Security Analyst II
Position: Full-Time
Location: Remote / Baltimore, MD Metro Area
Clearance: Public Trust required
Position Overview
The Security Analyst II supports the Security Compliance Team with FISMA compliance activities, CFACTS documentation, vulnerability tracking, and ATO sustainment across assigned CMS CCSQ FISMA systems. This role works closely with ISSOs, ADOs, and senior analysts to support continuous compliance monitoring, evidence collection, and security posture reporting. The Security Analyst II participates in Security ART PI planning and sprint activities as an integral team member.
Key Responsibilities
• Manage and maintain CFACTS artifacts for assigned CCSQ FISMA systems, ensuring documentation is current and audit-ready
• Support ISSOs and ADOs with control evidence collection, POA&M tracking, and CSRAP/CIO review readiness
• Assist with ATO maintenance activities including artifact preparation, evidence validation, and compliance tracking
• Monitor vulnerability scan findings, ensuring updates are recorded at least every 72 hours across 100% of in-scope IT assets
• Support ADO vulnerability remediation through analysis, escalation tracking, and SLA compliance reporting
• Assist in validating security configuration baselines against CMS policy, NIST guidance, and CIS benchmarks
• Support continuous authorization activities: administrative account audits, TTT participation, and detection coverage validation
• Prepare and contribute to the Weekly Vulnerability & Compliance Briefing and Monthly Executive Summary
• Attend PI Planning events; contribute security user stories, acceptance criteria, and security dependency input
• Coordinate with ISSOs and ADOs on Security Impact Analyses (SIAs) and maintain documentation in CFACTS
• Support cloud migration security activities including documentation of control mappings and post-migration verification
• Track CFACTS milestones, PIAs, and POA&M progression
Required Qualifications
• Bachelor's degree in Cybersecurity, Information Systems, Computer Science, or related field
• 5+ years of information security experience with a focus on FISMA compliance or federal IT security
• Working knowledge of NIST RMF (SP 800-37), NIST 800-53 control families, and CMS ARS
• Experience supporting ATOs, POA&M management, and CFACTS documentation in a federal environment
• Familiarity with vulnerability scanning tools (Tenable, Nessus, or AWS Inspector) and SLA-based remediation tracking
• Ability to produce clear and accurate compliance documentation, reports, and evidence packages
• Experience in SAFe or Agile environments; comfort participating in PI Planning and sprint activities
• Strong organizational skills and attention to detail for tracking compliance milestones and deadlines
• Security+ and CySA+ required
Preferred Qualifications
• CAP (CGRC) or equivalent certification
• Prior CMS, HHS, or CCSQ/ISG experience is a strong advantage
• Familiarity with CFACTS, CSAM, and QualityNet security environments
• Experience with Splunk or other SIEM platforms
• Basic understanding of AWS security services (Security Hub, GuardDuty, CloudTrail)
• Familiarity with ISCM and continuous monitoring strategies