Cybersecurity Risk Management Analyst

Cybersecurity Risk Management Analyst Cherokee Federal is seeking a Cybersecurity Risk Management Analyst to support its contract with the U.S. National Science Foundation. This role supports Assessment and Authorization (A&A) and broader risk management activities within a federal Governance, Risk, and Compliance (GRC) program. The analyst supports system authorization efforts, risk analysis, and ongoing compliance in alignment with federal cybersecurity requirements. The Cybersecurity Risk Management Analyst will be part of the Oversight and Compliance Team, which includes policy, A&A, continuity planning, privacy, training, and Security-Focused Configuration Management (SecCM) functions. This role works collaboratively with system owners, ISSOs, and technical teams to assess controls, evaluate risk, and contribute to a holistic view of organizational cybersecurity risk. Compensation & Benefits: $95,000- $105,000 Estimated Starting Salary Range for Cybersecurity Risk Management Analyst: Pay commensurate with experience. Full time benefits include Medical, Dental, Vision, 401K, and other possible benefits as provided. Benefits are subject to change with or without notice. Cybersecurity Risk Management Analyst Responsibilities Include: · Create, manage, maintain, and improve NSF A&A documentation and processes (e.g., SSPs, SARs, POA&Ms, security inventories, PTAs, PIAs, and internal reports to management), ensuring completeness, accuracy, and alignment with NIST RMF (SP 800-37, SP 800-53 Rev. 5) and NSF standards. · Perform control assessments by analyzing technical, procedural, and operational evidence; document results and support risk determinations, POA&M management, and ongoing authorization activities. · Collaborate with system owners, ISSOs, and engineers to gather artifacts, validate control implementations, and maintain authorization packages across the system lifecycle. · Conduct cybersecurity assessments and develop a continuous monitoring plan for cloud services in compliance with FedRAMP and other federal requirements. · Evaluate External Services (e.g., SaaS, PaaS, IaaS) for inclusion within authorization boundaries by reviewing service documentation, analyzing controls, and documenting risks, dependencies, and shared responsibility models; review authorization packages from FedRAMP to assess applicability and identify gaps. · Support continuous monitoring and SecCM activities by analyzing vulnerability and configuration data (e.g., scan results), validating remediation actions, and identifying trends or systemic risks across systems. · Customize DISA STIGs and CIS Benchmarks to create and maintain standardized “gold” audit files for systems in use at NSF; leverage Tenable Security Center to support the Security-Focused Configuration Management process. · Contribute to broader risk management efforts, including identifying cross-system or program-level risks, supporting audit and compliance activities (e.g., OIG), and incorporating findings from assessments, incidents, and external reviews into risk posture and reporting. · Perform peer reviews of A&A artifacts and related documentation to ensure technical accuracy, consistency, and adherence to established standards; contribute to team deliverables and coordination across Cybersecurity Oversight and Compliance functions. · Performs other job-related duties as assigned Cybersecurity Risk Management Analyst Experience, Education, Skills, Abilities requested: · Bachelor’s degree in Cybersecurity, Information Technology, or related field (or equivalent experience). · 2–5 years of experience in cybersecurity, risk management, or A&A within a federal or regulated environment. · CompTIA Security+ certification · Working knowledge of the NIST Risk Management Framework (RMF) and associated publications (e.g., SP 800-53, SP 800-37, FIPS 199). · Experience developing or maintaining A&A documentation (e.g., SSPs, SARs, POA&Ms). · Familiarity with External Services assessments and/or FedRAMP authorization concepts. · Demonstrated experience contributing to or reviewing at least one complete ATO package (e.g., SSP, SAR, POA&M lifecycle). · Proven track record of logical and critical thinking, sophisticated writing skills, superior organizational skills, and excellent planning and time management skills. · Strong attention to detail · Must pass pre-employment qualifications of Cherokee Federal Company Information: Criterion is a part of Cherokee Federal – the division of tribally owned federal contracting companies owned by Cherokee Nation Businesses. As a trusted partner for more than 60 federal clients, Cherokee Federal LLCs are focused on building a brighter future, solving complex challenges, and serving the government’s mission with compassion and heart. To learn more about Criterion, visit cherokee-federal.com. #CherokeeFederal #LI-SM2 #AppC Cherokee Federal is a military friendly employer. Veterans and active military transitioning to civilian status are encouraged to apply. Similar searchable job titles: · Cybersecurity Compliance Analyst · Information Security Risk Analyst · Governance, Risk & Compliance (GRC) Analyst · Assessment & Authorization (A&A) Analyst · Cybersecurity RMF Analyst Keywords: · NIST RMF · ATO Documentation · FedRAMP · Risk Assessment · Continuous Monitoring Legal Disclaimer: All qualified applicants will receive consideration for employment without regard to protected veteran status, disability or any other status protected under applicable federal, state or local law. Many of our job openings require access to government buildings or military installations. Candidates must pass pre-employment qualifications of Cherokee Federal.