Posted: May 18, 2026
This role is contingent upon award
The IT CSSS program provides information security support to the Federal Bureau of Prisons Information Technology & Data Division and other DOJ components as required. The program supports BOP obligations to protect federal information systems under FISMA, OMB Circular A-130, the Privacy Act, NIST RMF guidance, DOJ policy, and related cybersecurity requirements.
The program covers ATO maintenance and rapid ATO activities, RMF lifecycle support, JCAM-based authorization management, FISMA/FISCAM audit support, security architecture and engineering support, vulnerability and risk management, privacy documentation, FedRAMP assessment support, continuous monitoring, and coordination with BOP system owners, CORs, AOs, and technical stakeholders.
The Security Control Assessor/Analyst supports BOP and DOJ cybersecurity authorization activities by assessing security controls, validating evidence, analyzing risk, and preparing assessment documentation for classified and unclassified systems, including National Security Systems. This role supports RMF, ATO maintenance, continuous monitoring, and security authorization activities by ensuring assessments are technically sound, properly documented, and aligned with NIST SP 800-53A, DOJ/BOP requirements, and program delivery expectations.
- Work Location: BOP Central Office, Washington, DC; in-office required, telework as approved
- Security Clearance: Public Trust / Suitability
- Assess security and privacy controls for classified and unclassified systems, including National Security Systems, in accordance with NIST SP 800-53A, DOJ/BOP requirements, and approved assessment plans.
- Validate implementation evidence, test results, artifacts, and technical documentation to determine whether each control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the applicable security and privacy requirements.
- Document assessment results, findings, deficiencies, recommendations, and risk implications in Security Assessment Reports and related authorization artifacts.
- Coordinate with ISSOs, system owners, engineers, and authorization stakeholders to resolve control assessment questions and evidence gaps.
- Support RMF lifecycle activities for ATO maintenance, rapid ATOs, reauthorization, ongoing authorization, and continuous monitoring.
- Review authorization package content, including SSPP/SSP, SAR, POA&M, residual risk reports, risk analysis reports, threat matrix reports, and executive briefings.
- Use JCAM or similar authorization management systems to review control implementation data, assessment records, evidence, and authorization status.
- Support AO and stakeholder decision-making by providing clear assessment findings and risk-based recommendations.
- Apply specialized cybersecurity assessment expertise across classified programs, unclassified programs, National Security Systems, and sensitive federal environments as assigned.
- Evaluate system boundaries, security categorization, control applicability, inherited controls, hybrid controls, and assessment scope to support accurate authorization decisions.
- Assess live networks, system components, cloud or hybrid environments, and enterprise services to determine security posture and compliance readiness.
- Ensure assessment work reflects the operational environment, mission use, technical architecture, and applicable federal security requirements.
- Analyze control weaknesses, vulnerabilities, audit findings, and technical deficiencies to determine severity, risk impact, and recommended remediation approach.
- Support POA&M creation, review, validation, tracking, and closure by ensuring weaknesses are clearly documented and tied to corrective actions.
- Review remediation evidence and updated assessment results to determine whether findings can be reduced, closed, or escalated for risk acceptance consideration.
- Coordinate with vulnerability management, incident response, configuration management, and O&M teams to align findings with operational remediation activities.
- Prepare written communications, assessment summaries, status updates, findings reports, and briefing materials for government and contractor leadership.
- Support monthly reporting by documenting assessment progress, deliverables, risks, issues, corrective actions, and key authorization activities.
- Maintain audit-ready documentation that meets SOW requirements for content, completeness, accuracy, and conformance.
- Communicate technical assessment results in clear language for system owners, CORs, AOs, privacy stakeholders, and program leadership.
- Bachelor’s degree required.
- Degree in cybersecurity, information systems, computer science, information technology, management information systems, or a related discipline preferred.
Candidates must hold at least one of the following certifications:
- CISA – Certified Information Systems Auditor.
- CRISC – Certified in Risk and Information Systems Control.
- CISSP – Certified Information Systems Security Professional.
- CGRC – Certified in Governance, Risk and Compliance.
- Minimum of eight (8) years of cybersecurity experience.
- Minimum of five (5) years of specialized experience supporting classified and unclassified programs, National Security Systems, and NIST SP 800-53A security control assessment activities.
- Experience performing security control assessments, validating assessment evidence, documenting findings, and supporting authorization decisions for federal information systems.
- Experience supporting RMF, ATO maintenance, control assessment, risk analysis, POA&M management, and continuous monitoring activities.
- Ability to coordinate with system owners, ISSOs, engineers, assessors, authorizing officials, privacy stakeholders, CORs, and program leadership.
- Public Trust / Suitability required; must be able to obtain and maintain required access for the duration of the assignment.
- Strong working knowledge of NIST Special Publications, including NIST SP 800-53A assessment procedures, NIST SP 800-53 security controls, and NIST SP 800-37 RMF/security authorization.
- Experience using DOJ JCAM or similar governance, risk, and compliance systems to review authorization artifacts, assessment evidence, and authorization status.
- Prior DOJ, BOP, DoD, Intelligence Community, or federal law enforcement cybersecurity assessment experience.
- Experience assessing controls for on-premises, cloud, hybrid, air-gapped, or classified federal systems.
- Strong written communication skills with the ability to produce audit-ready assessment documentation and executive-level risk summaries.