Risk Management Framework (RMF) Analyst
Full Time • Norfolk
The RMF Analyst supports OPTEVFOR Cyber Operational Test & Evaluation (OT&E) missions by applying enterprise- and system-level security architecture expertise across the system development lifecycle. The role ensures alignment with evolving laws, regulations, and DoD and Department of the Navy (DoN) cybersecurity policies, and contributes to Risk Management Framework (RMF) activities across all lifecycle phases.
The Security Architect translates complex technical, operational, and environmental requirements into effective security architectures; supports system categorization, policy documentation, security control selection and implementation; and conducts comprehensive assessments of management, operational, and technical security controls to evaluate effectiveness. The position also provides project management and subject matter expertise to guide certification and accreditation (A&A) activities for Cyber OT&E test infrastructure and toolsets, working closely with internal stakeholders and external oversight organizations to ensure timely and compliant system authorizations.
Security Clearance Requirement:
Eligibility for Top Secret / Sensitive Compartmented Information (TS/SCI).
Eligibility for Top Secret / Sensitive Compartmented Information (TS/SCI).
Qualifications
- Minimum of five (5) years of experience designing and integrating enterprise and system security architectures across the development lifecycle
- Minimum of three (3) years of experience conducting RMF-related assessments of management, operational, and technical security controls within DoD IT systems
- Minimum of three (3) years of experience providing project management, subject matter expertise, and hands-on support for system certification and accreditation efforts in accordance with DoD/DoN cybersecurity policies and RMF guidance
Key Responsibilities
Security Architecture and RMF Support
- Apply enterprise and system-level security architecture principles to support OPTEVFOR Cyber OT&E missions
- Support RMF activities across all steps, including system categorization, control selection, control implementation, assessment, authorization, and continuous monitoring
- Provide RMF support consistent with the RMF Process Guide (RPG) for the Information Systems Security Engineer (ISSE) role
- Evaluate security architectures and designs to determine adequacy and alignment with mission and enterprise objectives
- Define and document the impact of new systems, interfaces, or changes on overall security posture
Documentation, Compliance, and Governance
- Create, review, update, and validate cybersecurity Standard Operating Procedures (SOPs)
- Maintain inventories of authorized software, Government Furnished Equipment (GFE), and removable media
- Maintain and update all RMF and A&A documentation to ensure accuracy, relevance, and alignment with OPTEVFOR Cyber OT&E assets, including required updates in eMASS
- Ensure traceability across all RMF artifacts, including:
- A&A Plans
- Plans of Action and Milestones (POA&Ms)
- Security Assessment Reports (SARs)
- Network topologies
- Software inventories
- Ports, protocols, and services
- Test plans
- Maintain system and network documentation in DoD IT Portfolio Repository–DoN (DITPR-DON) / DADMS
- Maintain documentation and registration of network ports, protocols, services, and circuits, including GIAP and SNAP
- Track and report weekly status of all outstanding A&A actions and supporting documentation
- As a member of the Configuration Control Board (CCB), ensure approved changes are accurately and timely reflected in A&A documentation
Assessment, Validation, and Hardening
- Conduct comprehensive annual RMF package reviews to ensure continued compliance of Cyber OT&E toolsets, networks, and systems
- Execute DISA STIG validations in conjunction with RMF/A&A reviews in accordance with DoDI 8510 series
- Audit and validate system and network configurations against STIGs; define and implement compensating controls when required to support mission execution
- Support compliance validation for current and emerging directives (e.g., IAVs, STIGs, TASKORDs, CTOs)
- Provide recommendations for corrective actions to remediate non-compliant security controls
- Prepare and maintain vulnerability scan results, system security assessments, and configuration management findings to inform authorization decisions
- Document assessment activities and results in sufficient detail to support independent external review
Testing, Exercises, and Continuity Planning
- Develop or contribute to security test plans and supporting documentation to verify security control implementation and inform ongoing risk determinations
- Conduct and document semi-annual tabletop exercises (twice per calendar year)
- Review and analyze IT contingency and disaster recovery plans for compliance with NIST and DoN requirements
- Develop system-specific contingency planning checklists and support contingency plan exercises and training
- Work independently or in small teams to resolve tasks with minimal supervision
DCWF Knowledge, Skills, Abilities, and Tasks (KSATs)
Knowledge
- Enterprise information security architecture and IT architectural concepts (baseline and target architectures)
- Network security architecture principles, protocols, components, and defense-in-depth strategies
- Cybersecurity-enabled software products and secure configuration management practices
- RMF processes, documentation, and compliance requirements
- PII protection standards, program protection planning, and applicable security/privacy regulations
- Telecommunications concepts, network management principles, and cloud-based security technologies
- Specialized system requirements, including those supporting critical infrastructure
Skills & Abilities
- Design and integrate security architectures and frameworks, including multilevel and cross-domain solutions up to TS/SCI
- Translate laws, regulations, and environmental conditions into effective security designs and processes
- Perform comprehensive assessments of management, operational, and technical security controls
- Develop and maintain security compliance processes and audits, including for external services (e.g., cloud providers)
- Apply cybersecurity methods such as firewalls, DMZs, encryption, PKI, and digital signatures
- Optimize systems to meet enterprise performance and security requirements
- Provide project management and subject matter expertise for Cyber OT&E certification and accreditation efforts
- Document and update security architectures and related artifacts
- Translate mission capabilities into technical and security requirements and application design elements
- Provide cost, design, and change-impact advice to program and technical leadership
GCA is a minority veteran owned small business providing solutions to customer requirements in every realm of the intelligence and information technology industries to include, imagery/intelligence analysis, related systems engineering and administration, operations and maintenance, networking and VTC services.
GCA is committed to a safer tomorrow. The challenges facing our Nation and the World grow ever more complex and require the highest level of dedication, integrity, and service. These core values are the backbone GCA builds upon to provide our customers with exceptional service within the dynamic intelligence community and ever changing Information Technology sector.
(if you already have a resume on Indeed)
Or apply here.
Paid Time off that includes 10 federal holidays and 15 additional days.
Bereavement Leave & Parental Leave
PTO Cash out
Company Paid STD and LTD
Life and AD&D Insurance
Employee referral program
Medical, Prescription, Dental, and Vision Coverage
401k Savings and company match