RMF / ISSO Lead
Devis · Bethesda, MD · 1 wk ago
On-siteInformation Technology$110k–$130k/yrFull-time
Primary Duties
- Manage the RMF lifecycle for new and existing systems and maintain continuous compliance with the NIST 800-53 Rev. 5 baseline
- Maintain the enterprise Risk Management Strategy, RMF Program Plan, common controls, and tailored baselines
- Provide RMF subject matter expertise and guidance to system owners, ISSOs, and stakeholders
- Support C-SCRM and EO 14028 requirements, including third-party/SBOM risk analysis
- Develop and maintain RMF authorization artifacts: SSP, BIA, FIPS 199 categorization, PTA/PIA, Configuration Management Plan, and e-Authentication documentation
- Develop boundary/architecture documents (BSM, ABND) and support control scoping, tailoring, and overlays (e.g., OD AI Overlay; NIST AI RMF 1.0 for AI/ML systems)
- Provide governance and final QA review of System Authorization Packages prior to submission to the Authorizing Official
- Maintain independence: package developers shall not perform SCA/SAR validation for the same system
- Populate and maintain the enterprise Risk Management Register and manage POA&Ms to timely remediation
- Identify, prioritize, and provide enhanced oversight for High Value Assets (HVAs)
- Cook up and execute annual Contingency Plan Tests and maintain ConMon plans
- Communicate risk posture, compliance status, and authorization updates to senior leadership
- Support internal/external assessments and audits (OIG, GAO, HHS, independent assessors) and track corrective actions
- Manage the Risk Mitigation Waiver Register and annual waiver reassessment
- Facilitate RMF training, office hours, and how-to guides for system owners and technical staff
Required Qualifications
- Education & Experience: Bachelor’s degree in Information Systems, Cybersecurity, Computer Science, or a related field (or equivalent experience); minimum 7 years in RMF / A&A / ISSO support for federal systems
- Demonstrated experience managing the ATO lifecycle and POA&Ms under NIST 800-53
- CISSP, CAP, or CGRC (or comparable RMF/GRC certification)
- Strong working knowledge of NIST RMF, NIST 800-53 Rev. 5, FIPS 199/200, and FISMA
- Experience authoring SSPs and full A&A packages; familiarity with GRC/compliance tools (e.g., JCAM)
- Familiarity with FedRAMP CSP package review and control inheritance
- Clear written documentation and the ability to guide system owners through complex RMF processes
- Strong organization and tracking discipline across many concurrent authorizations
- Prior NIH/HHS RMF or ISSO support experience
- Experience with AI/ML security overlays and NIST AI RMF 1.0
- Cloud A&A experience (FedRAMP, NIH STRIDES)
Clearance
- Must be able to obtain and maintain the NIH/OD/OIT required clearance level and complete all suitability/onboarding requirements
Salary Range
- $110,000 - $130,000