FedRAMP Compliance Consultant - Information Systems Security Analyst (Contractor)
Role Overview:
We are seeking a FedRAMP Compliance Consultant to support our IT Security team in achieving and maintaining compliance with federal and public sector security requirements. This is a contract, time and materials (T&M) engagement, focused on assisting with FedRAMP assessment, documentation, and continuous monitoring activities. The ideal candidate will bring practical experience with FedRAMP and NIST frameworks, possess strong organizational skills, and demonstrate the ability to collaborate effectively with internal and external stakeholders.
Responsibilities:
- Assist with FedRAMP assessment and authorization processes, including managing artifacts and evidence collection.
- Update and maintain System Security Plans (SSPs) and other compliance documentation.
- Support audit preparation activities, including third-party auditor walkthroughs and interviews.
- Collaborate with cross-functional teams to implement and validate security controls.
- Conduct security control assessments and document findings.
- Analyze vulnerability scan results from tools such as Tenable, Qualys, and Wiz, and assist with remediation planning.
- Provide support for continuous monitoring (ConMon) activities and risk management tasks.
- Develop and update security policies and procedures as required.
Minimum Qualifications:
- 3–5 years of experience working with FedRAMP compliance or similar public sector compliance programs.
- Solid understanding of NIST 800-53 security controls and risk management frameworks (RMF).
- Hands-on experience developing and maintaining FedRAMP-related documentation, including SSPs.
- Familiarity with vulnerability scanning tools (e.g., Tenable, Qualys, Wiz) and interpreting scan results.
- Strong organizational skills with the ability to manage multiple tasks and priorities.
- Excellent written and verbal communication skills.
Preferred Qualifications (Not Required):
- Experience supporting FedRAMP audits or working with third-party assessment organizations (3PAOs).
- Knowledge of additional compliance frameworks, such as StateRAMP or DoD IL4.
- Prior experience in cloud security or SaaS environments.
Contract Details:
- Duration: 6 months to 1 year
- Location: Remote or hybrid (with occasional onsite requirements in the Bay Area, if necessary)
- Start Date: January 15-30, 2025
Scope of Work:
- Conduct comprehensive FedRAMP assessment and authorization activities
- Develop, update, and maintain System Security Plans (SSPs) with meticulous attention to detail
- Coordinate and support audit evidence collection processes and internal SME and third-party auditor walkthroughs/interviews
- Assist in planning and preparing for security audits and assessments
- Collaborate with cross-functional teams to implement and validate security controls and capture implementation details in SSP
- Perform security control assessments and document findings
- Support continuous monitoring and risk management activities
- Gain a thorough understanding of system architecture and security capabilities
- Analyze vulnerability scans from tooling such as Tenable Security Center, Wiz, Qualys, etc.
- Assist in developing and updating security documentation and policies
Defined Scope of FedRAMP Assessment and Authorization Activities:
- Onboarding of new services for FedRAMP risk management security requirements
- Support remediation activities for public sector risks across the organization.
- Drive continuous monitoring strategy with federal, state, and local government agencies.
- Drive collection of 400+ assessment evidence artifacts.
- Co-own the Risk Management Framework (RMF), Assessments, and Authorization (A&A) process and packages (e.g., System Security Plans).
- Risk mitigation across the organization.
- ConMon is currently a single point of failure and is a critical contractual and regulatory requirement.
- Maintain DoD IL4, FedRAMP, StateRAMP, TxRAMP authorizations.
Skills and Experience:
- Experience with industry compliance standards as they relate to Software as a Service and Cloud Computing with a particular focus on Public Sector / US Federal standards such as FedRAMP, StateRAMP, NIST, CMMC
- Demonstrated experience with FedRAMP authorization processes
- In-depth understanding of NIST SP 800-53 security controls
- Knowledge of NIST risk management framework (RMF)
- Experience with developing security documentation (e.g., FedRAMP templates) from start to finish
- Strong analytical and problem-solving skills
- Built or significantly improved an organization’s common controls framework
- Excellent written and verbal communication abilities
Preferred Qualifications:
- Past FedRAMP audit and/or Big 4 consulting experience