Job Requirements
Washington, DC
Clearance: Public Trust; Polygraph: not specified
Senior Level Career (10+ yrs experience)
Salary not specified
Job Description
For more than a decade, Karthik Consulting has been a reliable and trusted advisor to our Government customers, providing independent and unbiased recommendations and solutions to mitigate risk and help solve IT issues. We bring the innovation, passion, and agility of the commercial sector to meet the unique challenges of this competitive space.
Karthik Consulting is seeking a Security Control Assessor/Analyst (Cybersecurity Analyst III) with the below skillset.
Security Control Assessor/Analyst (Cybersecurity Analyst III)
Full-time with Karthik Consulting
Location: Washington, DC
Clearance: Public Trust
Program Description:
The IT CSSS program provides information security support to the Federal Bureau of Prisons Information Technology & Data Division and other DOJ components as required. The program supports BOP obligations to protect federal information systems under FISMA, OMB Circular A-130, the Privacy Act, NIST RMF guidance, DOJ policy, and related cybersecurity requirements.
Program Scope:
The program covers ATO maintenance and rapid ATO activities, RMF lifecycle support, JCAM-based authorization management, FISMA/FISCAM audit support, security architecture and engineering support, vulnerability and risk management, privacy documentation, FedRAMP assessment support, continuous monitoring, and coordination with BOP system owners, CORs, AOs, and technical stakeholders.
Key Responsibilities:
Security Control Assessment
• Assess security and privacy controls for classified and unclassified systems, including National Security Systems, in accordance with NIST SP 800-53A, DOJ/BOP requirements, and approved assessment plans.
• Validate implementation evidence, test results, artifacts, and technical documentation to determine whether controls are implemented correctly, operating as intended, and producing the desired security outcome.
• Document assessment results, findings, deficiencies, recommendations, and risk implications in Security Assessment Reports and related authorization artifacts.
• Coordinate with ISSOs, system owners, engineers, and authorization stakeholders to resolve control assessment questions and evidence gaps.
RMF, ATO, and Authorization Support
• Support RMF lifecycle activities for ATO maintenance, rapid ATOs, reauthorization, ongoing authorization, and continuous monitoring.
• Review authorization package content, including SSPP/SSP, SAR, POA&M, residual risk reports, risk analysis reports, threat matrix reports, and executive briefings.
• Use JCAM or similar authorization management systems to review control implementation data, assessment records, evidence, and authorization status.
• Support AO and stakeholder decision-making by providing clear assessment findings and risk-based recommendations.
Classified, Unclassified, and NSS Security Assessment Support
• Apply specialized cybersecurity assessment expertise across classified programs, unclassified programs, National Security Systems, and sensitive federal environments as assigned.
• Evaluate system boundaries, security categorization, control applicability, inherited controls, hybrid controls, and assessment scope to support accurate authorization decisions.
• Assess live networks, system components, cloud or hybrid environments, and enterprise services to determine security posture and compliance readiness.
• Ensure assessment work reflects the operational environment, mission use, technical architecture, and applicable federal security requirements.
Risk, Vulnerability, and POA&M Analysis
• Analyze control weaknesses, vulnerabilities, audit findings, and technical deficiencies to determine severity, risk impact, and recommended remediation approach.
• Support POA&M creation, review, validation, tracking, and closure by ensuring weaknesses are clearly documented and tied to corrective actions.
• Review remediation evidence and updated assessment results to determine whether findings can be reduced, closed, or escalated for risk acceptance consideration.
• Coordinate with vulnerability management, incident response, configuration management, and O&M teams to align findings with operational remediation activities.
Reporting, Documentation, and Stakeholder Coordination
• Prepare written communications, assessment summaries, status updates, findings reports, and briefing materials for government and contractor leadership.
• Support monthly reporting by documenting assessment progress, deliverables, risks, issues, corrective actions, and key authorization activities.
• Maintain audit-ready documentation that meets SOW requirements for content, completeness, accuracy, and conformance.
• Communicate technical assessment results in clear language for system owners, CORs, AOs, privacy stakeholders, and program leadership.
Qualifications
Education
• Bachelor’s degree required.
• Degree in cybersecurity, information systems, computer science, information technology, management information systems, or a STEM-related discipline preferred.
Professional Certifications
Candidate must possess at least one of the following required certifications:
• CISA - Certified Information Systems Auditor.
• CRISC - Certified in Risk and Information Systems Control.
• CISSP - Certified Information Systems Security Professional.
• CGRC - Certified in Governance, Risk and Compliance.
Minimum Qualifications
• Minimum of eight (8) years of cybersecurity experience.
• Minimum of five (5) years of specialized experience supporting classified and unclassified programs, National Security Systems, and NIST SP 800-53A security control assessment activities.
• Experience performing security control assessments, validating assessment evidence, documenting findings, and supporting authorization decisions for federal information systems.
• Experience supporting RMF, ATO maintenance, control assessment, risk analysis, POA&M management, and continuous monitoring activities.
• Ability to coordinate with system owners, ISSOs, engineers, assessors, authorizing officials, privacy stakeholders, CORs, and program leadership.
• Public Trust / Suitability required; must be able to obtain and maintain required access for the duration of the assignment.
Preferred Qualifications
• Strong working knowledge of NIST Special Publications, including NIST SP 800-53A assessment procedures, NIST SP 800-53 security controls, and NIST SP 800-37 RMF/security authorization.
• Experience using DOJ JCAM or similar governance, risk, and compliance systems to review authorization artifacts, assessment evidence, and authorization status.
• Prior DOJ, BOP, DoD, Intelligence Community, or federal law enforcement cybersecurity assessment experience.
• Experience assessing controls for on-premises, cloud, hybrid, air-gapped, or classified federal systems.
• Strong written communication skills with the ability to produce audit-ready assessment documentation and executive-level risk summaries.