Cybersecurity Compliance Auditor / Security Control Assessor (SCA)

Do you enjoy assessing complex systems and ensuring they meet the highest cybersecurity standards in support of national security, space exploration, and advanced technologies?

If so, we are looking for someone like you to join our team at APL.

Recognized as one of Computerworld's Top Places to Work in IT for seven consecutive years, APL is expanding its cybersecurity compliance and assessment capabilities.

We are seeking a Cybersecurity Compliance Auditor / Security Control Reviewer (SCR) to perform independent security control assessments across classified information systems to determine the overall effectiveness of the controls.

Our team is mission-driven-focused on securing systems that enable critical national security objectives. We operate in a collaborative, technically rigorous environment where your expertise directly impacts mission success.

As a Cybersecurity Compliance Auditor / Security Control Reviewer (SCR), you will:

• Planning, conducting, and performing independent security control assessments of classified systems in accordance with Risk Management Framework (RMF), Joint Special Access Program (SAP) Implementation Guide (JSIG), and applicable DoD/IC standards.
• Evaluate the implementation and effectiveness of security controls across a wide range of technologies and environments.
• Conduct risk-based assessments to determine system compliance and identify vulnerabilities, control gaps, and areas for process improvement.
• Analyze system documentation, test results, and artifacts to validate control implementation and authorization readiness.
• Develop clear, concise, and defensible assessment reports, including findings, risk determinations, corrective actions, and recommendations to address identified vulnerabilities.
• Collaborate with Program Managers/System Owners, ISSMs, ISSOs, system engineers/administrators, and program teams to resolve findings and improve security posture.
• Support internal security reviews and external inspections (e.g., DCSA, DoD, IC), ensuring systems are prepared for independent evaluation and compliance inspections.
• Interpret and apply cybersecurity policies and frameworks, including RMF, NISPOM, DAAG/DAAPM, and JSIG.
• Evaluate the effectiveness and implementation of Continuous Monitoring Plans
• Contribute to the continuous improvement of assessment methodologies, tools, and processes.

You meet our minimum qualifications for the job if you:

• Hold a Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or a related field (or equivalent experience).
• Have at least 5 years of cybersecurity experience, including involvement in RMF, Certification & Accreditation (C&A), or Assessment & Authorization (A&A) processes.
• Have experience performing or supporting Security Control Assessments or independent validation of security controls.
• Have experience in three or more of the following areas:
• Network, endpoint, and application security
• Identity and access management
• Vulnerability and configuration management
• Encryption and data protection technologies
• Incident response and monitoring
• Hold a relevant certification such as CISA, GSNA, CASP+ CE, CISSP, CISM or DoD 8570/8140 IAT/IAM Level II/III equivalent.
• Have experience applying cybersecurity standards such as:
• NISPOM
• DAAG/DAAPM
• JSIG
• NIST SP 800-53 / RMF
• Demonstrate strong technical understanding of operating systems, networking, virtualization, AI/ML, and cloud environments.
• Possess strong written and verbal communication skills, with the ability to clearly document and communicate risk.
• Hold an active Secret clearance with the ability to obtain a Top-Secret clearance. If selected, you will be subject to a government security clearance investigation and must meet the requirements for access to classified information. Eligibility requirements include U.S. citizenship.

You'll go above and beyond our minimum requirements if you:

• Have direct experience functioning as a Security Control Assessor (SCA) in DoD or IC environments.
• Have served in roles such as ISSO, ISSM, ISSE, Security Engineer, or Cyber Risk Analyst.
• Possess deep expertise in RMF, NIST SP 800-37, NIST SP 800-53, and CNSSI 1253.
• Have supported DCSA, DoD, or IC inspections and understand external assessment expectations.
• Experience with GRC/RMF Tools such as eMASS, ServiceNow (SNOW), XACTA
• Have 8+ years of cybersecurity experience in classified environments.
• Are familiar with JHU/APL systems, processes, and mission areas.
• Hold an active TS/SCI (or TS/SCI with polygraph).

Why Work at APL?

The Johns Hopkins University Applied Physics Laboratory (APL) brings world-class expertise to our nation's most critical defense, security, space and science challenges. While we are dedicated to solving complex challenges and pioneering new technologies, what makes us truly outstanding is our culture. We offer a vibrant, welcoming atmosphere where you can bring your authentic self to work, continue to grow, and build strong connections with inspiring teammates.

At APL, we celebrate our differences of perspectives and encourage creativity and bold, new ideas. Our employees enjoy generous benefits, including a robust education assistance program, unparalleled retirement contributions, and a healthy work/life balance. APL's campus is located in the Baltimore-Washington metro area. Learn more about our career opportunities at

All qualified applicants will receive consideration for employment without regard to race, creed, color, religion, sex, gender identity or expression, sexual orientation, national origin, age, physical or mental disability, genetic information, veteran status, occupation, marital or familial status, political opinion, personal appearance, or any other characteristic protected by applicable law.APL is committed to providing reasonable accommodation to individuals of all abilities, including those with disabilities. If you require a reasonable accommodation to participate in any part of the hiring process, please View email address on click.appcast.io.

The referenced pay range is based on JHU APL's good faith belief at the time of posting. Actual compensation may vary based on factors such as geographic location, work experience, market conditions, education/training and skill level with consideration for internal parity. For salaried employees scheduled to work less than 40 hours per week, annual salary will be prorated based on the number of hours worked. APL may offer bonuses or other forms of compensation per internal policy and/or contractual designation. Additional compensation may be provided in the form of a sign-on bonus, relocation benefits, locality allowance or discretionary payments for exceptional performance. APL provides eligible staff with a comprehensive benefits package including retirement plans, paid time off, medical, dental, vision, life insurance, short-term disability, long-term disability, flexible spending accounts, education assistance, and training and development. Applications are accepted on a rolling basis.

Required

Preferred

Job Industries

• Other