Information Systems Security Analyst

Job Title

Information Systems Security Analyst

# of Hires Needed

1

Date Needed By

1/30/2026

Category

Information Technology

Education

Bachelor's Degree

Career Level

Experienced (Non-Manager)

Job Type

Full-time

Location

CTAC HQ - Falls Church, VA 22042 US (Primary)

Travel

0 - 10%

Job Description

CTAC is seeking an experienced Information Systems Security Analyst to support a federal program focused on achieving and sustaining an Authority to Operate (ATO) for a complex, multi-tenant AWS cloud environment. This role is a key member of CTAC's federal delivery team and is responsible for executing Risk Management Framework (RMF) activities across the full NIST lifecycle, with a strong emphasis on control validation, documentation, evidence development, and assessor engagement.

The ideal candidate will bring deep hands-on experience supporting federal ATOs, implementing NIST SP 800-53 controls, managing POA&Ms, and working directly with cloud engineers, architects, and Authorizing Officials to remediate security gaps and maintain continuous authorization readiness. This position requires a balance of technical security expertise, disciplined documentation, and the ability to operate effectively in a fast-paced, sprint-based delivery model.

Key Responsibilities

• Execute and support the full NIST Risk Management Framework (RMF) lifecycle (Categorize, Select, Implement, Assess, Authorize, Monitor) for ORNL's AWS multi-tenant platform.

• Perform control-by-control gap analysis against NIST SP 800-53, identifying incomplete, partially implemented, or undocumented controls.

• Develop, update, and maintain RMF artifacts, including:

  • System Security Plan (SSP)

  • Control implementation narratives

  • POA&M

  • Continuous Monitoring documentation

  • Objective evidence mappings

  
  

• Partner closely with cloud architects and engineers to validate technical control implementations and support remediation activities within AWS.

• Support assessment and authorization activities, including direct engagement with assessors, auditors, and ORNL security stakeholders.

• Track, document, and manage risks, findings, and remediation activities in accordance with federal RMF expectations.

• Ensure security documentation accurately reflects the operational state of the environment and remains audit-ready throughout the engagement.

• Support the use of governance, risk, and compliance (GRC) tools (e.g., eMASS, Kion, or equivalent) to manage controls, evidence, and reporting.

• Contribute to sprint planning and execution by aligning RMF activities with engineering and documentation deliverables.

• Assist in the development or refinement of security policies, procedures, and standards where gaps exist.

• Provide subject matter expertise on federal security requirements, best practices, and emerging guidance relevant to cloud-hosted systems

Job Requirements

• Bachelor's degree in Information Security, Cybersecurity, Information Technology, or a related discipline (or equivalent experience).

• 10+ years of progressive experience in cybersecurity, information assurance, or RMF-focused security roles supporting federal systems.

• Demonstrated hands-on experience supporting ATO packages for federal cloud or hybrid environments.

• Deep working knowledge of:

  • NIST SP 800-53

  • NIST SP 800-37

  • FISMA requirements

  • Federal A&A processes

  
  
  
  

• Strong experience developing and maintaining SSPs, POA&Ms, and RMF evidence.

• Experience working with cloud (Amazon Web Services) security environments, including validation of technical control implementations.

• Ability to clearly document complex technical and compliance concepts for both technical and non-technical audiences.

• Proven ability to collaborate across engineering, security, and program management teams.
  
  Strong analytical, organizational, and communication skills.

• Ability to obtain and maintain a Public Trust (or higher) clearance.

Preferred Qualifications

• Master's degree in Cybersecurity, Information Systems, or a related field.

• Active CISSP and/or CISM certification.

• Experience supporting multi-tenant cloud platforms and control inheritance models.

• Familiarity with Infrastructure as Code (IaC) concepts and how automation supports compliance.

• Experience supporting federal research, scientific, or mission-driven environments.

• Prior experience working in agile or sprint-based delivery models for RMF execution.

CTAC is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, age, sexual orientation, gender identity, national origin, disability, or protected veteran status. VEVRAA Federal Contractor