Information Systems Security Analyst

Job TitleInformation Systems Security Analyst# of Hires Needed1Date Needed By1/30/2026CategoryInformation TechnologyEducationBachelor's DegreeCareer LevelExperienced (Non-Manager)Job TypeFull-timeLocationCTAC HQ - Falls Church, VA 22042 US (Primary)Travel0 - 10%Job DescriptionCTAC is seeking an experienced Information Systems Security Analyst to support a federal program focused on achieving and sustaining an Authority to Operate (ATO) for a complex, multi-tenant AWS cloud environment. This role is a key member of CTAC's federal delivery team and is responsible for executing Risk Management Framework (RMF) activities across the full NIST lifecycle, with a strong emphasis on control validation, documentation, evidence development, and assessor engagement.The ideal candidate will bring deep hands-on experience supporting federal ATOs, implementing NIST SP 800-53 controls, managing POA&Ms, and working directly with cloud engineers, architects, and Authorizing Officials to remediate security gaps and maintain continuous authorization readiness. This position requires a balance of technical security expertise, disciplined documentation, and the ability to operate effectively in a fast-paced, sprint-based delivery model.Key ResponsibilitiesExecute and support the full NIST Risk Management Framework (RMF) lifecycle (Categorize, Select, Implement, Assess, Authorize, Monitor) for ORNL's AWS multi-tenant platform.Perform control-by-control gap analysis against NIST SP 800-53, identifying incomplete, partially implemented, or undocumented controls.Develop, update, and maintain RMF artifacts, including:System Security Plan (SSP)Control implementation narrativesPOA&MContinuous Monitoring documentationObjective evidence mappingsPartner closely with cloud architects and engineers to validate technical control implementations and support remediation activities within AWS.Support assessment and authorization activities, including direct engagement with assessors, auditors, and ORNL security stakeholders.Track, document, and manage risks, findings, and remediation activities in accordance with federal RMF expectations.Ensure security documentation accurately reflects the operational state of the environment and remains audit-ready throughout the engagement.Support the use of governance, risk, and compliance (GRC) tools (e.g., eMASS, Kion, or equivalent) to manage controls, evidence, and reporting.Contribute to sprint planning and execution by aligning RMF activities with engineering and documentation deliverables.Assist in the development or refinement of security policies, procedures, and standards where gaps exist.Provide subject matter expertise on federal security requirements, best practices, and emerging guidance relevant to cloud-hosted systemsJob RequirementsBachelor's degree in Information Security, Cybersecurity, Information Technology, or a related discipline (or equivalent experience).10+ years of progressive experience in cybersecurity, information assurance, or RMF-focused security roles supporting federal systems.Demonstrated hands-on experience supporting ATO packages for federal cloud or hybrid environments.Deep working knowledge of:NIST SP 800-53NIST SP 800-37FISMA requirementsFederal A&A processesStrong experience developing and maintaining SSPs, POA&Ms, and RMF evidence.Experience working with cloud (Amazon Web Services) security environments, including validation of technical control implementations.Ability to clearly document complex technical and compliance concepts for both technical and non-technical audiences.Proven ability to collaborate across engineering, security, and program management teams.Strong analytical, organizational, and communication skills.Ability to obtain and maintain a Public Trust (or higher) clearance.Preferred QualificationsMaster's degree in Cybersecurity, Information Systems, or a related field.Active CISSP and/or CISM certification.Experience supporting multi-tenant cloud platforms and control inheritance models.Familiarity with Infrastructure as Code (IaC) concepts and how automation supports compliance.Experience supporting federal research, scientific, or mission-driven environments.Prior experience working in agile or sprint-based delivery models for RMF execution. CTAC is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, age, sexual orientation, gender identity, national origin, disability, or protected veteran status. VEVRAA Federal Contractor