Security Control Assessor (SCA)

Rockville, MD, US


Description

Bizzell US is seeking an experienced Security Control Assessor (SCA) to lead security assessment activities for FOH systems and applications. The SCA will conduct testing, prepare Authority to Operate (ATO) documentation, and coordinate directly with the HHS Office of the Chief Information Officer (OCIO) and Information System Security Officers (ISSOs) to ensure systems meet all federal and HHS cybersecurity standards.
This role is critical in ensuring secure deployment and ongoing compliance of FOH’s information systems.
Key Responsibilities

Security Assessments & Testing

  • Conduct comprehensive Security Control Assessments (SCAs) for GOTS and custom applications.
  • Validate the implementation and effectiveness of NIST SP 800-53 controls and FIPS 199 security categorizations.
  • Perform technical testing as outlined in SCA Test Plans, including vulnerability scans, penetration testing (as required), and security documentation review.

ATO Documentation & Reporting

  • Develop and maintain all required artifacts for ATO submissions, including:
    • Security Assessment Plan (SAP)
    • Security Assessment Report (SAR)
    • POA&M (Plan of Action and Milestones)
    • Risk Assessment Reports
  • Ensure deliverables comply with HHS policy and templates provided by the OS Compliance Management Team.

Stakeholder Coordination

  • Collaborate with HHS OCIO, ISSOs, system owners, developers, and infrastructure teams to collect evidence and address control gaps.
  • Coordinate and schedule assessments, walkthroughs, and evidence reviews.
  • Participate in security briefings, data calls, and ATO working sessions.

Policy Alignment & Quality Control

  • Ensure alignment with federal cybersecurity standards such as NIST 800-37, 800-53, FISMA, and HHS security policies.
  • Maintain a thorough understanding of evolving compliance requirements and best practices.
  • Support continuous monitoring efforts and provide recommendations for improvement based on control effectiveness reviews.
Requirements

Required Qualifications

  • Bachelor’s degree in Cybersecurity, Information Systems, or related field.
  • 5+ years of experience conducting SCAs or working in a security compliance role.
  • Strong knowledge of NIST Risk Management Framework (RMF), ATO process, and federal IT security controls.
  • Experience developing ATO documentation and interfacing with federal security leads.
  • Proficient with vulnerability assessment tools (e.g., Nessus, Tenable) and documentation platforms.

Preferred Qualifications

  • Active CISSP, CISA, CAP, or similar cybersecurity certification.
  • Prior experience supporting HHS or other federal health agencies.
  • Experience using ServiceNow GRC or similar governance tools.
  • Familiarity with GOTS systems and HHS OS Compliance Management SharePoint structure.

Work Environment

  • Hybrid work with some on-site presence in Rockville, MD.
  • Must be available for security briefings, document walkthroughs, and audit prep activities during core business hours (EST).

Region: North America
Country: United States
