Senior Cybersecurity A&A Risk Analyst

Cherokee Federal

Posted today
Public Trust
Unspecified
Unspecified
IT - Security
Remote/Hybrid (Off-Site/Hybrid)

Position Summary

The Senior Cybersecurity Assessment & Authorization (A&A) Risk Analyst provides advanced governance, risk, and compliance (GRC) support to federal information systems in alignment with the Federal Information Security Modernization Act (FISMA) and the NIST Risk Management Framework (RMF).

This position is responsible for managing external service authorization activities, conducting security risk assessments, and supporting NSF's continuous monitoring efforts. The role requires strong analytical, documentation, and stakeholder engagement skills to ensure federal systems maintain compliance with applicable federal laws, regulations, and NSF directives.

Essential Duties and Responsibilities

Assessment & Authorization (A&A)

  • Manage full lifecycle Risk Management Framework (RMF) activities in accordance with NIST Special Publication 800-37.
  • Develop, review, and maintain security authorization documentation, including System Security Plans (SSPs), Security Assessment Plans (SAPs), Security Assessment Reports (SARs), and Plans of Action and Milestones (POA&Ms).
  • Review and assess FedRAMP authorization packages, and package updates, to support the evaluation and use of cloud services.
  • Monitor ATO packages in the FedRAMP Secure Repository.
  • Communicate with system owners, information systems security officers (ISSOs), Cloud Service Providers, and security stakeholders frequently to review significant system changes and ensure continued compliance with federal security requirements.
  • Evaluate and validate implementation of security controls defined in NIST Special Publication 800-53 Rev. 5, including inherited and agency-implemented controls.
  • Conduct risk assessments using methodologies consistent with NIST Special Publication 800-30 and provide risk analysis and recommendations to Authorizing Officials and senior stakeholders.
  • Support continuous monitoring and ongoing authorization activities by reviewing vulnerability scans, tracking POA&Ms, and coordinating remediation efforts.


Governance, Risk & Compliance (GRC)

  • Peer review cybersecurity policies, standards, procedures, and implementation guidance.
  • Perform regulatory and policy analysis to ensure alignment with federal requirements and agency directives.
  • Conduct gap analyses to assess compliance posture and recommend remediation strategies.
  • Assist in development of control overlays, baseline updates, and security control tailoring guidance.
  • Provide subject matter expertise in governance discussions.
  • Support enterprise reporting activities, including risk metrics and compliance dashboards in ServiceNow.


Compliance & Oversight Support

  • Provide documentation and analysis support for internal and external reviews, including FISMA reporting activities.
  • Assist in preparing responses to oversight inquiries and tracking corrective actions.
  • Perform quality assurance reviews of security documentation to ensure accuracy and consistency.


Required Qualifications

  • Bachelor's degree in Cybersecurity, Information Technology, Public Policy, or related discipline (or equivalent experience).
  • Professional certification(s) such as CISSP, CISM, or CAP.
  • Minimum of 7 years of progressive cybersecurity experience, including at least 4 years supporting federal RMF/A&A efforts.
  • Demonstrated experience implementing the NIST Risk Management Framework.
  • Strong knowledge of:
      • Federal Risk and Authorization Management Program (FedRAMP)
      • NIST Special Publication 800-53 Rev. 5
      • Federal Information Security Modernization Act (FISMA)
      • Federal Zero Trust Strategy (OMB M-22-09)
  • Familiarity with federal cloud security requirements and FedRAMP-authorized environments.
  • Experience supporting Moderate and/or High impact systems.
  • Experience with Microsoft 365 office applications.
  • Excellent written and verbal communication skills.
  • Ability to engage effectively with technical teams and executive leadership.
  • Active Public Trust clearance or ability to obtain.


Preferred Qualifications

  • Experience with ServiceNow, CSAM and/or comparable GRC tools.
  • Familiarity with Atlassian Confluence and JIRA.
  • Experience contributing to enterprise-level cybersecurity policy initiatives.
  • Familiarity with guidance pertaining to responsible AI usage by federal agencies (e.g., Executive Order 13960, OMB M-25-21 and M-25-22).
  • Experience supporting federal research or grant-management systems.


Core Competencies

  • Federal Cybersecurity Governance
  • Risk Assessment & Analysis
  • Policy Development & Regulatory Interpretation
  • Technical Documentation & Quality Assurance
  • Stakeholder Engagement
  • Analytical Problem Solving


Work Environment

This is a full-time remote position supporting Cherokee Federal's cybersecurity contract with the U.S. National Science Foundation in Alexandria, VA. This position reports to the Cybersecurity Oversight and Compliance Lead, operates within a structured federal compliance environment, and requires collaboration with system owners, security personnel, program offices, and senior stakeholders. The role supports ongoing authorization, governance initiatives, and periodic oversight reviews to maintain a strong cybersecurity posture across NSF systems.

About Criterion Systems

Criterion Systems LLC is a part of Cherokee Federal, the division of tribally owned federal contracting companies owned by Cherokee Nation Businesses. As a trusted partner for more than 60 federal clients, Cherokee Federal LLCs are focused on building a brighter future, solving complex challenges, and serving the government's mission with compassion and heart. To learn more about Criterion, visit cherokee-federal.com.

Cherokee Federal is a military-friendly employer. Veterans and active military transitioning to civilian status are encouraged to apply.
Legal Disclaimer: All qualified applicants will receive consideration for employment without regard to protected veteran status, disability or any other status protected under applicable federal, state or local law.
About Us
At Cherokee Federal, we’re always looking for top talent who share our values and who believe in making a difference. We manage nearly 1,000 federal projects of all sizes, from aerospace manufacturing and health sciences to technological innovations and consulting services.

Cherokee Federal has a team of 3,000+ employees with the technical skills and entrepreneurial drive focused on building next-generation technologies, solving complex challenges and serving more than 60 federal agencies globally.

We offer a comprehensive benefits package that reflects the importance of the services we provide our federal customers, including competitive salary, retirement, health and wellness and more. Join our team and make an immediate impact!