The Cyber Risk Management Specialist (CRMS) will specialize in in-depth knowledge of the program's cyber security hygiene, DevSecOps, Risk Management Framework (RMF), Assessment and Authorization (A&A), Federal Risk and Authorization Management Program (FedRAMP) compliance, continuous ATO (cATO) and continuous monitoring. A solid grasp on confidentiality, integrity, and availability (CIA) security concepts is required. The candidate will be responsible for the technical implementation and enforcement of security hardening, vulnerability management, scan analysis, data analysis for metrics reporting, cloud environments, compliance with Federal regulation and policy, and commercial best practices relating to cyber security. The candidate must have the ability to be flexible and adaptive to a fast-paced, fluid business environment.

The role requires strong procedural knowledge of NIST SP 800-37 Risk Management Framework (RMF) for Information Systems and Organization, NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, FedRAMP requirements, cloud environments, cloud cybersecurity architecture, compliance with Federal regulation and policy, and commercial best practices relating to cloud security. The CRMS is expected to efficiently learn and adapt to rapidly changing federal governance frameworks and standards of practice, to include risk treatments for modern and emerging technologies (e,g, AI, blockchain, microservices).

The Cyber Risk Management Specialist performs a range of functions before, during, and after an authorization is granted:

• Integrate security into DevOps effectively at every stage of the software development life cycle (SDLC).
• Identify security holes and potential breaches, work through multifaceted security issues, and create effective solutions based on understanding of risk posture and treatments.
• Develop and implement tactical strategies for seamless automation to optimize the IT infrastructure.
• Apply specialized knowledge of financial audit standards, classified system IA requirements, and Privacy Act requirements.
• Implement the NIST Special Publication (SP) 800 family of publications, particularly those associated with the Risk Management Framework.
• Evaluating system, network, or infrastructure security controls against requirements such as FISMA, FIPS, and NIST guidelines
• Apply in-depth, hands-on knowledge of the FedRAMP regulations, process, and requirements to lead project and initiative teams in accrediting cloud products and services.
• Support external audits, data calls, and the Authorization to Operate (ATO) process by coordinating with organization system owners, engineers, CSP’s and Third-Party Assessment Organizations (3PAO). 
• Positively impact the organization’s goals and operational mission through various forms of metric performance measuring tools used to evaluate adherences to compliance.
• Advise clients on FedRAMP requirements and provide security guidance on the implementation of security compliance controls per technical, management, and operational requirements. 
• Implement, monitor, and assess NIST SP 800-53 security controls for cloud environments to ensure compliance with FedRAMP requirements and governance models. 
• Ensure ongoing compliance with FedRAMP policy and requirements through monthly deliverables, regular vulnerability scanning, penetration testing, contingency testing, and annual security assessments performed by a 3PAO.
• Support ATO, cATO, and continuous monitoring activities to include security documentation, audit log, security incidents, and risk assessment.
• Review and manage Plan of Action & Milestones (POA&M), to include remediation tracking and reporting.

Required

• Ability to obtain a U.S. government Security Clearance
• Master's Degree and 6 year of cyber and FISMA experience; OR
  • Bachelor's Degree and 8 years of cyber and FISMA experience; OR
  • No degree and 12 years of experience, 10 of which must be in cyber and FISMA 
• Possesses at least one professional certification: CISSP, CASP, CISA, CISM or GSLC

Preferred

• Experience in FISMA, cloud cybersecurity architecture, compliance with Federal regulation and policy, and commercial best practices relating to cloud security.
• Experience in Information Security processes to include RMF, FedRAMP, Compliance, Continuous Monitoring, and Annual Assessments.
• Certifications in one or more of the following: CISSP, CRICS, CCSP, CAP/CGRC.
• Certifications in one or more of the following: AWS Certified Solutions Architect, AWS Certified Security, Microsoft Certified Solutions Architect, MCSE Cloud Platform and Infrastructure
• Experience conducting assessments in a 3PAO, C3PAO, or risk auditing organization is desirable, but not required.
• Experience supporting systems in Agile environments.

Identity Statement

As part of the application process, you are expected to be on camera during interviews and assessments. We reserve the right to take your picture to verify your identity and prevent fraud.

Steampunk is a Change Agent in the Federal contracting industry, bringing new thinking to clients in the Homeland, Federal Civilian, Health and DoD sectors.  Through our Human-Centered delivery methodology, we are fundamentally changing the expectations our Federal clients have for true shared accountability in solving their toughest mission challenges.  As an employee owned company, we focus on investing in our employees to enable them to do the greatest work of their careers – and rewarding them for outstanding contributions to our growth. If you want to learn more about our story, visit http://www.steampunk.com.

We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. Steampunk participates in the E-Verify program.