Cyber Risk Analyst

DivIHN (pronounced divine ) is a CMMI ML3-certified Technology and Talent solutions firm. Driven by a unique Purpose, Culture, and Value Delivery Model, we enable meaningful connections between talented professionals and forward-thinking organizations. Since our formation in 2002, organizations across commercial and public sectors have been trusting us to help build their teams with exceptional temporary and permanent talent.

Visit us at to learn more and view our open positions.

• Cyber Security Program Office promotes the safe and secure use of information technology. There are a variety of risks and threats inside and outside of the Client.
• Cyber Security Program Office (CSPO) safeguards the Client by identifying, protecting against, detecting, responding to, and recovering from cybersecurity risks and incidents. Services include consultation and guidance; detection and protection technologies; education and awareness; incident management; vulnerability management; and risk assessment and compliance.
• For this SOW, the CSPO seeks a full-time Cyber Risk Analyst.

• This Client opportunity is for a Cyber Risk Analyst within the Cyber Security Program Office (CSPO). This role requires a full-time (40 HRS/week) contractor for a 1-year duration who will identify risks, by conducting reviews and evaluations to determine compliance with defined standards.
• The Cyber Risk Analyst will play an important role in identifying and communicating areas of concern and risks to the business. This engagement will free up other cybersecurity resources to work in other critical Client areas.
• The ideal candidate will need to:
  • Possess a working level expertise with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and the NIST 800-53 series of control families and approaches.
  • Perform detailed analysis and a cyber risk assessment of Cloud Service Providers (CSPs).
  • Engage with vendors to review controls, certifications, and risks in support of the associated business need and the Client's risk tolerance.
  • Partner with the CSPO in the development of risk assessment and reporting processes within the Client's Governance, Risk and Compliance (GRC) tool, Talatek TiGRIS.
  • Partner with others from within the CSPO team and Client IT environment to perform risk-based assessments of NIST 800-53 control validation and gap analysis.
  • Collaborate with the CSPO to present outcomes of risk analysis work using presentation methods to CSPO and other lab audiences (IT admins, Deputy CIO, CISO)
  • Maintain assessment and assessment results in identified repositories, e.g., the Lab's GRC tool, Talatek TiGRIS, MS Excel, Box or Box+
  • Assist in the performance of the Client's Divisional Site Assist Visit (DSAV) self-assessment and continuous monitoring strategy, assessing the cyber security controls and their implementation in various programmatic spaces.

• A fundamental understanding of IT Risk management and the NIST 800 series framework.
• Experience with government environments.
• Experience working closely with cyber security leadership and peers along with IT system/process owners to capture artifacts for control testing.
• Technical understanding of systems and technologies to inform audits and assessments.
• Ability to translate results into business-oriented, task-focused presentations.
• The ideal candidate will support the projects and tasks associated with Cybersecurity Risk Assessment and Compliance.
• Ability to support urgency and timeliness expectations, assuring risk assessments are completed to support DOE Authority to Operate and Authority to Use deadlines.
  • Typically, the assessment presentation cadence is weekly for the DOE's Client Site Office, and monthly for the DOE Authorizing Official.

• Considerable knowledge of Risk Management and Risk Management Framework (RMF) requirements
• Working level knowledge of the NIST 800 Rev 5 series framework
• Considerable knowledge/experience of assessing controls.
• Knowledge of industry-standard and organizationally accepted analysis principles and methods.
• Experience in working with Governance Risk Compliance systems.
• Experience presenting reports and outcomes to leadership, tracking to closure, and creating buy-in to risk management.
• Experience and skill in conducting audits or reviews of technical systems.
• Experience assessing vendor risk.
• Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
• Ability to skillfully communicate through various methods. This includes written documentation. The audience will be leaders and executives. Finalists may be asked to complete a brief, job-relevant writing exercise.
• Ability to work autonomously as a contributing member of a small technical team
• Experience working in a government environment.
• Experience working in a distributed IT environment.
• Basic knowledge of cyber security concepts.
• Working knowledge of networking administration.
• Working knowledge of system administration.
• Ability to qualify for HSPD-12 card for use in two-factor authentication.
• Able to effectively interact with user organizations to validate controls.
• Able to effectively disseminate knowledge to current staff.

• Report to a senior staff Cyber Risk Analyst within Business & Information Services; including daily guidance and collaboration with others in the Cyber Security Program Office (CSPO).

• The project managers measure work performed by the contractor on a task basis. The tasks typically represent 8 to 80 hours of effort with performance being measured at the completion of each of the assigned tasks. Hours will be recorded on a weekly time sheet; progress against planned tasks will be reported weekly.
• Typically, the work is performed remotely. For the candidate within driving distance of the Lab, there may be rare times to be onsite for in-person meetings, assessments, or presentations. Most of the Business Information Services (BIS) Division works remotely and are rarely onsite. If the candidate is out of state, too far away from the Lab, onsite meetings are not feasible to attend and not required.
• The following expectations are part of working remote:

• Assist in the management of Lab-Vendor risk assessments throughout the engagement.
  • Includes analysis and a cyber risk assessment of Cloud Service Providers (CSPs) (Vendors).
• Regularly, engage with vendors to review controls, certifications, and risks.
• Regularly, engage with Client System Business Owners to review controls, convey/educate regarding identified risks, and coordinate various control implementation with BIS technicians when necessary.
• As necessary, work various Governance, Risk and Compliance (GRC) projects using GRC tool, Talatek TiGRIS.
  • Includes various risk-based assessments of NIST 800-53 Rev 5 control validation and gap analysis.
• Present outcomes of risk analysis work to CSPO and other lab audiences, as needed.
• Perform assessment and assessment result maintenance in the GRC tool, /Talatek TiGRIS, as necessary.
• Deliverables include assessment process documents and assessment report management, updates in Talatek TiGRIS, and communicating via E-Mail, TEAMS, etc.

• Contractors shall comply with Client's Computer Protection Program and Cyber Security Program requirements by:
  • Completing required training and understanding the protection requirements for any systems, applications, or sensitive data they access.
  • Adhering to all applicable policies and procedures and not bypassing any controls protecting data, applications, hardware, or communications.
  • Maintaining a work environment that meets audit, privacy, and security standards.
  • Immediately reporting any suspected or actual deficiencies in protection procedures to their technical contact, the BIS Computer Protection Program Representative, and the CSPO.

• Client will supply a government-furnished laptop, PIV Card, and PIV Card reader.

• The Cyber Security Program Office follows the National Institute of Standards and Technology (NIST) Cyber Security Framework. All subcontracts, where applicable, will work within the same requirements as though the subcontractor was part of the Client's cyber program.
• In cases where staffing is required, vetting of identity (NIST 800-63 Identity Assurance Level 3) and strong authentication (NIST 800-63 Authentication Assurance Level 3) will be required. Client uses the HSPD-12 smart card for staff relationships that last longer than 6 months.
• Client may provide relevant information requested from the vendor or remote access as required to gather information. U.S. citizenship will be required for any access to systems or data.
• The manager of the contract and the Cyber Security Program Office must approve authorization for remote work.

• Work will be performed remotely, using communication through Microsoft tools such as Microsoft Teams and Microsoft Outlook

DivIHN is an equal opportunity employer. DivIHN does not and shall not discriminate against any employee or qualified applicant on the basis of race, color, religion (creed), gender, gender expression, age, national origin (ancestry), disability, marital status, sexual orientation, or military status.