What are the responsibilities and job description for the HHS - Security Control Assessor position at cFocus Software Incorporated?
cFocus Software seeks a Security Control Assessor to join our program supporting the Department of Health and Human Services (HHS) This position is remote. This position requires the ability a Public Trust clearance.
Qualifications:
Qualifications:
- Bachelor’s degree in Cybersecurity, Information Technology, or related field.
- Minimum 7–10 years of experience performing federal RMF and Security Control Assessments.
- Expert knowledge of NIST SP 800-37, NIST SP 800-53, and NIST SP 800-53A.
- Demonstrated experience leading SCAs and producing SARs for FISMA systems.
- Experience with FedRAMP assessments and cloud security evaluations.
- Hands-on experience with eGRC platforms such as RSA Archer.
- Strong written and verbal communication skills.
- CISSP, CISA, GSNA, CRISC, or equivalent cybersecurity certification preferred.
- Certified Authorization Professional (CAP) preferred.
- Lead and manage Security Control Assessments (SCAs) for HRSA systems, programs, and components in accordance with the RMF lifecycle.
- Develop, review, and approve Security Control Assessment Plans (SCAPs), defining assessment scope, methodology, sampling strategies, schedules, and resource needs.
- Coordinate and conduct assessment kickoff meetings, interviews, and out-briefs with System Owners, ISSOs, administrators, and stakeholders.
- Develop and tailor Assessment Test Plans (ATPs) and test procedures aligned to NIST SP 800-53A assessment methods.
- Assess management, operational, technical, and privacy controls to determine whether controls are implemented correctly, operating as intended, and producing the desired outcomes.
- Validate control inheritance from FedRAMP-authorized systems, common control providers, and shared services, including review of CRMs and SSP documentation.
- Perform risk analysis using qualitative and quantitative methods, including CVSS scoring, likelihood and impact analysis, and alignment with organizational risk tolerance.
- Produce comprehensive Security Assessment Reports (SARs) documenting testing results, findings, risk ratings, and remediation recommendations.
- Ensure findings are accurately entered into the HRSA eGRC tool and properly mapped to POA&Ms with supporting evidence.
- Verify remediation actions and validate closure evidence for resolved findings.
- Maintain assessment cadence in accordance with the HRSA SCA Process SOP and defined timelines.
- Utilize automation technologies including OSCAL, AI-assisted assessment tools, automated evidence collection, and continuous control monitoring solutions.
- Conduct cloud and FedRAMP-specific assessments, including shared responsibility model validation and CSP security posture review.
- Assess systems against Zero Trust Architecture maturity models and emerging technology risks including AI, IoT, and cloud-native services.