Risk Management Framework; RMF Analyst

Risk Management Framework (RMF) Analyst – Join to apply for this role  RMF Analyst supports OPTEVFOR Cyber Operational Test & Evaluation (OT&E) missions by applying enterprise‑ and system‑level security architecture expertise across the system development lifecycle. The role ensures alignment with evolving laws, regulations, and DoD and Department of the Navy (DoN) cybersecurity policies, and contributes to RMF activities across all lifecycle phases.

Eligibility for Top Secret / Sensitive Compartmented Information (TS/SCI).

• Minimum of five (5) years of experience designing and integrating enterprise and system security architectures across the development lifecycle.
• Minimum of three (3) years of experience conducting RMF‑related assessments of management, operational, and technical security controls within DoD IT systems.
• Minimum of three (3) years of experience providing project management, subject matter expertise, and hands‑on support for system certification and accreditation efforts in accordance with DoD/DoN cybersecurity policies and RMF guidance.

• Apply enterprise and system‑level security architecture principles to support OPTEVFOR Cyber OT&E missions.
• Support RMF activities across all steps, including system categorization, control selection, control implementation, assessment, authorization, and continuous monitoring.
• Provide RMF support consistent with the RMF Process Guide (RPG) for the Information Systems Security Engineer (ISSE) role.
• Evaluate security architectures and designs to determine adequacy and alignment with mission and enterprise objectives.
• Define and document the impact of new systems, interfaces, or changes on overall security posture.

• Create, review, update, and validate cybersecurity Standard Operating Procedures (SOPs).
• Maintain inventories of authorized software, Government Furnished Equipment (GFE), and removable media.
• Maintain and update all RMF and A&A documentation to ensure accuracy, relevance, and alignment with OPTEVFOR Cyber OT&E assets, including required updates in eMASS.
• Ensure traceability across all RMF artifacts, including:
• A&A Plans
• Plans of Action and Milestones (POA&Ms)
• Security Assessment Reports (SARs)
• Network topologies
• Software inventories
• Ports, protocols, and services
• Test plans
• Maintain system and network documentation in DoD IT Portfolio Repository–DoN (DITPR‑DON) / DADMS.
• Maintain documentation and registration of network ports, protocols, services, and circuits, including GIAP and SNAP.
• Track and report weekly status of all outstanding A&A actions and supporting documentation.
• As a member of the Configuration Control Board (CCB), ensure approved changes are accurately and timely reflected in A&A documentation.

• Conduct comprehensive annual RMF package reviews to ensure continued compliance of Cyber OT&E toolsets, networks, and systems.
• Execute DISA STIG validations in conjunction with RMF/A&A reviews in accordance with DoDI 8510 series.
• Audit and validate system and network configurations against STIGs; define and implement compensating controls when required to support mission execution.
• Support compliance validation for current and emerging directives (e.g., IAVs, STIGs, TASKORDs, CTOs).
• Provide recommendations for corrective actions to remediate non‑compliant security controls.
• Prepare and maintain vulnerability scan results, system security assessments, and configuration management findings to inform authorization decisions.
• Document assessment activities and results in sufficient detail to support independent external review.

• Develop or contribute to security test plans and supporting documentation to verify security control implementation and inform ongoing risk determinations.
• Conduct and document semi‑annual tabletop exercises (twice per calendar year).
• Review and analyze IT contingency and disaster recovery plans for compliance with NIST and DoN requirements.
• Develop system‑specific contingency planning checklists and support contingency…