Governance Risk and Compliance (GRC) Analyst 3

C2 Labs, Inc.

Knoxville (TN)

On-site

USD 70,000 - 100,000

Full time

30+ days ago

Job summary

Join a forward-thinking company as a Governance Risk and Compliance Analyst, where you will play a crucial role in implementing regulatory frameworks and developing security authorization packages. This position offers the opportunity to work with a dynamic team of security analysts and engineers, leveraging innovative GRC tools to ensure compliance with federal standards. If you are passionate about cybersecurity and want to make a significant impact in a collaborative environment, this role is perfect for you. With a focus on continuous improvement and client success, you will contribute to shaping the future of IT transformation and security practices.

Qualifications

  • 3-5 years of IT consulting experience in Governance, Risk, and Compliance.
  • CISSP, CISM, or CAP certification preferred.

Responsibilities

  • Develop security authorization package documentation and supporting documents.
  • Conduct Security Impact Assessments and create Control Implementation Summaries.

Skills

Governance Risk and Compliance (GRC)
NIST Risk Management Framework (RMF)
Federal Risk and Authorization Management Program (FedRAMP)
Technical Writing
Security Authorization Package Documentation
Cybersecurity Regulatory Frameworks
Communication Skills

Education

Bachelor's Degree in IT or related field

Tools

GRC Tools

Job description

C2 Labs [www.c2labs.com] partners with clients on their IT transformation journey via
data-driven IT strategic planning, application rationalization and redevelopment, and innovative
research and development of new industry standards and technologies. C2 Labs provides
specialized products and services that allow our clients to innovate with speed and scale
seamlessly while maintaining a robust and effective security posture. C2 has a unique approach
to client success enablement that is empowered by ART (Application Rationalization and
Transformation) and SCIENCE (Strategic Client Interview and Engineering to assess, design,
and implement Cloud Ecosystems) to couple creative new approaches/technologies with proven
methodologies that deliver rapid results.

Must live in the Knoxville, Tennessee metro area and must be a US Citizen capable
of passing a Public Trust background investigation. This is a two-year contract.

Job Summary:
As a Governance Risk and Compliance (GRC) Analyst 3 at C2 Labs you will work with a
team of security analysts and engineers to implement regulatory frameworks such as the
Federal Information Security Modernization Act (FISMA), the Federal Risk and Authorization
Management Program (FedRAMP) and the State Risk Authorization Management Program
(StateRAMP). You will leverage GRC tools to develop security authorization package
documentation such as the System Security Plan (SSP), Security Assessment Plan (SAP),
Security Assessment Report (SAR), and the Plan of Actions & Milestones (POA&M) in human
readable and machine-readable formats. You will draft security control implementation
statements with enough detail to facilitate the testing of the controls and will develop supporting
documentation including the Contingency Plan (CP), Incident Response Plan (IRP), and
Configuration Management Plan (CMP). As a GRC Analyst 3 your primary responsibility will be
to ensure the timely development of the security authorization package in accordance with C2
Labs quality standards.

Job Responsibilities:

  1. Categorize systems in accordance with Federal Information Processing Standards (FIPS) 199
    and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60.
  2. Select and tailor security controls by applying scoping guidance in accordance with NIST SP
    800-53 and FedRAMP specific guidance. Document the implementation characteristics for
    security controls with enough detail to permit the testing of the security control by an
    independent assessor/Third Party Assessment Organization (3PAO).
  3. Develop, review, and update security authorization package documentation to include
    the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment
    Report (SAR), and Plan of Actions and Milestones (POA&M).
  4. Develop, review, and update supporting documentation including the Contingency Plan
    (CP), Incident Response Plan (IRP), and Configuration Management Plan (CMP).
  5. Conduct Security Impact Assessments (SIAs) on changes to information systems.
  6. Create the Control Implementation Summary (CIS)/Customer Responsibility Matrix
    (CRM) workbook outlining Cloud Service Provider (CSP) and customer responsibilities.
  7. Develop, review, and update policies and procedures to support the implementation of
    the NIST 800-53 control families.
  8. Leverage the next generation of Governance Risk and Compliance (GRC) tools to
    automate the creation of the SSP.
  9. Review current security assessment and authorization processes and provide
    recommendations for improvement.
  10. Develop Risk Assessment Reports (RAR).
  11. Provide guidance on NIST 800-53, FedRAMP, and StateRAMP control requirements.
  12. Develop and deliver training to educate stakeholders on the various tasks and activities
    associated with the RMF.

Qualifications:

  1. Minimum 3-5 years’ experience in IT consulting specializing in Governance, Risk, and
    Compliance using the RMF.
  2. CISSP, CISM, or CAP certification is preferred.
  3. Excellent communication and interpersonal skills, with the ability to build a rapport and
    trust with clients.
  4. Knowledge of the cybersecurity industry, including regulatory frameworks such as the
    National Institute of Standards and Technology (NIST) Risk Management Framework
    (RMF), Federal Risk and Authorization Management Program (FedRAMP), Department of
    Defense (DoD) Impact Levels (2-6), and the State Risk Authorization Management
    Program (StateRAMP).
  5. Possesses an in-depth understanding of the FedRAMP authorization process and
    associated templates and deliverables.
  6. Must have experience creating security authorization package documentation (i.e., SSP,
    SAP, SAR, & POA&M) and managing system authorization artifacts for a FedRAMP
    authorized cloud environment.

Working knowledge of:

  1. NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and
    Organizations.
  2. FedRAMP Security Controls Baselines (i.e., Low, Moderate, High, and Li-SaaS).
  3. StateRAMP Security Control Baselines (i.e., Low Impact Ready, Low Impact Authorized,
    Moderate Impact Ready, Moderate Impact Authorized).
  4. NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal
    Information Systems.
  5. Must have strong technical writing skills.
  6. Must be able to work independently under only general direction.
  7. Must be able to interpret and provide consulting expertise on FedRAMP security
    requirements.
  8. Must have extensive knowledge in reviewing, analyzing, and documenting the secure
    implementation of logical controls, physical controls, environmental controls, personnel
    security, and incident handling.
  9. Experience preparing monthly continuous monitoring deliverables (e.g., vulnerability
    scans, POA&Ms, and asset inventory) for submission to the FedRAMP PMO.
  10. Must be a US Citizen and capable of passing a Public Trust background investigation.