Sr. Security RMF Audit Analyst
2 weeks ago
Who We Are: Oasys International, LLC (Oasys) is a rapidly expanding firm that has been recognized on Inc. 5000 magazine's list of the fastest-growing companies for five consecutive years. We are a dynamic organization dedicated to providing world-class technology consulting services through our team of expert technologists, consultants, engineers, and subject matter experts. At Oasys, we prioritize continuous learning, a healthy work-life balance, and a collaborative work environment. Our culture is merit-based, recognizing and rewarding performance and fostering a supportive and social atmosphere.
Position Summary:
Oasys is seeking a Sr. Security RMF Audit Analyst to support the United States Coast Guard (USCG) at the Aviation Logistics Center (ALC)-Information Systems Division (ISD). The Sr. Security RMF Audit Analyst will lead audit preparation and execution, support continuous RMF lifecycle activities, and oversee compliance with federal cybersecurity requirements across on-premises, virtual, and cloud-hosted systems.
This position will serve as a senior technical advisor in security compliance efforts, guiding cross-functional teams through POA&M development, control remediation, ATO documentation, and continuous monitoring in accordance with NIST 800-53, DHS 4300A, and FISMA standards.
Primary Responsibilities:
- Oversee the Risk Management Framework (RMF) lifecycle, including assessment, authorization, and continuous monitoring across all ALC-ISD systems.
- Lead and coordinate internal and external cybersecurity audits, including pre-audit readiness assessments and post-audit remediation tracking.
- Validate the implementation of security controls (NIST SP 800-53 Rev. 5) and ensure they are effectively documented within System Security Plans (SSPs), Security Assessment Reports (SARs), and related artifacts.
- Design and implement vulnerability management strategies, assess threat vectors, and develop comprehensive Plans of Action and Milestones (POA&Ms).
- Analyze cyber risks and provide guidance on remediation strategies aligned with DHS policy and evolving cybersecurity threats.
- Perform and document risk assessments, penetration testing coordination, and impact analyses to evaluate the security posture of information systems.
- Collaborate with Security Control Assessors (SCAs), engineers, ISSOs, and DevSecOps teams to ensure audit alignment with enterprise system modernization efforts.
- Manage and maintain audit packages, compliance dashboards, and evidence repositories using platforms like Jira, Confluence, and SharePoint.
- Assess and validate configurations of infrastructure (e.g., Windows, Linux, databases, Active Directory) for compliance with security benchmarks (e.g., DISA STIGs, CIS).
- Draft and update security-related documentation including SOPs, incident response plans, and security test procedures.
- Serve as a subject matter expert to stakeholders on RMF best practices, ATO sustainment, and security documentation management.
- All other duties as assigned by management.
Skills/Qualifications:
- Advanced knowledge of NIST RMF, NIST SP 800-37, 800-53, DHS 4300A, and FISMA compliance.
- Experience preparing and maintaining RMF ATO documentation and conducting system assessments.
- Familiarity with Security Information and Event Management (SIEM) platforms for log analysis and incident monitoring.
- Proficient in evaluating and documenting security configurations and technical implementations for federal systems.
- Strong understanding of cybersecurity audit workflows, control testing, and risk-based prioritization of vulnerabilities.
- Excellent writing and communication skills, capable of producing technical documentation and executive summaries.
- Experience in Agile or DevSecOps environments, with a strong understanding of security integration within CI/CD pipelines.
Education/Experience Requirements:
- Bachelor's or Associate's degree in Computer Science, Math, Information Technology, Engineering, or related field. Two (2) years of directly relevant experience may substitute for one (1) year of formal education.
- Minimum of five (5) years of experience in information security, including auditing and IT controls design experience.
- Minimum of five (5) years of experience with Security Information and Event Management (SIEM).
- Minimum of five (5) years of experience in the risk management framework.
- Hands-on experience with Active Directory, Windows/UNIX systems, and relational databases in secure environments.
- Previous support of federal government enterprise systems or DHS/DOD programs is strongly preferred.
Clearance:
- U.S. citizenship required.
- Must have an active DoD Secret Clearance.
Certification Requirement:
- CompTIA Security+
- Additional certifications (Network+, AWS Certified Cloud Practitioner, Microsoft Azure Fundamentals, Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), ITIL Foundation, TOGAF, or other cybersecurity architecture certifications) are a plus.
Work Location:
- Elizabeth City, NC - Hybrid
- North Carolina Region - Must be able to go on-site at least three days a week
Oasys is proud to be an equal opportunity employer for all protected groups, including protected veterans and individuals with disabilities.