Ampcus Inc. is a certified global provider of a broad range of Technology and Business consulting services. We are in search of a highly motivated candidate to join our talented Team.
Job Title: Senior Control Assessment Analyst
Location: Washington DC
Responsibilities:
- The Board's Assessment and Authorization (A&A) program operates in alignment with the NIST Risk Management Framework (RMF) as outlined in the current release of NIST SP 800-37.
- The objective of the Control Assessment task is to provide security subject matter expertise to develop A&A methodologies, maintain accurate assessment schedules, and conduct control assessment activities for newly developed or acquired information systems, as well as for systems and common controls in ongoing authorization.
Assessment Methodology:
- Develop a methodology for conducting control assessments for software-as-a-service (SaaS) solutions operated by a vendor on behalf of the Board that have not received FedRAMP authorization, and for assessing external organizations and systems that process, store, or transmit Board information.
- Align these assessment methodologies with principles set forth in FISMA, OMB, and NIST standards and publications, and consider efficient and cost-effective means of assessment to allow Board senior leaders and stakeholders to make risk-based authorization decisions.
Planning and Scheduling:
- Develop and maintain a Master Assessment Schedule that tracks new information systems requiring full control assessments and existing information systems and common controls under ongoing authorization in the continuous monitoring phase of the RMF.
- Ensure the Master Assessment Schedule adjusts estimated completion dates in real-time to account for unplanned assessments, changes in prioritization, delays, or changes in resource availability, enabling Board security staff to provide stakeholders with estimated completion dates for all scheduled A&As at any given time.
Control Tailoring and Overlays:
- Review and update Control Overlays that define and justify the applicable security and privacy controls for information systems with common characteristics, such as internally developed web applications, FedRAMP-authorized SaaS solutions, etc.
Control Assessment Plans:
- Based on the receipt and review of artifacts provided by system owners or support staff, which may include, but are not limited to, FIPS-199 Categorization Memos, System Security and Privacy Plans (SSPP), Contingency Plans, etc., develop Control Assessment Plans (CAPs) for each system, service, or common control provider to be assessed. Each CAP shall include, at minimum: The assessment methodology to be followed.
Education:
- At least five years of experience performing the functions associated with this labor category.
Experience:
- Experience performing control assessments as part of a team in accordance with applicable NIST standards (NIST 800-53, Rev 5, or newer version, as applicable).
- Experience preparing control assessment plans, executing technical and non-technical assessment actions, evaluating the risk associated with areas of deficiency, and documenting detailed findings and executive-level summaries of assessment results.
- Experience briefing stakeholders on key findings, recommendations, risks, and impacts.
- Experience providing direct support of information security compliance activities, including managing plans of actions and milestones (POA&Ms) and inventories of information systems.
Ampcus is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran status, or disability.