RMF & ISSM Support Specialist

RMF & ISSM Support Specialist

Sentar is proud to be an employee-owned company, fostering a culture of empowerment, collaboration, and innovation. Sentar is dedicated to developing the critical talent that the connected world demands to create solutions to address the convergence of cybersecurity, intelligence, analytics, and systems engineering. We invite you to join the team where you can build, innovate, and secure your career.

Sentar is seeking a RMF & ISSM Support Specialist that sits remotely!

The Defense Health Agency (DHA) supports the delivery of integrated, affordable, and high-quality health services to Military Health System (MHS) beneficiaries and is responsible for driving greater integration of clinical and business processes across the MHS. Our DHA teams make a difference daily by ensuring the security of the health records of active duty and retired military and their families!

The Defense Health Cyber Risk Management Team requires a RMF & ISSM Support Specialist to provide key services to a government client. This individual will be responsible for assigned Information Systems Security Manager (ISSM) efforts to complete RMF packages (Security Plans, Annual Security Reviews, Authorizations, POA&Ms, etc.), conduct continuous monitoring of assigned systems, and provide relevant cyber security expertise to ongoing programmatic lines of effort.

This position for JOMIS Cyber Support, Risk Management Executive Division (RMED) supported by the Defense Health Agency (DHA). The RMF & ISSM Support SME navigates and coordinates workflow, activity, and documentation necessary to achieve successful RMF objectives for DHA medical devices and systems.

Duties: Cloud & Application Security Engineering

• Architect and implement secure, zero trust, defense-in-depth solutions across infrastructure, platform, and application layers for cloud-hosted and DDIL environments;
• Develop and enforce cloud security baselines and automated policy guardrails using IaC tools (Terraform, Ansible, AWS Config Rules, Azure Policy);
• Engineer IAM solutions including RBAC, ABAC, MFA, least-privilege, and PAM across cloud and application environments;
• Secure containerized workloads (Kubernetes/OpenShift) including pod security policies, network policies, secrets management, and runtime threat detection (Falco, Prisma Cloud/Twistlock);
• Embed security into CI/CD pipelines per the DoD DevSecOps Reference Design, automating SAST, DAST, SCA, container image scanning, and STIG compliance validation;
• Integrate application security across the SDLC including secure code review, SAST, DAST, SCA, and API security testing;
• Design and implement cloud-native SIEM/monitoring capabilities (AWS Security Hub, CloudTrail, Azure Sentinel) supporting continuous monitoring and RMF compliance;
• Implement data protection strategies including encryption at rest/in transit and cryptographic key management (AWS KMS, Azure Key Vault);
• Lead threat modeling and security architecture reviews for new and evolving JOMIS capabilities;
• Evaluate and harden DDIL/edge security configurations for disconnected and bandwidth-constrained operational environments;

RMF & Compliance

• Execute end-to-end RMF authorization activities including SSP development, SCAs, POA&M management, and ATO package maintenance in eMASS, CMRS, COAMS, and Phoenix;
• Apply NIST SP 800-53 controls, DISA STIGs/SRGs, and DoD/DHA IA requirements to assess, document, and remediate system security posture;
• Conduct vulnerability analysis using ACAS/Nessus, STIG Viewer, and SCAP; analyze HBSS/ESS output and configurations; perform root cause analysis on cybersecurity shortfalls;
• Review and validate authorization boundary diagrams, architecture/data flow diagrams, hardware/software inventories, IP/subnet assignments, and Med-COI Zone taxonomy artifacts;

Stakeholder Engagement & Reporting

• Serve as senior technical security advisor to program leadership, IPTs, and government stakeholders through engineering review boards and architecture working groups;
• Coordinate with ISSMs, system/network administrators, software engineers, and CIOs to validate and document control implementation;
• Submit Weekly Status Reports (WSRs) and lead/attend stakeholder meetings on RMF and security engineering status.

Qualifications:

• 6–8+ years of hands-on cybersecurity engineering experience in DoD or Federal environments, with demonstrated depth across RMF, cloud security, and application security domains;
• RMF/Compliance: Hands-on eMASS experience; proven ability to develop and manage ATO packages, SSPs, SCAs, and POA&Ms proficiency with ACAS/Nessus, SCAP, STIG Viewer, HBSS/ESS analysis;
• Cloud Security: 3+ years securing AWS GovCloud and/or Azure Government environments; experience with cloud-native security tooling (Security Hub, CloudTrail, Azure Sentinel, Defender), secure landing zone design, and network micro-segmentation;
• IaC & Automation: Proficiency with Terraform, Ansible, CloudFormation, or Helm for automated, policy-compliant infrastructure deployment and security hardening;
• Application Security: Experience with SAST, DAST, SCA, and API security testing integrated into CI/CD pipelines (GitLab, Jenkins, or equivalent); familiarity with secure SDLC practices per DoD DevSecOps Reference Design;
• Containers & Microservices: Hands-on Kubernetes/OpenShift security including pod security standards, image scanning, secrets management, and runtime detection tooling;
• IAM/Zero Trust: Demonstrated implementation of RBAC, ABAC, MFA, PAM, and zero trust access models in cloud and application environments;
• DDIL/Edge: Familiarity with DDIL architecture security challenges including offline operations, data synchronization, and edge hardening;
• Frameworks: Strong working knowledge of NIST SP 800-53, NIST SP 800-144, NIST SP 800-115, DISA STIGs/SRGs, DoD DevSecOps Reference Design, and DoD 8570/8140;
• Strong written and verbal communication skills; ability to translate complex technical findings for both technical and executive audiences.

Clearance Level: Active Secret Clearance

Education: Bachelor's Degree in Cybersecurity, Computer Science, Systems Engineering, or related STEM field; or equivalent demonstrable experience

Certifications:

IAT Level II required (e.g., CompTIA Security+ CE); One or more of the following strongly desired: CISSP, CASP+, CCSP, AWS Certified Security – Specialty, Microsoft Certified: Azure Security Engineer Associate; Additional certifications such as CSSLP, GWEB, GPEN, or CEH are a plus

Benefits at Sentar: Our unique ownership model attracts top talent, giving employees the freedom to take initiative and drive meaningful improvements. In addition to cultivating a thriving and inclusive work environment, Sentar offers an extensive benefits package designed to support the well-being of employees and their families. Employee ownership is the foundation of our culture, promoting participation, teamwork, and accountability while ensuring long-term financial security and a commitment to excellence.

• Voluntary Medical, Dental, Vision, with Health Savings or Flexible Spending Plan options
• Voluntary Life, Critical Illness, Accident, and Long Term Care insurance options
• Group Term Life, Short-Term and Long-Term Disability is provided by Sentar to all qualifying employees
• Generous 401(k) match
• Competitive PTO plan that graduates quickly with years of service
• Other leave programs; holiday schedule along with bereavement, maternity, jury and military duty
• Mental health awareness programs
• Tuition reimbursement
• Professional development reimbursement
• Recognition and Awards programs

If you are not ready to apply for this position, submit your resume here to join our talent community. We'll keep you updated occasionally on new job opportunities.

Sentar is an Affirmative Action and Equal Opportunity Employer M/F/Vets/Persons with Disabilities. Our culture is one of inclusivity and support. Sentar is proudly an Equal Opportunity and VEVRAA Federal Contractor Employer M/F/Vets/Persons with Disabilities. Follow these links to learn more about your