Jobs · Information Technology · Maryland

RMF / ISSO Lead

Devis · Bethesda, MD · 1 wk ago
On-siteInformation Technology$110k–$130k/yrFull-time

Primary Duties

  • Manage the RMF lifecycle for new and existing systems and maintain continuous compliance with the NIST 800-53 Rev. 5 baseline
  • Maintain the enterprise Risk Management Strategy, RMF Program Plan, common controls, and tailored baselines
  • Provide RMF subject matter expertise and guidance to system owners, ISSOs, and stakeholders
  • Support C-SCRM and EO 14028 requirements, including third-party/SBOM risk analysis
  • Develop and maintain RMF authorization artifacts: SSP, BIA, FIPS 199 categorization, PTA/PIA, Configuration Management Plan, and e-Authentication documentation
  • Develop boundary/architecture documents (BSM, ABND) and support control scoping, tailoring, and overlays (e.g., OD AI Overlay; NIST AI RMF 1.0 for AI/ML systems)
  • Provide governance and final QA review of System Authorization Packages prior to submission to the Authorizing Official
  • Maintain independence: package developers shall not perform SCA/SAR validation for the same system
  • Populate and maintain the enterprise Risk Management Register and manage POA&Ms to timely remediation
  • Identify, prioritize, and provide enhanced oversight for High Value Assets (HVAs)
  • Cook up and execute annual Contingency Plan Tests and maintain ConMon plans
  • Communicate risk posture, compliance status, and authorization updates to senior leadership
  • Support internal/external assessments and audits (OIG, GAO, HHS, independent assessors) and track corrective actions
  • Manage the Risk Mitigation Waiver Register and annual waiver reassessment
  • Facilitate RMF training, office hours, and how-to guides for system owners and technical staff

Required Qualifications

  • Education & Experience: Bachelor’s degree in Information Systems, Cybersecurity, Computer Science, or a related field (or equivalent experience); minimum 7 years in RMF / A&A / ISSO support for federal systems
  • Demonstrated experience managing the ATO lifecycle and POA&Ms under NIST 800-53
  • CISSP, CAP, or CGRC (or comparable RMF/GRC certification)
  • Strong working knowledge of NIST RMF, NIST 800-53 Rev. 5, FIPS 199/200, and FISMA
  • Experience authoring SSPs and full A&A packages; familiarity with GRC/compliance tools (e.g., JCAM)
  • Familiarity with FedRAMP CSP package review and control inheritance
  • Clear written documentation and the ability to guide system owners through complex RMF processes
  • Strong organization and tracking discipline across many concurrent authorizations
  • Prior NIH/HHS RMF or ISSO support experience
  • Experience with AI/ML security overlays and NIST AI RMF 1.0
  • Cloud A&A experience (FedRAMP, NIH STRIDES)

Clearance

  • Must be able to obtain and maintain the NIH/OD/OIT required clearance level and complete all suitability/onboarding requirements

Salary Range

  • $110,000 - $130,000

Similar jobs

RMF Lead

Amyx, Inc.Fort Huachuca, AZ· 16 mo ago
Managementapply on careers-amyx.icims.com

RMF / GRC Lead

Softek InternationalPiscataway, NJ· 1 wk ago
Managementapply on recruiting.paylocity.com

Security / RMF Lead

E-Logic, Inc.Atlanta, GA· 1 mo ago
RemoteInformation Technology$85k/yrapply on elogic.discovered.ai