Security Analyst II/SA&A Specialist

Category: Cyber Security
Work Authorization: US Citizens, preferred


VariQ has an exciting opportunity for a highly qualified Security Analyst II / Security Specialist to support our client in Denver, CO.


Additional Information:

  • Location: USBR Denver, Colorado. (Travel may be required to all 17 Western States)
  • Salary: Dependent upon experience
  • Security Clearance: Candidates will have to be favorably adjudicated for access to Sensitive but Unclassified (SBU) / Controlled Unclassified Information (CUI) following a background suitability and records check.
  • Available: within 30 days


Role: As the Security Analyst II (SA) for this engagement, the successful candidate will serve as a member of the technical staff supporting our federal client in the cybersecurity domain. The work will focus on federal information and cybersecurity doctrine, including FISMA and the NIST issuances. Our client's FISMA compliance program is risk-based (consistent with the NIST issuances), with a lifecycle that leads to and sustains ATOs. Like most federal agencies, our client is constantly improving and refining systems, developing and deploying new systems, refreshing technologies, and incorporating new products as the IT market advances. At the same time, our client must address the ever-evolving threat landscape and changes in statute, standards, and regulations, and continuously adapt its information security program to provide appropriate, cost-effective security in the midst of all of these factors.

All members of the team are required to learn and support the various aspects of the work required under this task. The client has licensed CSAM as a FISMA/SA&A support tool, primarily for POA&M and System Security Plan (SSP) elements as well as general security reporting and tracking. The client must also submit the customary CyberScope data, including PMC, CAP, and FISMA inventory information. Our client currently sustains a FISMA portfolio of approximately 30 systems, each of which requires a new or heavily updated SSP every year. Our client uses the traditional per-system SSP model as well as program-level SSPs that support reuse and common control inheritance. Many of our client's applications are being moved to the cloud under the government's FedRAMP program. Compliance with the least-privilege control requirement is accomplished, in part, by periodic revalidation that each user's access to SBU/CUI is still required by need-to-know and need-for-duty.

As our Security Analyst II, you will be a key technical member of the team, charged with sustaining and evolving the specified elements of the SA&A program, including the processes and tools employed throughout our client’s FISMA compliance program.

The successful candidate will:

  • Provide informed counsel to the team and to the client about federal doctrine regarding the role and function of the NIST issuances, particularly the NIST RMP (SP 800-39), the RMF (SP 800-37), Risk Assessments (SP 800-30), and Security Plans (SP 800-18).
  • Support system security planning efforts, including performing updates to system security plans (SSPs), determining the impact of new or updated doctrine upon the SSPs, planning and coordinating responses to these impacts, and ensuring that work is done in agreement with standard templates and guidelines. Support is also required to refine and update these templates and guidelines as changes in doctrine take place (for example, the impending release of NIST SP 800-53 Rev 5). SSP support includes cloud-based systems that rely upon the FedRAMP program and its artifacts, some of which are still in the process of moving into the cloud.
  • Manage Account Recertification Reporting, which is done to ensure compliance with the least-privilege control requirement. Users of approximately 100 systems, which include Windows, Linux, Cisco, Oracle, Sybase, and SQL RDBMS platforms, must be confirmed as still requiring access to these information systems because of their duties and need-to-know. Such "recertification" is done at least semiannually. Maintain authoritative records of all users and their recertification status, and communicate with the system owners to collect the relevant information.
  • Utilize the CSAM tool to maintain current status and related artifacts regarding data calls made by, or made upon, the information security office. This data will typically relate to security findings, risk analyses, and tracking of Plans of Action & Milestones (POA&Ms).
  • Utilize the CSAM GRC tool to maintain current status and related artifacts regarding approximately 30 Interconnection Security Agreements (ISAs) as well as Memoranda of Understanding (MOUs). Develop and execute a workflow that ensures that every ISA/MOU is reviewed and, as needed, updated at least once per year.
  • Make data calls to stakeholders throughout our client’s enterprise, and collect status, artifacts, and other relevant information regarding security findings, remediation and corrective action plans, and POA&M items. Maintain meticulous records and the authoritative inventories of all such actions.
  • Support the PM by providing information for status reports, status briefings, schedules, project plans, etc., both in written and oral form.
  • Help ensure that the team provides deliverables of impeccable quality. Never settle for “good enough,” and foster a culture in others to do the same. As needed, step in and support any project underway with the team.
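The account-recertification work described above is largely bookkeeping, but the reconciliation it rests on can be mechanized. The following Python script is an added example and is not code from the posting, from VariQ, or from the client. It assumes the per-system account exports and the analyst's recertification ledger are available as CSV text (the column names, system names, owners, dates and records below are constructed for the example), and it flags accounts that have never been recertified, accounts past the semiannual interval, accounts whose owner has recorded no need-to-know, and ledger entries for accounts that no longer exist on the system, then groups the open items into one data call per system owner.

```python
"""Semiannual account-recertification reconciler.

Added illustration; not part of the job posting or any client tooling.
Assumes two CSV inputs with the (constructed) columns shown below.
"""
import csv
import io
from datetime import date, timedelta

# "At least semiannually": anything older than this is overdue.
RECERT_INTERVAL = timedelta(days=182)

# Constructed sample: one row per (system, account) as exported by each
# platform owner (Windows, Oracle, Cisco, ...).
ACCOUNT_EXPORTS = """system,platform,account
HRIS-PROD,Windows,jdoe
HRIS-PROD,Windows,svc_backup
GIS-DB,Oracle,jdoe
GIS-DB,Oracle,rroe
CORE-RTR1,Cisco,netadmin
"""

# Constructed sample: the analyst's authoritative recertification ledger.
RECERT_LEDGER = """system,account,owner,last_recertified,need_to_know
HRIS-PROD,jdoe,hr-sysowner,2023-09-01,yes
HRIS-PROD,svc_backup,hr-sysowner,2022-11-15,yes
HRIS-PROD,old_user,hr-sysowner,2023-03-01,yes
GIS-DB,jdoe,gis-sysowner,2023-06-01,no
CORE-RTR1,netadmin,net-sysowner,2023-08-20,yes
"""


def parse_csv(text):
    """Parse CSV text into a list of dict rows (header row gives the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(exports, ledger, as_of):
    """Compare live accounts against the ledger and return open findings.

    Keys: 'unrecorded'  - on the system, never recertified (not in ledger)
          'overdue'     - in ledger, last recertification older than interval
          'revoke'      - owner recorded no need-to-know; access should go
          'stale_ledger'- in ledger, but no longer present on the system
    """
    recorded = {(r["system"], r["account"]): r for r in ledger}
    present = {(e["system"], e["account"]) for e in exports}
    findings = {"unrecorded": [], "overdue": [], "revoke": [], "stale_ledger": []}
    for key in sorted(present):
        rec = recorded.get(key)
        if rec is None:
            findings["unrecorded"].append(key)
            continue
        if rec["need_to_know"].strip().lower() != "yes":
            findings["revoke"].append(key)
        age = as_of - date.fromisoformat(rec["last_recertified"])
        if age > RECERT_INTERVAL:
            findings["overdue"].append((key, age.days))
    for key in sorted(recorded.keys() - present):
        findings["stale_ledger"].append(key)
    return findings


def data_call(findings, ledger):
    """Group open items by system owner so each owner receives one request."""
    owner_of_system = {}
    for r in ledger:
        owner_of_system.setdefault(r["system"], r["owner"])
    calls = {}

    def add(system, message):
        owner = owner_of_system.get(system, "UNKNOWN-OWNER")
        calls.setdefault(owner, []).append(message)

    for system, account in findings["unrecorded"]:
        add(system, f"{account}@{system}: access exists but was never recertified; confirm need-to-know or remove")
    for (system, account), days in findings["overdue"]:
        add(system, f"{account}@{system}: last recertified {days} days ago; recertification overdue")
    for system, account in findings["revoke"]:
        add(system, f"{account}@{system}: owner recorded no need-to-know; confirm removal")
    for system, account in findings["stale_ledger"]:
        add(system, f"{account}@{system}: in ledger but absent from system export; close ledger entry")
    return calls


def run_example(as_of=date(2023, 10, 1)):
    """Run the reconciliation on the constructed samples."""
    return reconcile(parse_csv(ACCOUNT_EXPORTS), parse_csv(RECERT_LEDGER), as_of)


if __name__ == "__main__":
    findings = run_example()
    for owner, items in data_call(findings, parse_csv(RECERT_LEDGER)).items():
        print(f"Data call to {owner}:")
        for item in items:
            print(f"  - {item}")
```

In practice the export side is the hard part: each platform produces its account list differently, so the value of the ledger comes from normalizing every export to the same (system, account) key before reconciling, and from treating an account that is on the system but not in the ledger as a finding rather than silently adding it.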


Required Experience and Abilities:

  • Strong understanding of the NIST SP 800-3X series and SP 800-18, and a working knowledge of all other NIST FISMA issuances, as well as federal statute, security-relevant OMB circulars and memoranda, federal information processing standards, and other federal security doctrine.
  • Ability to participate as a member of a technical team that is performing audit support, POA&M management, and SSP process and artifact design and development. Note that the SA&A lifecycle itself is managed by another group and is not part of this job; this is a specialized team with a strong emphasis on technical expertise in just these areas, even though these areas contribute to the SA&A lifecycle.
  • Understanding of GRC frameworks, such as that supplied by the CSAM tool, and how to use such tools to support information security objectives. Strong preference is given to candidates with hands-on CSAM tool experience. Experience with other GRC tools, such as RSAM, or experience with SA&A tools, such as Xacta, is also of significant value.
  • Ability to tailor information security processes and tools, based on ever-evolving and changing landscapes, doctrine, and risk scenarios.
  • Proficiency in performing work in a federal agency that has FISMA, OMB Cybersecurity & Privacy, and NIST SP/FIPS compliance requirements.
  • Fluency in both spoken and written US English, including the ability to work with highly technical and specialized content. Must be able both to prepare and deliver such content, verbally and in writing, and to comprehend such content from others, in both spoken and written form.
  • Ability to prepare deliverables of sufficient quality that few or no minor edits are required before conveyance to the client.
  • Ability to quickly review the work products of others, apply your own fluency in federal security doctrine, and ensure that timely and accurate feedback and recommended edits are delivered to the author(s). All work products should be ready for delivery to the client after only one review has been performed.



VariQ is an equal opportunity employer.

