Senior Control Assessment Analyst

Edgewater Federal Solutions
medical insurance, dental insurance, life insurance, vision insurance, paid time off, 401(k)
United States, D.C., Washington
Dec 20, 2025

Job Locations: US-DC-Washington
ID: 2025-4233
Category: Information Technology
Type: Full Time

Overview

Edgewater is seeking a Sr. Control Assessment Analyst to perform as the FISMA control analyst supporting the Cloud Architecture and Administration. The candidate must be able to demonstrate working knowledge of M365 products, Xacta360, NIST 800-53, AWS, Azure, and Terraform. The successful candidate is self-motivated, has strong analytical skills, possesses the ability to learn quickly and can handle multiple projects simultaneously.

The work will be performed onsite in Washington, DC.



Responsibilities

The Board's Assessment and Authorization (A&A) program operates in alignment with the NIST Risk Management Framework (RMF) as outlined in the current release of NIST SP 800-37. The objective of the Control Assessment task is to provide security subject matter expertise to develop A&A methodologies, maintain accurate assessment schedules, and conduct control assessment activities for newly developed or acquired information systems, as well as for systems and common controls in ongoing authorization.

Assessment Methodology

  • Develop a methodology for conducting control assessments for software-as-a-service (SaaS) solutions operated by a vendor on behalf of the Board that have not received FedRAMP authorization, and assessing external organizations and systems that process, store, or transmit Board information.
  • Align those assessment methodologies with principles set forth in FISMA, OMB, and NIST standards and publications, and consider efficient and cost-effective means of assessment to allow Board senior leaders and stakeholders to make risk-based authorization decisions.

Planning and Scheduling

  • Develop and maintain a Master Assessment Schedule that tracks new information systems that require full control assessments and existing information systems and common controls under ongoing authorization that are in the continuous monitoring phase of the RMF.
  • Develop the Master Assessment Schedule such that it shall adjust estimated completion dates in real-time to account for unplanned assessments, changes in prioritization, delays, or changes in resource availability. Enable Board security staff to provide stakeholders with estimated completion dates for all scheduled A&As at any given time.

Control Tailoring and Overlays

  • Review and update Control Overlays that define and justify the applicable security and privacy controls for information systems with common characteristics, such as internally developed web applications, FedRAMP authorized SaaS solutions, etc.

Control Assessment Plans

  • Based on the receipt and review of artifacts provided by system owners or support staff that may include, but are not limited to, FIPS-199 Categorization Memos, System Security and Privacy Plans (SSPP), Contingency Plans, etc., develop control assessment plans (CAPs) for each system, service, or common control provider to be assessed, that includes, at minimum:
    • The assessment methodology to be followed.
    • The objectives and scope of the assessment.
    • System points of contact and the control assessment team members.
    • Any recommended changes to, or questions related to, the system control baseline.
    • Controls to be assessed and the assessment procedure for each control.
    • Tasks to be accomplished, dependencies, time allocated per task, and resources allocated for each task.
    • The CAP shall identify all system access, demonstrations, interviews, or other accommodations needed by the assessment team prior to control assessments.
    • CAPs for systems and common controls in ongoing authorization shall ensure that all applicable controls are assessed within a three-year cycle.

Control Assessments

  • Ensure that control assessors maintain independence and avoid potential or perceived conflicts of interest with respect to the control assessments.
  • Work with system owners, support teams, developers, vendors, and other stakeholders as necessary to conduct control assessments for all security and privacy controls described in the CAP. Control assessments shall be conducted in accordance with NIST SP 800-53A (current version) or NIST SP 800-171A (current version) guidance, and will include assessments of technical, operational, and management controls.
  • Document the results of each control assessed, to include the outcome of the assessment and the artifacts or evidence evaluated to support the assessment result.
  • Include in each control assessment a review of control selections for each system or common control provider, validating control inheritance decisions, and control overlays. Ensure that applicable controls are not omitted from SSPPs or Customer Controls.

Control Assessment Reports and Authorization Package Support

  • Support the finalization of the A&A package by providing a summary of the control assessment findings in a Control Assessment Report (CAR). The CAR shall describe the risk associated with all findings resulting from the control assessment and recommendations for correcting any deficiencies. The CAR shall include a statement from the control assessor summarizing the overall risk to the Board of operating the system or service as it relates to the authorization to operate decision.
  • Participate in issue resolution discussions and authorization briefings to describe control deficiencies and necessary remedial actions to stakeholders and authorization officials.

Post Authorization Assessment

  • Develop a post-authorization assessment process for internally developed systems intended to validate the carryover of specific controls from development or test environments into production. Carry out the post-authorization review and include the results as an addendum to the CAR.

Control Monitoring

  • Impact Analysis
    • Complete Security Impact Analysis (SIAs) to determine the security impact associated with changes to Board information systems. The SIA shall identify the risk associated with the change, identify any impacted security controls, and define applicable control assessment procedures to verify that impacted controls are still in place and operating as intended.
  • Ongoing Control Assessments
    • Assess a selected subset of the technical, management, and operational controls employed by the Board information systems and common control providers in accordance with the Board's continuous monitoring strategy.
    • Annually, develop a report to summarize the results of the control assessments of systems in ongoing authorization conducted throughout the fiscal year. This annual report shall identify any systemic risks, lessons learned, or recommendations based on the results of control assessments and A&A activities.

The candidate shall demonstrate the below knowledge and experience:

  • Managing FISMA work with a cyber risk and compliance automation platform (e.g., Xacta360)
  • Supporting Authorizations to Operate (ATOs) per FISMA guidelines
  • Familiarity with AWS, Azure, and Terraform systems and their control requirements


Qualifications

  • All candidates must be US citizens.
  • At least five years of experience performing the functions associated with this labor category.
  • Experience performing control assessments as part of a team in accordance with applicable NIST standards (NIST 800-53, Rev 5, or newer version, as applicable).
  • Experience preparing control assessment plans, executing technical and non-technical assessment actions, evaluating the risk associated with areas of deficiency, and documenting detailed findings and executive-level summaries of assessment results.
  • Experience briefing stakeholders on key findings, recommendations, risks, and impacts.
  • Experience providing direct support of information security compliance activities, including managing plans of actions and milestones (POA&Ms) and inventories of information systems.

Desired Certifications:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Analytics Professional (CAP) Preferred or equivalent

Additional benefits include:

  • Paid Time Off & Holiday Pay
  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Disability, Life Insurance, and AD&D
  • Flexible Spending Accounts
  • Pre-Tax 401K and/or After-Tax Roth IRA (with employer matching contribution)
  • Tuition and Technical Training Reimbursement
  • Exercise Reimbursement
  • Employee Assistance Program

About Us:

Edgewater Federal Solutions is a privately held government contracting firm located in Frederick, MD. The company was founded in 2002 with the vision of being highly recognized and admired for supporting customer missions through employee empowerment, exceptional services and timely delivery. Edgewater Federal Solutions is ISO 9001, 20000-1, 270001 certified, appraised at CMMI Level 3 Maturity for Development and Services, and has been named in the Top Workplaces in the Greater Washington Area Small Companies for 2018 through 2025.

It has been and continues to be the policy of Edgewater Federal Solutions to provide equal employment opportunities to all employees and applicants for employment without regard to race, color, religion, gender, sexual orientation, national origin, age, disability, marital status, veteran status, and/or other statuses protected by applicable law.
