xelys jobs xelys jobs

Security / RMF Engineer

Aretum

hybrid, mid, permanent, security, devops | McLean, VA | Yesterday via LinkedIn

Tags

NIST 800-53, RMF, ATO, AWS Security, ServiceNow GRC, SIEM, Splunk, DevSecOps, CI/CD, Security Risk Management

About the role

Role Overview

Aretum is seeking a Security / RMF Engineer to ensure compliance with VA security requirements and to manage the ATO (Authorization to Operate) lifecycle. The role may involve handling Controlled Unclassified Information (CUI) and following applicable safeguarding and compliance requirements.

Responsibilities

  • Develop and maintain RMF documentation including:
    • SSP (System Security Plan)
    • POA&M (Plan of Actions & Milestones)
    • SAR (Security Assessment Report) inputs
  • Map and implement security controls across system layers
  • Coordinate with VA security stakeholders
  • Support vulnerability scanning and remediation
  • Enable continuous monitoring and ongoing compliance

Requirements

  • RMF (NIST SP 800-53) experience, including understanding of control families and tailoring
  • Strong ATO process experience (SSP development, POA&M management, authorization workflows)
  • ServiceNow GRC (or similar) for documentation and tracking
  • Cloud security experience with AWS, including shared responsibility concepts
  • Identity & Access Management concepts (RBAC, least privilege, federation)
  • Encryption: TLS, data-at-rest encryption, and key management (KMS)
  • Vulnerability management using scanning tools and remediation workflows
  • Logging & monitoring and SIEM integration concepts (e.g., Splunk, Datadog)
  • Network security: segmentation, ingress/egress control, and awareness of TIC requirements
  • Compliance familiarity:
    • HIPAA awareness
    • FISMA/FedRAMP basics
  • DevSecOps integration: security in CI/CD pipelines
  • Risk assessment: identifying and documenting system risks and mitigations

Nice-to-Haves / Additional Notes

  • Public Trust eligibility required (and ability to obtain/maintain it based on agency background investigation requirements)
  • U.S. citizenship required for federal contract

Travel / Work Location

  • Remote position with occasional travel (<10%) for project needs, client meetings, team events, or training.

About Aretum

Aretum is a mission-driven technology and consulting organization serving defense, civilian, and homeland security sectors. They help agencies solve critical challenges by combining strategy, technology, and transformation. Aretum emphasizes investment in people, collaboration, inclusion, and professional growth.

Scraped 4/22/2026
