Security Control Assessments Analyst - Mid

Job Description

ECS is seeking a Security Control Assessments Analyst - Mid to work in our Suitland, MD office. The role is full‑time/permanent and supports a U.S. Government civilian agency. The position is available immediately for a qualified candidate with the appropriate background clearance.

• Strong written and verbal communication skills.
• Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
• Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
• Knowledge of cyber threats and vulnerabilities.
• Knowledge of specific operational impacts of cybersecurity lapses.
• Knowledge of authentication, authorization, and access control methods.
• Knowledge of application vulnerabilities.
• Knowledge of communication methods, principles, and concepts that support the network infrastructure.
• Knowledge of capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware.
• Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
• Knowledge of Risk Management Framework (RMF) requirements.
• Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
• Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
• Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).
• Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross‑site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return‑oriented attacks, malicious code).

• Manage and create authorization packages (e.g., ISO/IEC 15026-2).
• Plan and conduct security authorization assessments for initial authorization of systems and networks as well as systems in continuous monitoring.
• Review authorization and assessment documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
• Perform security assessments and identify security gaps in security architecture, providing recommendations for inclusion in the risk mitigation strategy.
• Provide input to the Risk Management Framework process activities and related documentation (e.g., system life‑cycle support plans, concept of operations, operational procedures, and maintenance training materials).
• Ensure that plans of action and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
• Assure successful implementation and functionality of security requirements and appropriate IT policies and procedures that are consistent with the organization’s mission and goals.
• Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
• Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.

Salary Range: $70,000 - $90,000

• 4-year bachelor's degree or equivalent experience.
• 4+ years’ experience developing information security and privacy policy.
• Certifications that address security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, incident management, integration of computing/communications/business disciplines and enterprise components.
• Active Public Trust clearance or eligible to obtain a Public Trust clearance.

• Experience reviewing and drafting Privacy Impact Assessments (PIAs).
• Experience in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework,…