Sr. Security Risk Management SME/ Sr. Vulnerability Threat Assessment Analyst

Overview

On Site
USD 115,000.00 - 140,000.00 per year
Full Time

Skills

Decision-making
Issue Resolution
Vulnerability Scanning
Impact Analysis
Regulatory Compliance
Authorization
System Security
SSP
Workflow
Security Analysis
Continuous Monitoring
Reporting
Leadership
Mentorship
Security Clearance
Risk Management
Threat Analysis
Security Controls
Risk Analysis
Management
RMF
Risk Management Framework
NIST SP 800 Series
Risk Assessment
XACTA
EMC RSA Archer
Vulnerability Assessment
Nessus
Splunk
Communication
CISSP
ISACA
Information Systems
CISM
Information Security
DOS
Cloud Security
Amazon Web Services
Microsoft Azure
Cloud Computing
SAP BASIS
Law
FOCUS

Job Details

Job Description

ECS is seeking a Sr. Security Risk Management SME/ Sr. Vulnerability Threat Assessment Analyst to work in our Washington, DC office.

Overview

ECS is seeking a Security Risk Management Subject Matter Expert (SME) to provide strategic technical advisory services for the Department of State (DOS) Bureau of Diplomatic Technology (DT). This senior role supports the Independent Security Control Assessment (ISCA) program and the Risk and Vulnerability Assessment (RVA) portfolio.

The ideal candidate will serve as a senior analyst responsible for Ongoing Risk Determination, Threat Analysis, and the management of the Issue Resolution Process. You will act as a key advisor to Authorizing Officials (AOs), translating complex vulnerability data into actionable "Risk Acceptance Recommendation Reports" and driving risk-based decision-making for High Value Assets (HVAs).

Key Responsibilities
  • Strategic Risk Management & Issue Resolution:
    • Lead the Issue Resolution Process to communicate identified risks to key stakeholders and document risk-based decisions, including risk acceptance and remediation strategies.
    • Analyze the security status of information systems to determine if the risk to organizational operations and assets remains acceptable.
    • Develop and present Risk Acceptance Recommendation Reports and Residual Risk Statements to the Authorizing Official (AO) to facilitate informed authorization decisions.
  • Vulnerability & Threat Assessment:
    • Analyze security tool reports and vulnerability scan data to differentiate false positives from valid findings, ensuring accurate risk characterization before assigning vulnerabilities.
    • Conduct Security Impact Analyses of changes to the environment to ensure continued compliance and security stability.
    • Review and analyze Assessment & Authorization (A&A) packages, including System Security Plans (SSP) and Plans of Action and Milestones (POA&Ms), for completeness and effectiveness of controls.
  • RMF SME & Advisory:
    • Provide expert guidance on NIST SP 800-53 Rev. 5 control implementation and NIST SP 800-37 Rev. 2 workflows.
    • Oversee the development of Security Assessment Reports (SARs), ensuring findings are concise, system-specific, and mapped to the correct risk categorization.
    • Support Continuous Monitoring strategies by defining monitoring frequencies and assessing a subset of controls annually.
  • Reporting & Leadership:
    • Prepare and deliver Executive Summary Briefings for senior government leadership.
    • Mentor junior analysts and assessors on advanced assessment techniques and risk analysis methodologies.

Salary Range: $115,000 - $140,000


Required Skills

  • Clearance: Active Secret Security Clearance (Required).
  • Experience: 8+ years of progressive Information Security experience, with a specific focus on Risk Management, Threat Assessment, or Security Control Assessment (SME level).
  • Risk Analysis: Demonstrated expertise in calculating residual risk, developing risk acceptance justifications, and managing POA&Ms for complex federal systems.
  • Frameworks: Mastery of NIST SP 800-53 Rev. 5, NIST RMF (SP 800-37), and NIST SP 800-30 (Risk Assessment).
  • Tooling: Advanced proficiency with eGRC tools (e.g., CSAM, Xacta, Archer) and vulnerability and security analysis tools (e.g., Tenable Nessus for vulnerability scanning, Splunk for log and event analysis).
  • Communication: Elite written and verbal communication skills, with the ability to defend risk recommendations to Authorizing Officials and executive stakeholders.


Desired Skills

  • Certifications: Advanced certifications such as CISSP (Certified Information Systems Security Professional), CRISC (Certified in Risk and Information Systems Control), or CISM (Certified Information Security Manager).
  • Domain Expertise: Prior experience supporting Department of State (DOS) and High Value Asset (HVA) programs.
  • Cloud Security: Experience assessing and analyzing risks in AWS and Azure cloud environments.

ECS is an equal opportunity employer and does not discriminate or allow discrimination on the basis of any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran, or any other status protected by applicable federal, state, or local law.

ECS is a leading mid-sized provider of technology services to the United States Federal Government. We are focused on people, values and purpose. Every day, our 3300+ employees focus on providing their technical talent to support the Federal Agencies and Departments of the US Government to serve, protect and defend the American People.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.