateRAMP).

You will leverage GRC tools to develop security authorization package documentation such as the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and the Plan of Actions & Milestones (POA&M) in human readable and machine-readable formats. You will serve as a Subject Matter Expert (SME) at key stakeholder meetings and will develop and maintain client relationships. You will draft security control implementation statements with enough detail to facilitate the testing of the controls and will develop supporting documentation including the Contingency Plan (CP), Incident Response Plan (IRP), and Configuration Management Plan (CMP). As a Senior GRC Analyst your primary responsibility will be to ensure the timely development of the security authorization package in accordance with quality standards. You will be expected to lead multiple teams and will work on up to 2 packages at a time.

Responsibilities:

Categorize systems in accordance with Federal Information Processing Standards (FIPS) 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60

Select and tailor security controls by applying scoping guidance in accordance with NIST SP 800-53 and FedRAMP specific guidance

Document the implementation characteristics for security controls with enough detail to permit the testing of the security control by an independent assessor/Third Party Assessment Organization (3PAO)

Develop, review, and update security authorization package documentation to include the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Actions and Milestones (POA&M)

Develop, review, and update supporting documentation including the Contingency Plan (CP), Incident Response Plan (IRP), and Configuration Management Plan (CMP)

Conduct Security Impact Assessments (SIAs) on changes to information systems

Create the Control Implementation Summary (CIS)/Customer Responsibility Matrix (CRM) workbook outline Cloud Service Provider (CSP) and customer responsibilities

Develop, review, and update policies and procedures to support the implementation of the NIST 800-53 control families

Leverage the next generation of Governance Risk and Compliance (GRC) tools to automate the creation of the SSP

Review current security assessment and authorization processes and provide recommendations for improvement

Develop Risk Assessment Reports (RAR)

Provide guidance on NIST 800-53, FedRAMP, and StateRAMP control requirements

Develop and deliver training to educate stakeholders on the various tasks and activities associated with the RMF

Requirements:

Minimum 8 years’ experience in IT consulting specializing in Governance, Risk, and Compliance using the RMF

CISSP, CISM, or CAP certification, or equivalent preferred

Excellent communication and interpersonal skills, with the ability to build a rapport and trust with clients

Knowledge of the cybersecurity industry to include regulatory frameworks such as the National Institute of Standards in Technology (NIST) Risk Management Framework (RMF), Federal Risk Authorization Management Program (FedRAMP), Department of Defense (DoD) Impact Levels (2-6), and the State Risk Authorization Management Program (StateRAMP)

Possesses an in-depth understanding of the FedRAMP authorization process and associated templates and deliverables

Must have extensive experience creating security authorization package documentation (i.e., SSP, SAP, SAR, & POA&M) and managing system authorization artifacts for a FedRAMP authorized cloud environment

Working knowledge of:

NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

FedRAMP Security Controls Baselines (i.e., Low, Moderate, High, and Li-SaaS)

StateRAMP Security Control Baselines (i.e., Low Impact Ready, Low Impact Authorized, Moderate Impact Ready, Moderate Impact Authorized)

NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems

Must have strong technical writing skills

Must be able to work independently under only general direction

Must be able to interpret and provide consulting expertise on FedRAMP security requirements

Will serve as an RMF Subject Matter Expert (SME) at key stakeholder meetings

Must have extensive knowledge in reviewing, analyzing, and documenting the secure implementation of logical controls, physical controls, environmental controls, personnel security, and incident handling

Experience preparing monthly continuous monitoring deliverables (e.g., vulnerability scans, POA&Ms, and asset inventory) for submission to the FedRAMP PMO

Must be a US Citizen and capable of passing a Public Trust background investigation

bottom of page