Security Control Assessor

Overview

On Site
USD 90,000.00 - 120,000.00 per year
Full Time

Skills

Cyber Security
SAP
Collaboration
Testing
Security Controls
Reporting
Risk Analysis
SAR
Continuous Monitoring
Regulatory Compliance
Security Clearance
Information Security
Security Analysis
SCA
Privacy
NIST SP 800 Series
Technical Writing
Risk Management Framework
RMF
XACTA
EMC RSA Archer
Vulnerability Scanning
Communication
CISSP
CISA
Certified Ethical Hacker
ISACA
DOS
Cloud Security
Amazon Web Services
Microsoft Azure
Cloud Computing
SAP BASIS
Law
FOCUS

Job Details

Job Description

ECS is seeking a Security Control Assessor to work in our Washington, DC office.

Overview

ECS is seeking a Security Control Assessor to support the Department of State (DOS), Bureau of Diplomatic Technology (DT). This role is part of the Independent Security Control Assessment (ISCA) team, responsible for ensuring high-value and mission-critical systems comply with federal cybersecurity policies.

The ideal candidate will serve as a Security Control Assessor, executing the full RMF Step 4 (Assess) lifecycle. This includes developing Security Assessment Plans (SAPs), conducting detailed control testing under NIST SP 800-53A Rev. 5, and producing Security Assessment Reports (SARs) that enable Authorizing Officials to make informed, risk-based decisions.

Key Responsibilities
  • Assessment Planning (RMF Step 4):
    • Develop and finalize Security Assessment Plans (SAPs) that identify the controls to be tested, the assessment methods (examine, interview, test) to be applied to each, and the tools required.
    • Collaborate with system stakeholders to understand system boundaries and identify control testing strategies aligned with NIST SP 800-53A and SP 800-115.
  • Security Control Assessment:
    • Perform independent and comprehensive assessments of security controls using manual and automated techniques to verify they are implemented correctly and operating as intended.
    • Document objective evidence of control implementation and effectiveness, including screenshots, logs, and interview notes.
    • Assess control inheritance from common control providers and external service providers.
  • Reporting & Risk Analysis:
    • Develop Security Assessment Reports (SAR) detailing all findings, vulnerabilities, and residual risks.
    • Prepare Risk Acceptance Recommendation Reports and Executive Summary Briefings for the Authorizing Official (AO).
    • Analyze security tool reports to determine residual risk and differentiate between false positives and valid findings before assigning vulnerabilities.
  • Remediation & Continuous Monitoring:
    • Coordinate with ISSOs and system owners to validate mitigation strategies and update Plans of Action and Milestones (POA&Ms).
    • Conduct retesting of remediated vulnerabilities and update the SAR and Closure Verification Reports accordingly.
    • Support ongoing continuous monitoring by assessing a subset of controls annually to confirm continued compliance.
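
Added example (not from the posting, ECS or the Department of State): a small Python triage script that illustrates the reporting and remediation steps above. It takes a constructed scanner export, drops only those false positives that carry both a justification and objective evidence, collapses duplicate hits across hosts into one finding, maps each finding to the SP 800-53 Rev. 5 control it tests, rates residual risk by exposure, and emits POA&M lines with milestone dates. The plugin IDs, hosts, false-positive register format, severity bands and remediation deadlines are all assumptions invented for the example; only the control identifiers (SI-2, SC-8, IA-5, CM-7) are real.

```python
"""Triage a constructed scan export into SAR findings and POA&M entries (illustrative only)."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed scan export; plugin_id values are invented, not any real scanner's IDs.
SCAN_CSV = """host,plugin_id,title,cvss,evidence
10.10.1.5,P-1001,Outdated web server version,7.5,banner string
10.10.1.6,P-1001,Outdated web server version,7.5,banner string
10.10.1.5,P-2002,TLS 1.0 enabled,5.3,handshake capture
10.10.1.9,P-3003,Default administrative credentials,9.8,login succeeded
10.10.1.7,P-4004,Unnecessary service listening (telnet),6.5,port 23 open
"""

# Hosts reachable from the internet, taken from the (constructed) system boundary.
INTERNET_FACING = {"10.10.1.5", "10.10.1.6"}

# Constructed plugin -> NIST SP 800-53 Rev. 5 control mapping as recorded in the SAP.
CONTROL_MAP = {
    "P-1001": "SI-2",  # Flaw Remediation
    "P-2002": "SC-8",  # Transmission Confidentiality and Integrity
    "P-3003": "IA-5",  # Authenticator Management
    "P-4004": "CM-7",  # Least Functionality
}

# False-positive register (hypothetical format). A claim is honoured only when it
# carries both a justification and objective evidence; otherwise the finding stands.
FP_REGISTER = [
    {"host": "10.10.1.6", "plugin_id": "P-1001",
     "justification": "Vendor backport; patched package version verified on host",
     "evidence": "package query output captured during assessment"},
    {"host": "10.10.1.7", "plugin_id": "P-4004",
     "justification": "", "evidence": ""},  # undocumented claim: not accepted
]

# Hypothetical remediation deadlines (days) per residual-risk level for POA&M milestones.
DEADLINES = {"Critical": 15, "High": 30, "Moderate": 90, "Low": 180}
LEVELS = ["Low", "Moderate", "High", "Critical"]


def severity_from_cvss(score: float) -> str:
    """Bucket a CVSS base score into the severity bands assumed by this example."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Moderate"
    return "Low"


def residual_risk(severity: str, internet_facing: bool) -> str:
    """Adjust raw severity by exposure: a host not reachable from the internet drops one level.
    A deliberately simple stand-in for an SP 800-30 style likelihood x impact determination;
    a real assessment would also weigh compensating controls and asset criticality."""
    idx = LEVELS.index(severity)
    if not internet_facing:
        idx = max(0, idx - 1)
    return LEVELS[idx]


def accepted_false_positives(register) -> set:
    """Return the (host, plugin_id) pairs whose false-positive claim is fully documented."""
    return {(e["host"], e["plugin_id"]) for e in register
            if e["justification"].strip() and e["evidence"].strip()}


def triage(scan_csv: str, register, control_map, internet_facing) -> list:
    """Collapse raw scanner rows into SAR findings, dropping documented false positives."""
    fps = accepted_false_positives(register)
    grouped = defaultdict(lambda: {"hosts": [], "cvss": 0.0, "title": ""})
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if (row["host"], row["plugin_id"]) in fps:
            continue  # documented false positive: excluded from the SAR
        g = grouped[row["plugin_id"]]
        g["hosts"].append(row["host"])
        g["cvss"] = max(g["cvss"], float(row["cvss"]))
        g["title"] = row["title"]
    findings = []
    for plugin_id, g in grouped.items():
        sev = severity_from_cvss(g["cvss"])
        exposed = any(h in internet_facing for h in g["hosts"])
        findings.append({"plugin_id": plugin_id, "title": g["title"],
                         "control": control_map.get(plugin_id, "UNMAPPED"),
                         "hosts": sorted(g["hosts"]), "severity": sev,
                         "residual_risk": residual_risk(sev, exposed)})
    # Highest residual risk first so the executive summary leads with it (stable sort).
    findings.sort(key=lambda f: -LEVELS.index(f["residual_risk"]))
    return findings


def build_poam(findings, opened_iso: str) -> list:
    """Create one POA&M line per finding with a scheduled completion date by residual risk."""
    opened = date.fromisoformat(opened_iso)
    return [{"weakness": f"{f['title']} ({f['control']})", "hosts": f["hosts"],
             "risk": f["residual_risk"],
             "scheduled_completion": (opened + timedelta(days=DEADLINES[f["residual_risk"]])).isoformat()}
            for f in findings]


if __name__ == "__main__":
    findings = triage(SCAN_CSV, FP_REGISTER, CONTROL_MAP, INTERNET_FACING)
    for entry in findings + build_poam(findings, "2024-06-01"):
        print(entry)
```

The point of the register check is the one the responsibilities list makes: a scanner hit is only retired as a false positive when the assessor holds the evidence to defend that call in front of the AO; an undocumented "that's a false positive" from the system owner keeps the finding in the SAR until it is either remediated or properly justified.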

Salary Range: $90,000 - $120,000

Required Skills

  • Clearance: Active Secret Security Clearance.
  • Experience: 5+ years of Information Security experience, with at least 3 years specifically supporting security assessment teams (SCA).
  • Framework Proficiency: Deep understanding of NIST SP 800-53 Rev. 5 (Security and Privacy Controls), NIST SP 800-53A (Assessment Procedures), and NIST SP 800-37 Rev. 2 (RMF).
  • Technical Writing: Proven experience developing RMF artifacts including SAPs, SARs, and POA&Ms.
  • Assessment Tools: Experience using eGRC tools (e.g., ArchAngel, CSAM, Xacta, Archer) and analyzing vulnerability scan reports.
  • Communication: Strong ability to present control deficiencies and risk implications to both technical and non-technical audiences.


Desired Skills

  • Certifications: One or more of the following is highly preferred: CISSP, CISA, CEH, or CRISC.
  • Agency Experience: Prior experience with Department of State (DOS) and High Value Asset (HVA) assessments.
  • Cloud Security: Experience assessing systems hosted in AWS or Azure cloud environments.


ECS is an equal opportunity employer and does not discriminate or allow discrimination on the basis of any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran, or any other status protected by applicable federal, state, or local law.

ECS is a leading mid-sized provider of technology services to the United States Federal Government. We are focused on people, values and purpose. Every day, our 3300+ employees focus on providing their technical talent to support the Federal Agencies and Departments of the US Government to serve, protect and defend the American People.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.