Risk Management Framework (RMF) Analyst

Geospatial And Cloud Analytics Inc

Norfolk, VA
Full Time
Paid
  • Responsibilities

    The RMF Analyst supports OPTEVFOR Cyber Operational Test & Evaluation (OT&E) missions by applying enterprise- and system-level security architecture expertise across the system development lifecycle. The role ensures alignment with evolving laws, regulations, and DoD and Department of the Navy (DoN) cybersecurity policies, and contributes to Risk Management Framework (RMF) activities across all lifecycle phases.

    The Security Architect translates complex technical, operational, and environmental requirements into effective security architectures; supports system categorization, policy documentation, security control selection and implementation; and conducts comprehensive assessments of management, operational, and technical security controls to evaluate their effectiveness. The position also provides project management and subject matter expertise to guide assessment and authorization (A&A) activities for Cyber OT&E test infrastructure and toolsets, working closely with internal stakeholders and external oversight organizations to ensure timely and compliant system authorizations.

    Security Clearance Requirement: Eligibility for Top Secret / Sensitive Compartmented Information (TS/SCI).

    Qualifications

    • Minimum of five (5) years of experience designing and integrating enterprise and system security architectures across the development lifecycle
    • Minimum of three (3) years of experience conducting RMF-related assessments of management, operational, and technical security controls within DoD IT systems
    • Minimum of three (3) years of experience providing project management, subject matter expertise, and hands-on support for system certification and accreditation efforts in accordance with DoD/DoN cybersecurity policies and RMF guidance

    Key Responsibilities

    Security Architecture and RMF Support

    • Apply enterprise and system-level security architecture principles to support OPTEVFOR Cyber OT&E missions
    • Support RMF activities across all steps, including system categorization, control selection, control implementation, assessment, authorization, and continuous monitoring
    • Provide RMF support consistent with the RMF Process Guide (RPG) for the Information Systems Security Engineer (ISSE) role
    • Evaluate security architectures and designs to determine adequacy and alignment with mission and enterprise objectives
    • Define and document the impact of new systems, interfaces, or changes on overall security posture

    Documentation, Compliance, and Governance

    • Create, review, update, and validate cybersecurity Standard Operating Procedures (SOPs)
    • Maintain inventories of authorized software, Government Furnished Equipment (GFE), and removable media
    • Maintain and update all RMF and A&A documentation to ensure accuracy, relevance, and alignment with OPTEVFOR Cyber OT&E assets, including required updates in eMASS
    • Ensure traceability across all RMF artifacts, including:
      • A&A Plans
      • Plans of Action and Milestones (POA&Ms)
      • Security Assessment Reports (SARs)
      • Network topologies
      • Software inventories
      • Ports, protocols, and services
      • Test plans
    • Maintain system and network documentation in DoD IT Portfolio Repository–DoN (DITPR-DON) / DADMS
    • Maintain documentation and registration of network ports, protocols, services, and circuits, including GIAP and SNAP
    • Track and report weekly status of all outstanding A&A actions and supporting documentation
    • As a member of the Configuration Control Board (CCB), ensure approved changes are accurately and promptly reflected in A&A documentation

    Assessment, Validation, and Hardening

    • Conduct comprehensive annual RMF package reviews to ensure continued compliance of Cyber OT&E toolsets, networks, and systems
    • Execute DISA STIG validations in conjunction with RMF/A&A reviews in accordance with the DoDI 8510 series
    • Audit and validate system and network configurations against STIGs; define and implement compensating controls when required to support mission execution
    • Support compliance validation for current and emerging directives (e.g., IAVs, STIGs, TASKORDs, CTOs)
    • Provide recommendations for corrective actions to remediate non-compliant security controls
    • Prepare and maintain vulnerability scan results, system security assessments, and configuration management findings to inform authorization decisions
    • Document assessment activities and results in sufficient detail to support independent external review

    Testing, Exercises, and Continuity Planning

    • Develop or contribute to security test plans and supporting documentation to verify security control implementation and inform ongoing risk determinations
    • Conduct and document semi-annual tabletop exercises (twice per calendar year)
    • Review and analyze IT contingency and disaster recovery plans for compliance with NIST and DoN requirements
    • Develop system-specific contingency planning checklists and support contingency plan exercises and training
    • Work independently or in small teams to resolve tasks with minimal supervision

    DCWF Knowledge, Skills, Abilities, and Tasks (KSATs)

    Knowledge

    • Enterprise information security architecture and IT architectural concepts (baseline and target architectures)
    • Network security architecture principles, protocols, components, and defense-in-depth strategies
    • Cybersecurity-enabled software products and secure configuration management practices
    • RMF processes, documentation, and compliance requirements
    • PII protection standards, program protection planning, and applicable security/privacy regulations
    • Telecommunications concepts, network management principles, and cloud-based security technologies
    • Specialized system requirements, including those supporting critical infrastructure

    Skills & Abilities

    • Design and integrate security architectures and frameworks, including multilevel and cross-domain solutions up to TS/SCI
    • Translate laws, regulations, and environmental conditions into effective security designs and processes
    • Perform comprehensive assessments of management, operational, and technical security controls
    • Develop and maintain security compliance processes and audits, including for external services (e.g., cloud providers)
    • Apply cybersecurity methods such as firewalls, DMZs, encryption, PKI, and digital signatures
    • Optimize systems to meet enterprise performance and security requirements
    • Provide project management and subject matter expertise for Cyber OT&E certification and accreditation efforts
    • Document and update security architectures and related artifacts
    • Translate mission capabilities into technical and security requirements and application design elements
    • Provide cost, design, and change-impact advice to program and technical leadership