• System Analyst II

    Job Locations US-DC
    Job ID
    # of Openings
    IT Security
    Public Trust
    Work Authorization
    US Citizens, preferred
  • Overview

    VariQ has an exciting opportunity for a highly qualified System Analyst II to support the SEC in Washington, DC.


    Additional Information:


    • Location: Federal client offices in North East, Washington, DC
    • Salary: Dependent upon experience
    • Security Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following a background suitability and records check.
    • Available: within 30 days



    Role: The successful candidate will serve as a member of the technical staff supporting our federal client in the cybersecurity domain. The work will focus on federal information and cybersecurity doctrine, including FISMA and the NIST issuances. Our client’s FISMA compliance program is risk-based (in agreement with NIST issuances), with a lifecycle that leads to and sustains ATOs. Like most federal agencies, our client is constantly improving and refining systems, developing and deploying new systems, refreshing technologies, and incorporating new products as the IT market advances. Simultaneously, our client must address the ever-evolving threat landscape, changes in statute, standards, and regulations, and the continuous adaptation of their information security program to provide appropriate, cost-effective security in the midst of all of these factors.

    The successful candidate will be a member of an established and successful team that is already supporting our client. Our expertise, commitment to quality, and insightful consulting has led the client to request even more support from VariQ, and we are looking for two additional members to join our team (one senior, and one junior). Our team is supported by a part-time program manager (who will handle finances, and minor oversight to ensure that client needs are being met), and a part-time technical writer (who will help with QA on deliverables). Thus, these positions require self-motivated, educated, and mature candidates who are comfortable with working with minimal supervision.

    All members of the team are required to learn and support the various aspects of the work required under this task. The client has licensed the RSA Archer™ product as a FISMA/SA&A support tool, primarily for use in POA&M (~300 plans) and ISA/MOU (~30) management, as well as general security reporting and tracking. Our client is currently sustaining a FISMA portfolio of approximately 100 systems, with a mix of general support as well as major/minor application systems.

    As our Senior Security Specialist or Security Analyst II, you will be a key technical member of the team, charged with sustaining and evolving the specified elements of the SA&A program, including the processes and tools employed throughout our client’s FISMA compliance program.


    The successful candidate will:

    • Provide informed counsel to the team and to the client about federal doctrine, particularly the RMF, regarding the role and function of the NIST issuances, with a specific emphasis on the managerial and operational control requirements and control implementations. Note that technical controls normally addressed through the use of scanners, patch management tools, vulnerability management products, etc., are not within the scope of this engagement. The preferred candidates will be those with demonstrated expertise in the non-technical control areas, particularly reviewing and writing artifacts regarding the management and operations related to the FISMA program.
    • Support the client’s execution of the NIST Cybersecurity Framework (CSF) Implementation Plan, already delivered to the client under this contract.  This requires modifying artifacts, tools, processes, and templates already in use with the RMF-based program and extending them to incorporate required CSF elements, such as sub-categories and outcome objectives.  The goal is to fuse the CSF into the RMF, not create a parallel program.
    • Support System Security Planning efforts, including performing updates to system security plans (SSPs), determining the impact of new or updated doctrine upon the SSPs, planning and coordinating responses to these impacts, and ensuring that work is done in agreement with standard templates and guidelines. Support is also required to refine and update these templates and guidelines as changes in doctrine take place (for example, the impending release of NIST SP 800-53 Rev 5). SSP support includes cloud-based systems that rely upon the FedRAMP program and artifacts, and some are in the process of moving into the cloud.
    • Utilize the RSA Archer™ GRC tool to maintain current status and related artifacts regarding data calls made by, or made upon, the information security office, usually by auditors. Interconnection Agreements and MOUs are also supported in the tool.  This data will typically relate to security findings, risk analyses, and tracking for approximately 300 Plans of Action & Milestones (POA&Ms) and around 30 ISA/MOUs.
    • Support the PM by providing information for status reports, status briefings, schedules, project plans, etc., both in written and oral form.
    • Help ensure that the team provides deliverables of impeccable quality. Never settle for “good enough,” and foster a culture in others to do the same. As needed, step in and support any project underway with the team.
    • Our team is high-energy, passionate, driven, vibrant, and diverse.  We have a rich blend of experience and expertise, plenty of personality and team camaraderie, and just a touch of eccentricity.  We need two members who can join us and embrace our culture and style, so “nerds are welcome,” and we don’t judge as long as you know how to do your job, and you do it well – that’s how we roll.


    Required Experience and Abilities:

    • Strong understanding of the NIST SP 800-3X series and SP 800-18, and a working knowledge of all other NIST FISMA issuances, as well as federal statute, security-relevant OMB circulars and memoranda, federal information processing standards, and other federal security doctrine.
    • Ability to participate as a member of a technical team that is performing audit support, POA&M management, and SSP process and artifact design and development. Note that the actual SA&A lifecycle is managed by another group, and is not part of this job. Instead, this is a specialized team with a strong emphasis on technical expertise in just these areas, even if they do contribute to the SA&A lifecycle.
    • Strong preference is given to candidates with hands-on RSA Archer tool experience, including the use of Microsoft Word Content Controls and Visual Basic macros and programming for both Word and Excel (import/export in and out of Archer). Experience with other GRC tools, such as RSAM, or experience with SA&A tools, such as Xacta, is also of significant value.  Experience working with Word and Excel VBA programming is also of significant value.
    • Experience with the CSF in the federal environment is desirable, but not required.  If you are a strong candidate with good RMF experience and expertise, our CSF subject matter expert will train you in the CSF and implementation of the framework for our client.
    • Ability to tailor information security processes and tools, based on ever-evolving and changing landscapes, doctrine, and risk scenarios.
    • Proficiency in performing work in a federal agency that has FISMA, OMB Cybersecurity & Privacy, and NIST SP/FIPS compliance requirements.
    • Fluency in both spoken and written US English, including the ability to work with highly technical and specialized content. Must be able not only to prepare and deliver such content, verbally and in writing, but also to comprehend such content from others, in both spoken and written form.
    • Ability to prepare deliverables of sufficient quality that few or no minor edits are required before they are conveyed to the client.
    • Quickly review the work products of others, employ your own fluency in federal security doctrine, and ensure that timely and accurate feedback and recommended edits are delivered to the author(s). All work products should be ready for delivery to the client after only one review has been performed.


    Years of Experience:

    For the Senior Security Specialist/ISSO position, at least six years of federal information security experience. At least three years involving the SA&A and security planning processes, as well as the POA&M management process.

    For the Security Analyst/ISSO position, at least three years of federal information security experience. At least 18 months involving the SA&A and security planning processes, as well as the POA&M management process.


    Professional Certifications:

    Candidates must hold one or more of the following certifications (or equivalents): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and/or CompTIA Security+.




    VariQ is an equal opportunity employer.

