Risk Management Framework (RMF) Expert

What You Will Do:

• Lead and advise teams through the full NIST Risk Management Framework (RMF) lifecycle—Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor—embedding security and privacy into the system development life cycle (SDLC).
• Serve as the go-to Subject Matter Expert (SME) on RMF concepts, requirements, and agency-specific adaptations of RMF (e.g., organization RMF process guides), ensuring stakeholders understand expectations and decision points.
• Develop, review, and maintain RMF artifacts and authorization package documentation, including (as applicable): System Security Plans (SSPs), Security Assessment Plans (SAPs), Security Assessment Reports (SARs), and Plans of Action & Milestones (POA&Ms), along with supporting evidence.
• Coordinate and/or perform security control assessment activities (management, operational, and technical controls), evaluate control effectiveness, document weaknesses, and recommend remediation actions aligned to assessment results.
• Partner with system owners, engineers, ISSOs/ISSMs, assessors, and governance stakeholders to define authorization boundaries, identify inheritable controls, and drive readiness for Authorization to Operate (ATO) decisions.
• Track remediation and risk posture over time, supporting continuous monitoring activities, ongoing updates to security documentation, and leadership reporting for risk-based decisions.
• Maintain RMF records in approved repositories and GRC tooling (e.g., eMASS) and ensure documentation quality, consistency, and audit readiness.
• Facilitate working sessions and communicate clearly with both technical and non-technical audiences—translating controls and compliance language into actionable engineering and operational steps.
  

What You Will Need:

• Demonstrated hands-on experience applying the NIST RMF (based on NIST SP 800-37 Rev. 2) across multiple RMF steps, including support for A&A/ATO outcomes.
• Proven experience producing and/or reviewing core RMF artifacts and evidence packages—SSP, SAP, SAR, POA&M (and related documentation)—and driving them to completion with stakeholders.
• Experience planning and executing (or leading) security control assessments using NIST 800-53/800-53A-aligned methods; ability to identify deficiencies, determine severity, and recommend corrective actions.
• Working knowledge of security categorization and control selection concepts (e.g., risk levels/impact-based categorization and tailoring controls) and how those choices affect the authorization package.
• Familiarity with maintaining RMF artifacts in a formal repository/GRC system (e.g., eMASS) and managing versioning, audit trails, and stakeholder reviews.
• Strong written and verbal communication skills—able to produce clear, defensible documentation and brief technical and executive audiences on risk posture and decisions.
• Bachelor’s degree (or equivalent practical experience) in cybersecurity, information assurance, information systems, or a related field (typical for RMF-focused roles).

What Would Be Nice To Have:

• Experience supporting federal environments and common compliance regimes that leverage RMF (e.g., FISMA/FedRAMP-style documentation and A&A workflows).
• Experience with cloud authorization approaches and documentation expectations (including reviewing SSPs and supporting authorization decisions for cloud instantiations).
• Familiarity with vulnerability management and configuration compliance inputs that often serve as RMF evidence (e.g., scanning outputs and remediation tracking), and how those map to controls and POA&Ms.
• Professional certifications such as CISSP, CISM, CISA, CCSP, Security+, or similar (commonly requested for RMF/assessment roles).
• Experience leading small teams or acting as a workstream lead for RMF/A&A efforts (planning deliverables, setting cadence, and coordinating cross-functional contributors).
• Active security clearance or ability to obtain/maintain one (if required by the client environment).