Job Title: Senior Control Assessment Analyst
Location: Washington, DC
Type: Contract
We are seeking a skilled Senior Control Assessment Analyst to support a high-impact cybersecurity program aligned with the NIST Risk Management Framework (RMF). The analyst will be responsible for developing control assessment methodologies, maintaining schedules, and executing security and privacy control assessments for newly developed, acquired, and ongoing information systems.
Responsibilities:
Create tailored control assessment approaches for SaaS solutions and external organizations lacking FedRAMP authorization.
Align assessment methodologies with FISMA, OMB, and NIST standards (including NIST SP 800-37, SP 800-53A, and SP 800-171A).
Ensure methodologies enable efficient, risk-based authorization decisions.
Develop and maintain a real-time Master Assessment Schedule.
Adjust for prioritization changes, delays, and resource shifts to provide accurate timelines for assessments.
Review and update control overlays for categories such as web applications and FedRAMP-authorized SaaS platforms.
Review artifacts such as FIPS 199 categorization memos, System Security and Privacy Plans (SSPPs), and Contingency Plans.
Develop Control Assessment Plans (CAPs) outlining:
Methodologies and assessment scope
Assessment team members and stakeholders
Control baselines and procedures
Timelines, dependencies, and access requirements
Ensure assessor independence and objectivity.
Conduct technical, operational, and management control assessments.
Validate control inheritance and overlays.
Document results, supporting evidence, and evaluation outcomes.
Prepare Control Assessment Reports (CARs) detailing findings, associated risks, and recommended remediations.
Support authorization briefings and issue resolution with stakeholders.
Conduct post-authorization assessments for production deployment validation.
Perform impact analysis for system changes.
Identify affected controls and assessment procedures.
Assess a selected subset of controls per the continuous monitoring strategy.
Produce an annual summary report highlighting risks, trends, and recommendations.
Qualifications:
Minimum 5 years of experience in control assessments and Assessment and Authorization (A&A) support in compliance with NIST frameworks.
Proven experience with:
NIST SP 800-53 (Rev. 5 or newer)
Assessment planning, execution, and risk evaluation
Developing and maintaining POA&Ms
Inventory management of information systems
Strong ability to brief stakeholders on findings, risks, and remediations.
CISSP – Certified Information Systems Security Professional
CAP – Certified Authorization Professional (preferred)