Electrosoft

Cybersecurity Assessment & Authorization SME

Salary: Not listed
Work type: remote
Job type: full-time
Industry: general

About the role

Serves as a cybersecurity Subject Matter Expert (SME) with regard to Assessment and Authorization (A&A) of information systems and all associated cybersecurity policies and procedures. Performs a DoD cybersecurity process while either authorizing an information system or serving as an SME for an information system undergoing authorization. Possesses an understanding of how the security controls identified in NIST 800-53 apply to the process of assessing and authorizing a large organization’s IT infrastructure, such as DLA’s, in which there is a compilation of large and small enclaves, AIS applications and outsourced IT processes. Determines the applicable severity value for an identified vulnerability (e.g., a non-compliant security control) and determines the possible ramifications for the system’s current or future authorization. Briefs senior management on the progress or results of an information system undergoing the Risk Management Framework (RMF) process.

Key Responsibilities

  • Assessment & Authorization (A&A): Perform or advise on the RMF process for authorizing DoD information systems, including preparing and reviewing authorization packages
  • Security Control Evaluation: Apply NIST 800-53 controls to assess compliance in large-scale IT infrastructures with multiple enclaves, AIS applications, and outsourced IT
  • Vulnerability Analysis: Identify, assess, and determine the severity of vulnerabilities (e.g., non-compliant controls) and their impact on system authorization status
  • POA&M Management: Develop, track, and update Plans of Action and Milestones (POA&Ms) for remediation of control deficiencies
  • Stakeholder Briefings: Present RMF progress, risk posture, and authorization status to senior management and technical teams
  • Policy & Process Support: Ensure cybersecurity documentation, procedures, and processes align with DoD policies and enterprise standards
  • Collaboration: Work with system owners, cybersecurity teams, and government representatives to resolve security findings and apply STIGs
  • Emerging Tech Expertise: Support cybersecurity for cloud environments, Industrial Control Systems (ICS), Warehouse Execution Systems (WES), and Operational Technology (OT)

Typical Daily Tasks

  • Run and analyze system/software scans for vulnerabilities.
  • Coordinate with Information System Security Managers (ISSMs) on vulnerability management.
  • Support Agile release processes with embedded testers.
  • Review and move issues through the authorization process.
  • Generate audit-ready reports on compliance, risk, and remediation status.