Cybersecurity Compliance Auditor / Security Control Assessor (SCA)
Johns Hopkins Applied Physics Laboratory · Laurel, MD · 1 mo ago
On-siteSales$100k/yrFull-time
About the role
Recognized as one of Computerworld’s Top Places to Work in IT for seven consecutive years, APL is expanding its cybersecurity compliance and assessment capabilities. We are seeking a Cybersecurity Compliance Auditor / Security Control Reviewer (SCR) to perform independent security control assessments across classified information systems to determine the overall effectiveness of the controls.
Responsibilities
- Planning, conducting, and performing independent security control assessments of classified systems in accordance with Risk Management Framework (RMF), Joint Special Access Program (SAP) Implementation Guide (JSIG), and applicable DoD/IC standards.
- Evaluate the implementation and effectiveness of security controls across a wide range of technologies and environments.
- Conduct risk-based assessments to determine system compliance and identify vulnerabilities, control gaps, and areas for process improvement.
- Analyze system documentation, test results, and artifacts to validate control implementation and authorization readiness.
- Develop clear, concise, and defensible assessment reports, including findings, risk determinations, corrective actions, and recommendations to address identified vulnerabilities.
- Collaborate with Program Managers/System Owners, ISSMs, ISSOs, system engineers/administrators, and program teams to resolve findings and improve security posture.
- Support internal security reviews and external inspections (e.g., DCSA, DoD, IC), ensuring systems are prepared for independent evaluation and compliance inspections.
- Interpret and apply cybersecurity policies and frameworks, including RMF, NISPOM, DAAG/DAAPM, and JSIG.
- Evaluate the effectiveness and implementation of Continuous Monitoring Plans.
- Contribute to the continuous improvement of assessment methodologies, tools, and processes.
Qualifications
- Hold a Bachelor’s degree in Information Systems, Computer Science, Cybersecurity, or a related field (or equivalent experience).
- Have at least 5 years of cybersecurity experience, including involvement in RMF, Certification & Accreditation (C&A), or Assessment & Authorization (A&A) processes.
- Have experience performing or supporting Security Control Assessments or independent validation of security controls.
- Have experience in three or more of the following areas: Network, endpoint, and application security Identity and access management Vulnerability and configuration management Encryption and data protection technologies Incident response and monitoring
- Hold a relevant certification such as CISA, GSNA, CASP+ CE, CISSP, CISM or DoD 8570/8140 IAT/IAM Level II/III equivalent.
- Have experience applying cybersecurity standards such as: NISPOM DAAG/DAAPM JSIG NIST SP 800-53 / RMF
- Demonstrate strong technical understanding of operating systems, networking, virtualization, AI/ML, and cloud environments.
- Possess strong written and verbal communication skills, with the ability to clearly document and communicate risk.
- Hold an active Secret clearance with the ability to obtain a Top-Secret clearance.