Location: Baltimore, MD (5 days onsite, Bayview area)
Position Title: Security Assessment and Authorization Analyst, Associate
Clearance: Public Trust

Job Overview
The Security Assessment and Authorization Analyst, Associate will provide technical Security Assessment and Authorization (SA&A) support for biomedical research and enterprise IT systems supporting the NIH Client. This role blends policy-driven RMF compliance with hands-on technical security review, continuous monitoring, and system risk analysis. Working under the direction of the Federal Lead / Information System Security Officer (ISSO), the specialist will support system authorization activities, vulnerability management, configuration compliance, privacy assessments, and incident response coordination in accordance with FISMA, NIST, HHS, NIH, and FedRAMP requirements. The role requires close collaboration with system owners, infrastructure teams, application teams, and the Client SA&A team.

Key Responsibilities

Technical SA&A & RMF Implementation
- Execute Risk Management Framework (RMF) activities aligned with NIST SP 800-37, including system categorization, control selection, implementation review, assessment support, authorization, and continuous monitoring.
- Develop, update, and maintain System Security Plans (SSPs) aligned with NIST SP 800-18, documenting system architecture, data flows, boundary definitions, and control implementations.
- Support system ATO and re-authorization cycles, including package development and remediation tracking.
- Maintain and update SA&A artifacts within NIH Security Assessment Tool (NSAT).
- Review SA&A documentation with the goal of preparing for, and successfully resolving, any audits (e.g., IG and GAO).
- Maintain the GSS system inventory, Security Program documentation, and any additional artifacts.
- Conduct annual/periodic disaster recovery tabletop tests, application contingency tabletop tests, and critical process testing, and update the Client Disaster Recovery Plan as necessary.
Security Controls & Technical Documentation
- Provide technical guidance and validation for NIST SP 800-53 security and privacy controls, including management, operational, and technical controls.
- Support FIPS 199 / FIPS 200 security categorization and baseline selection for systems and applications.
- Review and validate Security Assessment Reports (SAR) and translate findings into actionable remediation steps.
- Develop and maintain Plans of Action and Milestones (POA&M), ensuring timely mitigation of high and medium risks in accordance with NIH timelines.
Vulnerability and Configuration Management
- Review and analyze vulnerability scan results from SCAP-compliant tools covering operating systems, databases, web applications, and network devices.
- Validate compliance with USGCB, DISA STIGs, CIS Benchmarks, and NIH configuration standards.
- Support Configuration Management Plans (CMP) and configuration baseline documentation.
- Work with system owners and infrastructure teams to assess configuration changes for security impact and approval.
Cloud & FedRAMP Support
- Support SA&A activities for cloud-based and hybrid systems, including systems operating under FedRAMP-authorized CSPs.
- Review FedRAMP security packages (SSP, SAR, POA&M) and map controls to NIH/HHS agency requirements.
- Assist in identifying gaps between FedRAMP baselines and agency-specific security requirements.
Privacy & Data Protection
- Conduct technical reviews for Privacy Threshold Analyses (PTA) and Privacy Impact Assessments (PIA).
- Evaluate system handling of PII, PHI, and sensitive research data, ensuring compliance with Privacy Act, OMB, and NIH privacy requirements.
- Support Interconnection Security Agreements (ISA) and Data Use Agreements (DUA).
Incident Response & Contingency Planning
- Support development and maintenance of Incident and Breach Response Plans (IRP) in alignment with HHS, NIH, and US-CERT requirements.
- Assist in incident response activities, including IOC analysis, coordination with CSIRC/IRT teams, and documentation.
- Develop, test, and update Contingency Plans (CP) and Disaster Recovery Plans (DRP) in accordance with NIST SP 800-34.
- Participate in and document annual tabletop exercises and contingency plan testing.
Qualifications

Education & Experience
- Bachelor's degree or equivalent experience
- Six (6) years of hands-on experience supporting federal IT security, SA&A, and RMF implementations
Core Security & Compliance Skills
- Strong experience with FISMA, NIST RMF, and FedRAMP
- In-depth knowledge of NIST SP 800-53, 800-37, 800-18, 800-34, 800-63
- Experience performing FIPS 199 categorizations and control baseline determinations
- Hands-on development and maintenance of SSPs, SARs, POA&Ms, CPs, CMPs
Technical & Infrastructure Knowledge
- Understanding of Windows, Linux, and UNIX operating systems security concepts
- Familiarity with network security architecture, including firewalls, IDS/IPS, routers, and switches
- Experience assessing web applications, databases, and enterprise platforms
- Knowledge of authentication, access control, encryption, and key management
Security Tools & Platforms
- Experience with SCAP-compliant vulnerability scanning tools
- Familiarity with NIH Security Assessment Tool (NSAT) or similar GRC platforms
- Experience reviewing security artifacts from cloud service providers (AWS, Azure, GCP) in a FedRAMP context
- Proficiency with Microsoft Office, SharePoint, and documentation collaboration tools
Preferred Qualifications
- Prior experience supporting NIH, HHS, or other federal health or research organizations
- Experience supporting high- or moderate-impact (FIPS 199) systems
- Familiarity with biomedical research environments and data protection requirements
- Security certifications such as CISSP, CISM, CAP, or Security+
Compensation and Benefits
The projected compensation range for this position is $70,000 to $130,000 per year, benchmarked in the Washington, D.C. metropolitan area. The salary range provided is a good faith estimate representative of all experience levels. Salary at LCG is determined by various factors, including but not limited to role, location, the combination of education/training, knowledge, skills, competencies, certifications, and work experience.

LCG offers a competitive, comprehensive benefits package which includes health insurance options (medical, dental, vision), life and disability insurance, retirement plan contributions, as well as paid leave, federal holidays, professional development, and lifestyle benefits.

Devoted to Fair and Inclusive Practices
All qualified applicants will receive consideration for employment without regard to sex, race, ethnicity, age, national origin, citizenship, religion, physical or mental disability, medical condition, genetic information, pregnancy, family structure, marital status, ancestry, domestic partner status, sexual orientation, gender identity or expression, veteran or military status, or any other basis prohibited by law. If you are interested in applying for employment with LCG and need special assistance or an accommodation to apply for a posted position, contact our Human Resources department by email at hr@lcginc.com.

Securing Your Data
Beware of fraudulent job offers using LCG's name. LCG will never request payment-related details or advancement of money during the application process. Legitimate communication will only come from lcginc.com or system@hirebridgemail.com emails, not free commercial services like Gmail or WhatsApp. If you receive suspicious emails asking for payment or personal information, contact us immediately at hr@lcginc.com. If you believe you are the victim of a scam, contact your local law enforcement and report the incident to the U.S. Federal Trade Commission.