Risk Management Framework Subject Matter Expert

Risk Management Framework (RMF) Subject Matter Expert

The RMF Subject Matter Expert (SME) supports cybersecurity and compliance efforts across multiple customer environments and system types within the Department of Defense and Intelligence Community. This role combines elements of ISSO, ISSM, and Security Control Assessor (SCA) responsibilities to support all phases of the Risk Management Framework (RMF) lifecycle in accordance with NIST SP 800-37 Rev. 2.

The RMF SME will provide technical guidance, assessment support, operational security oversight, and authorization package development while partnering with system owners, engineers, ISSOs, SCAs, and government stakeholders to maintain compliant and secure environments.

RMF SME responsibilities include, but are not limited to:

• Support RMF activities across all six RMF steps: Categorize, Select, Implement, Assess, Authorize, and Monitor.
• Develop, review, and maintain RMF documentation including SSPs, SARs, SAPs, RARs, POA&Ms, contingency plans, and authorization packages.
• Support security control selection, tailoring, implementation, and assessment activities aligned to NIST SP 800-53 Rev. 5.
• Conduct or support independent security control assessments and validation activities.
• Perform ISSO operational security responsibilities including account reviews, audit reviews, vulnerability tracking, configuration management coordination, and continuous monitoring activities.
• Utilize eMASS, Xacta, or equivalent GRC/A&A platforms to manage RMF activities and system artifacts.
• Interpret and analyze STIG findings, SCAP scans, ACAS results, and vulnerability assessment data to support remediation efforts.
• Develop and track POA&Ms and coordinate remediation activities with technical and program teams.
• Support ongoing continuous monitoring (ConMon) strategies, reporting, and compliance reviews.
• Provide cybersecurity guidance to system owners, engineers, and leadership regarding RMF compliance and risk posture.
• Ensure cybersecurity documentation and processes align with DoD RMF requirements, DoDI 8510.01, ICD 503, CNSSI 1253, and applicable customer guidance.
• Support cloud and hybrid environments as applicable, including AWS and Azure-based systems.
• Assist with executive-level briefings, risk discussions, and authorization recommendations.

The RMF SME is expected to perform additional duties as assigned in support of Apavo cybersecurity services and strategic growth initiatives.

Requirements

• Strong working knowledge of NIST SP 800-37 Rev. 2 and NIST SP 800-53 Rev. 5.
• Experience supporting DoD RMF and/or Intelligence Community RMF frameworks including ICD 503 and CNSSI 1253.
• Hands-on experience with eMASS, Xacta, or equivalent GRC/A&A platforms.
• Experience developing and reviewing RMF artifacts and ATO packages.
• Familiarity with STIGs, SCAP, ACAS, vulnerability management, and remediation processes.
• Understanding of continuous monitoring strategies and compliance reporting.
• Strong analytical, communication, and documentation skills.
• Ability to collaborate effectively with technical teams, security leadership, and government stakeholders.
• Experience supporting cloud-based environments and security authorizations is preferred.
• Bachelor's Degree in Cybersecurity, Information Technology, Computer Science, or related technical discipline preferred.
• Active TS/SCI clearance required. Candidates must be eligible for CI Polygraph processing or willing to obtain one if required.
• Must possess a DoD 8570/8140 IAM Level II or IAT Level III compliant certification such as CISSP, CISM, CASP+, or equivalent.
• Preferred certifications include CAP/CGRC, CCSP, or other RMF/GRC-focused certifications.

Apavo is considering candidates across multiple experience levels:

• Mid-Level: 5–8 years of RMF, ISSO, SCA, or cybersecurity compliance experience
• Senior-Level: 8–12 years of progressively responsible RMF and cybersecurity experience
• Principal-Level: 12+ years of experience, including prior leadership experience as an ISSM, ISSO Lead, SCA Lead, or equivalent cybersecurity management role

This is typical office or administrative work, and there is no exposure to adverse environmental conditions.

This position requires sedentary work. Sedentary work is defined as: Exerting up to 10 pounds of force occasionally and/or a negligible amount of force frequently or constantly to lift, carry, push, pull or otherwise move objects, including the human body. Sedentary work involves sitting most of the time. Jobs are sedentary if walking and standing are required only occasionally, and all other sedentary criteria are met.

Apavo Corporation provides equal employment opportunities to all applicants and employees and strictly prohibits any type of harassment or discrimination in regards to race, religion, age, color, sex, disability status, national origin, genetics, sexual orientation, protected veteran status, gender expression, gender identity, or any other characteristic protected under federal, state, and/or local laws.

Consistent with the Americans with Disabilities Act (ADA), it is the policy of Apavo Corporation to provide reasonable accommodation when requested by a qualified applicant or employee with a disability, unless such accommodation would cause an undue hardship. The policy regarding requests for reasonable accommodation applies to all aspects of employment, including the application process. If reasonable accommodation is needed, please contact Apavo Human Resources.

Employment with Apavo Corporation is on an at-will basis, meaning either you or the Company can terminate the employment relationship, at any time, for any or no reason, and with or without cause or notice. As an at-will employee, your employment with Apavo Corporation is not guaranteed for any length of time.