
FedRAMP Analyst
Posted 2 days ago

This is a fully remote position, open to applicants in Washington.
• Implement the monthly FedRAMP Continuous Monitoring (CONMON) calendar, ensuring all necessary artifacts and submissions are completed on time.
• Manage the monthly tracking of vulnerability remediation: process scan outputs, monitor and track remediation tickets, verify closure evidence, and ensure compliance with SLAs (e.g., 30/90/180-day timelines).
• Update and maintain the Plan of Action and Milestones (POA&M): create/update POA&M items, document milestones, track deadlines, coordinate risk statements with the Legal team, and facilitate approvals.
• Produce and keep monthly inventory and configuration evidence current (e.g., Integrated Inventory Workbook/IIW updates, authorized software documentation, baseline/configuration drift support).
• Compile monthly CONMON reporting packages, which include Monthly Security Status Reports, inputs for the CONMON Executive Summary, deviation requests, and other reports needed by the Sponsoring Agency, FedRAMP PMO, or Authorizing Official.
• Prepare requests for deviations and exceptions: collect technical justifications, documentation of compensating controls, scope/impact statements, and route for necessary approvals.
• Assist with continuous monitoring governance activities: provide access review evidence, log/monitoring review evidence, and coordinate corrective actions with Engineering and Security & IT.
• Organize the CONMON and ATO artifact repository in Google Drive (or designated system): manage version control, naming conventions, evidence indexing, and ensure an audit-ready structure.
• Facilitate annual security testing activities (e.g., penetration tests, red-team exercises if applicable, IR/ISCP tabletop exercises) by tracking schedules, gathering artifacts, and documenting the status of remediation.
• Help coordinate annual 3PAO assessments: collect evidence, schedule interviews, track assessor Q&A, and monitor findings remediation in collaboration with the VP of Federal Operations.
• Assist with significant change workflows: evaluate the impact on compliance, document change narratives, update SSP appendices as necessary, and preserve change evidence for CONMON.
• Monitor training compliance for federal systems (Rules of Behavior acknowledgments, required awareness training completion) in collaboration with People Ops and Security & IT.
• Act as the primary contact for internal stakeholders regarding FedRAMP evidence requests and compliance status updates; escalate risks and obstacles to the VP of Federal Operations.
• Minimum of 3 years of experience in cybersecurity compliance, Governance, Risk Management, and Compliance (GRC), or managing regulated cloud environments (FedRAMP, DoD IL, CJIS, HIPAA, PCI, ISO 27001/42001, or similar).
• Proven experience executing continuous monitoring or recurring compliance reporting programs, ideally on a monthly cadence.
• Familiarity with NIST 800-53 and FedRAMP concepts (management of POA&M, SSP/ATO artifact structure, and expectations for assessment evidence).
• Experience in coordinating vulnerability remediation tracking and translating technical findings into compliance artifacts (tickets, evidence, milestones, risk language).
• Strong project management and organizational abilities; adept at managing multiple deadlines and input from various stakeholders.
• Excellent communication skills for creating audit-ready narratives, status reports, and executive summaries.
• Comfortable collaborating with technical teams (Engineering, Security) to gather evidence and verify remediation results.
• Experience utilizing common tools for evidence and workflow tracking (Google Drive, Jira/Linear, spreadsheets, ticketing systems).
• Capability to handle confidential and sensitive cybersecurity information.
• Candidates must be able to meet government security clearance requirements as necessary for this position.
Preferred Qualifications:
• Direct experience supporting a FedRAMP Moderate/High authorization, annual 3PAO assessment, or agency ATO process.
• Experience with SecondFront/Game Warden or other FedRAMP-adjacent platforms and inherited-control models.
• Understanding of vulnerability scanning, SIEM/log review concepts, and secure SDLC evidence (SAST/DAST, threat modeling).
• Experience with evidence automation or compliance engineering methodologies (repeatable evidence packets, templates, control mapping).
• Relevant certifications (e.g., Security+, SSCP, CISSP Associate, CAP, CISA, PMP).
• Medical, Dental, Vision, STD and LTD Plans
• FSA - Medical and Dependent Care
• EAP and wellness programs
• 13 Paid Holidays
• Unlimited PTO
• Flexible work environment - 100% remote
• 401(k) plan