HHS - Security Control Assessor

Job in Rockville, Montgomery County, Maryland, 20849, USA
Listing for: cFocus Software Incorporated
Full Time position
Listed on 2026-01-30
Job specializations:
  • IT/Tech
    Cybersecurity

Overview

cFocus Software seeks a Security Control Assessor to join our program supporting the Department of Health and Human Services (HHS). This position is remote. This position requires the ability to obtain a Public Trust clearance.

Qualifications
  • Bachelor’s degree in Cybersecurity, Information Technology, or related field.
  • 7–10 years of experience performing federal Risk Management Framework (RMF) work and Security Control Assessments (SCAs).
  • Expert knowledge of NIST SP 800-37, NIST SP 800-53, and NIST SP 800-53A.
  • Demonstrated experience leading SCAs and producing SARs for FISMA systems.
  • Experience with FedRAMP assessments and cloud security evaluations.
  • Hands-on experience with eGRC platforms such as RSA Archer.
  • Strong written and verbal communication skills.
  • CISSP, CISA, GSNA, CRISC, or equivalent cybersecurity certification preferred.
  • Certified Authorization Professional (CAP) preferred.
Duties
  • Lead and manage Security Control Assessments (SCAs) for HRSA systems, programs, and components in accordance with the RMF lifecycle.
  • Develop, review, and approve Security Control Assessment Plans (SCAPs), defining assessment scope, methodology, sampling strategies, schedules, and resource needs.
  • Coordinate and conduct assessment kickoff meetings, interviews, and out-briefs with System Owners, ISSOs, administrators, and stakeholders.
  • Develop and tailor Assessment Test Plans (ATPs) and test procedures aligned to NIST SP 800-53A assessment methods.
  • Assess management, operational, technical, and privacy controls to determine whether controls are implemented correctly, operating as intended, and producing the desired outcomes.
  • Validate control inheritance from FedRAMP-authorized systems, common control providers, and shared services, including review of CRMs and SSP documentation.
  • Perform risk analysis using qualitative and quantitative methods, including CVSS scoring, likelihood and impact analysis, and alignment with organizational risk tolerance.
  • Produce comprehensive Security Assessment Reports (SARs) documenting testing results, findings, risk ratings, and remediation recommendations.
  • Ensure findings are accurately entered into the HRSA eGRC tool and properly mapped to POA&Ms with supporting evidence.
  • Verify remediation actions and validate closure evidence for resolved findings.
  • Maintain assessment cadence in accordance with the HRSA SCA Process SOP and defined timelines.
  • Utilize automation technologies including OSCAL, AI-assisted assessment tools, automated evidence collection, and continuous control monitoring solutions.
  • Conduct cloud and FedRAMP-specific assessments, including shared responsibility model validation and CSP security posture review.
  • Assess systems against Zero Trust Architecture maturity models and emerging technology risks including AI, IoT, and cloud-native services.