xelys jobs

Security / RMF Engineer

Aretum

hybrid, mid, permanent, security, backend | McLean, VA | Yesterday via LinkedIn

Tags

RMF, NIST 800-53, ATO Lifecycle, AWS Security, ServiceNow GRC, SIEM, Vulnerability Management, CI/CD Security, Identity and Access Management, FISMA, FEDRAMP

About the role

Role Overview

Aretum is seeking a Security / RMF Engineer to ensure compliance with VA security requirements and manage the ATO lifecycle. The role may involve handling CUI and adhering to applicable safeguarding and compliance requirements.

Responsibilities

  • Develop and maintain RMF documentation, including:
    • SSP (System Security Plan)
    • POA&M (Plan of Actions and Milestones)
    • SAR inputs (as applicable)
  • Map and implement security controls across system layers
  • Coordinate with VA security stakeholders
  • Support vulnerability scanning and remediation
  • Enable continuous monitoring and ongoing compliance

Requirements (Core)

  • RMF / NIST: NIST SP 800-53, control families, and tailoring
  • ATO Lifecycle: SSP development, POA&M management, authorization workflows
  • GRC tooling: ServiceNow GRC (or similar) for documentation and tracking
  • Cloud Security: AWS security controls and the shared responsibility model
  • Identity & Access Management: RBAC, least privilege, federation concepts
  • Encryption: TLS, data-at-rest encryption, key management (KMS)
  • Vulnerability Management: scanning tools and remediation workflows
  • Logging & Monitoring: SIEM integration (e.g., Splunk/Datadog concepts)
  • Network Security: segmentation and ingress/egress controls; TIC awareness
  • Compliance Exposure: HIPAA awareness and FISMA/FEDRAMP basics
  • DevSecOps: security in CI/CD pipelines
  • Risk Assessment: identify and document system risks and mitigations

Nice-to-haves / Additional Notes

  • Familiarity with security compliance workflows in federal environments

Travel / Work Location

  • Remote position with occasional travel (<10%) as needed for project/client meetings, collaboration, or training.

Eligibility

  • Public Trust eligibility required.
  • U.S. citizenship required to support a federal government contract (ability to obtain and maintain Public Trust or Suitability determination, as required by the agency).

About Aretum

Aretum is a mission-driven federal consulting organization delivering innovative, technology-enabled solutions across defense, civilian, and homeland security. The company works at the intersection of strategy, technology, and transformation, supporting agencies with critical challenges while investing in people through collaboration and professional growth.

Scraped 4/7/2026
