SBA - ISSO / Control Evaluator - Sr in Washington, District of Columbia at cFocus Software Incorporated

ISSO / Control Evaluator – Senior Job DescriptionPosition Title: ISSO / Control Evaluator – Senior
Opportunity: SBA Enterprise Cybersecurity Services (ECS)Position OverviewThe ISSO / Control Evaluator – Senior shall provide cybersecurity governance, Risk Management Framework (RMF), continuous monitoring, and security controls assessment support services for the U.S. Small Business Administration (SBA) Enterprise Cybersecurity Services (ECS) program. Key Responsibilities

• Serve as the senior ISSO and security compliance advisor for assigned SBA systems, applications, services, and cloud environments.
• Provide leadership and technical oversight for RMF assessment, authorization, and continuous monitoring activities in accordance with NIST SP 800-37 Rev. 2.
• Conduct and oversee testing and validation of NIST SP 800-53 Rev. 5 security and privacy controls in accordance with NIST SP 800-53A assessment procedures.
• Develop, review, update, and maintain cybersecurity and privacy documentation including SSPs, CMPs, ISCPs, ISCP Test Reports, ERAs, POA&Ms, and architecture diagrams.
• Support SBA Ongoing Authorization (OA) activities including development and execution of OA Playbooks, positive testing, and negative testing methodologies.
• Document Determine If Statements (DISs), assessment evidence, and technical findings to demonstrate security control effectiveness.
• Develop Security Assessment Plans (SAPs), Security Assessment Reports (SARs), Annual Assessment Reports (AARs), and remediation recommendations.
• Coordinate vulnerability management activities including validation of remediation actions, mapping vulnerabilities to NIST controls, and tracking POA&M closure activities.
• Support FISMA reporting, cybersecurity metrics collection, dashboard reporting, and Governance Risk and Compliance (GRC) tool updates.
• Provide audit support for IG, GAO, FISMA, and internal assessments by coordinating artifact collection, walkthroughs, and audit response activities.
• Support High Value Asset (HVA) assessment activities and FedRAMP Continuous Monitoring (CONMON) management activities.
• Review system architectures, network topologies, cloud environments, and security configurations to identify cybersecurity risks and compliance gaps.
• Participate in SBA Enterprise Change Control Board (ECCB) activities and cybersecurity governance reviews.
• Provide technical guidance to system owners, ISSMs, engineers, administrators, and program stakeholders regarding cybersecurity compliance and remediation strategies.
• Ensure all deliverables are peer reviewed, aligned with SBA implementation procedures, Section 508 compliant, and submitted within required timelines.
• Support enterprise cybersecurity continuous monitoring, risk analysis, and automation/visualization initiatives.

Required Qualifications

• Bachelor’s degree in Cybersecurity, Information Assurance, Information Technology, Computer Science, Engineering, or related discipline.
• Minimum of eight (8) years of experience supporting federal cybersecurity, RMF, ISSO, or information assurance activities.
• Minimum of five (5) years of experience conducting security controls assessments, compliance evaluations, or continuous monitoring activities for federal systems.
• Extensive knowledge of NIST SP 800-53 Rev. 5, NIST SP 800-53A Rev. 5, NIST SP 800-37 Rev. 2, FISMA, and OMB cybersecurity guidance.
• Experience supporting ongoing authorization (OA), continuous monitoring, and cybersecurity governance activities.
• Experience developing and maintaining cybersecurity documentation including SSPs, SARs, SAPs, AARs, POA&Ms, and related RMF artifacts.
• Experience supporting cloud security assessments and FedRAMP environments including AWS, Azure, Microsoft 365, and SaaS platforms.
• Experience supporting federal cybersecurity audits including IG, GAO, and FISMA reviews.
• Strong analytical, technical writing, communication, and stakeholder engagement skills.
• Experience using Governance Risk and Compliance (GRC) platforms and cybersecurity assessment tools.
• Relevant certifications such as CISSP, CAP, CISA, Security+, GSLC, or equivalent preferred.
• Ability to obtain and maintain a Moderate Risk background investigation and eligibility for higher-level clearances if required.

Desired Experience

• Experience supporting civilian federal agencies including SBA, DHS, or CISA.
• Experience supporting Zero Trust Architecture initiatives and FedRAMP CONMON activities.
• Experience coordinating penetration testing or vulnerability assessment remediation activities.
• Experience supporting enterprise cybersecurity dashboards, automation, and visualization reporting.