Hirebridge

Security Assessment and Authorization Analyst, Associate

Hirebridge, Baltimore, Maryland, United States, 21276


Location: Baltimore, MD (5 days onsite, Bayview area)

Position Title: Security Assessment and Authorization Analyst, Associate

Clearance: Public Trust

Job Overview

The Security Assessment and Authorization Analyst, Associate will provide technical Security Assessment and Authorization (SA&A) support for biomedical research and enterprise IT systems supporting the NIH Client. This role blends policy-driven RMF compliance with hands-on technical security review, continuous monitoring, and system risk analysis. Working under the direction of the Federal Lead / Information System Security Officer (ISSO), the specialist will support system authorization activities, vulnerability management, configuration compliance, privacy assessments, and incident response coordination in accordance with FISMA, NIST, HHS, NIH, and FedRAMP requirements. The role requires close collaboration with system owners, infrastructure teams, application teams, and the Client SA&A team.

Key Responsibilities

Technical SA&A & RMF Implementation

- Execute Risk Management Framework (RMF) activities aligned with NIST SP 800-37, including system categorization, control selection, implementation review, assessment support, authorization, and continuous monitoring.
- Develop, update, and maintain System Security Plans (SSPs) aligned with NIST SP 800-18, documenting system architecture, data flows, boundary definitions, and control implementations.
- Support system ATO and re-authorization cycles, including package development and remediation tracking.
- Maintain and update SA&A artifacts within the NIH Security Assessment Tool (NSAT).
- Review SA&A documentation with the goal of preparing for, and successfully mediating, any audits (e.g., IG and GAO).
- Maintain the GSS system inventory, the Security Program, and any additional artifacts.
- Conduct annual/periodic disaster recovery tabletop tests, application contingency tabletop tests, and critical process testing, and update the Client Disaster Recovery Plan as necessary.

Security Controls & Technical Documentation

- Provide technical guidance and validation for NIST SP 800-53 security and privacy controls, including management, operational, and technical controls.
- Support FIPS 199 / FIPS 200 security categorization and baseline selection for systems and applications.
- Review and validate Security Assessment Reports (SARs) and translate findings into actionable remediation steps.
- Develop and maintain Plans of Action and Milestones (POA&Ms), ensuring timely mitigation of high and medium risks in accordance with NIH timelines.

Vulnerability and Configuration Management

- Review and analyze vulnerability scan results from SCAP-compliant tools covering operating systems, databases, web applications, and network devices.
- Validate compliance with USGCB, DISA STIGs, CIS Benchmarks, and NIH configuration standards.
- Support Configuration Management Plans (CMPs) and configuration baseline documentation.
- Work with system owners and infrastructure teams to assess configuration changes for security impact and approval.

Cloud & FedRAMP Support

- Support SA&A activities for cloud-based and hybrid systems, including systems operating under FedRAMP-authorized CSPs.
- Review FedRAMP security packages (SSP, SAR, POA&M) and map controls to NIH/HHS agency requirements.
- Assist in identifying gaps between FedRAMP baselines and agency-specific security requirements.

Privacy & Data Protection

- Conduct technical reviews for Privacy Threshold Analyses (PTAs) and Privacy Impact Assessments (PIAs).
- Evaluate system handling of PII, PHI, and sensitive research data, ensuring compliance with the Privacy Act, OMB, and NIH privacy requirements.
- Support Interconnection Security Agreements (ISAs) and Data Use Agreements (DUAs).

Incident Response & Contingency Planning

- Support development and maintenance of Incident and Breach Response Plans (IRPs) in alignment with HHS, NIH, and US-CERT requirements.
- Assist in incident response activities, including IOC analysis, coordination with CSIRC/IRT teams, and documentation.
- Develop, test, and update Contingency Plans (CPs) and Disaster Recovery Plans (DRPs) in accordance with NIST SP 800-34.
- Participate in and document annual tabletop exercises and contingency plan testing.

Qualifications

Education & Experience

- Bachelor's degree or equivalent experience
- Six (6) years of hands-on experience supporting federal IT security, SA&A, and RMF implementations

Core Security & Compliance Skills

- Strong experience with FISMA, NIST RMF, and FedRAMP
- In-depth knowledge of NIST SP 800-53, 800-37, 800-18, 800-34, and 800-63
- Experience performing FIPS 199 categorizations and control baseline determinations
- Hands-on development and maintenance of SSPs, SARs, POA&Ms, CPs, and CMPs

Technical & Infrastructure Knowledge

- Understanding of Windows, Linux, and UNIX operating system security concepts
- Familiarity with network security architecture, including firewalls, IDS/IPS, routers, and switches
- Experience assessing web applications, databases, and enterprise platforms
- Knowledge of authentication, access control, encryption, and key management

Security Tools & Platforms

- Experience with SCAP-compliant vulnerability scanning tools
- Familiarity with the NIH Security Assessment Tool (NSAT) or similar GRC platforms
- Experience reviewing security artifacts from cloud service providers (AWS, Azure, GCP) in a FedRAMP context
- Proficiency with Microsoft Office, SharePoint, and documentation collaboration tools

Preferred Qualifications

- Prior experience supporting NIH, HHS, or other federal health or research organizations
- Experience supporting high- or moderate-impact (FIPS 199) systems
- Familiarity with biomedical research environments and data protection requirements
- Security certifications such as CISSP, CISM, CAP, or Security+

Compensation and Benefits

The projected compensation range for this position is $70,000 to $130,000 per year, benchmarked in the Washington, D.C. metropolitan area. Salary at LCG is determined by various factors, including but not limited to role, location, the combination of education/training, knowledge, skills, competencies, certifications, and work experience. LCG offers a competitive, comprehensive benefits package which includes health insurance options (medical, dental, vision), life and disability insurance, retirement plan contributions, as well as paid leave, federal holidays, professional development, and lifestyle benefits.

Devoted to Fair and Inclusive Practices

All qualified applicants will receive consideration for employment without regard to sex, race, ethnicity, age, national origin, citizenship, religion, physical or mental disability, medical condition, genetic information, pregnancy, family structure, marital status, ancestry, domestic partner status, sexual orientation, gender identity or expression, veteran or military status, or any other basis prohibited by law.

If you are interested in applying for employment with LCG and need special assistance or an accommodation to apply for a posted position, contact our Human Resources department by email at hr@lcginc.com.

Securing Your Data

Beware of fraudulent job offers using LCG's name. LCG will never request payment-related details or advancement of money during the application process. Legitimate communication will only come from lcginc.com or system@hirebridgemail.com. If you receive suspicious emails asking for payment or personal information, contact us immediately at hr@lcginc.com. If you believe you are the victim of a scam, contact your local law enforcement and report the incident to the U.S. Federal Trade Commission.
