RMF / ISSO Lead
Bethesda, MD
Full Time
Senior Manager/Supervisor
Company Overview
Development InfoStructure LLC (Devis) is a leading provider of innovative software development, management, and consulting services, specializing in cutting-edge technologies such as DevSecOps, AI, and Machine Learning. With over 30 years of experience, we have established ourselves as a trusted partner for government agencies, delivering tailored, mission-critical solutions that drive digital transformation and operational excellence. Our client-centric approach, coupled with our deep domain expertise and technical prowess, enables us to forge enduring relationships and consistently deliver high-impact, adaptive solutions that resonate with the unique needs of the public sector.
Job Overview
The RMF / ISSO Lead serves as the leader for the Risk Management Framework (RMF) program and Authority to Operate (ATO) lifecycle under the Information Security Program Support Services (ISPSS) effort supporting the NIH Office of the Director, Office of Information Technology (OD OIT), responsible for managing the RMF lifecycle under NIST 800-53 Rev. 5, leading Assessment and Authorization (A&A) package development, and maintaining the enterprise risk register and POA&Ms. This role drives execution across system categorization and authorization, continuous monitoring, audit and assessment support, and RMF guidance to system owners and ISSOs in close coordination with NIH/OD OIT leadership.
This is a full-time position with work performed primarily offsite, though travel to NIH/OD facilities in the Bethesda, MD area will be required on an as-needed basis. Core hours are Monday-Friday, 7:00 AM - 6:00 PM EST, and after-hours support for emergency incidents will be required as needed by NIH/OD. Position is contingent upon award and client approval.
Primary Duties
Lead RMF Program & Governance
- Manage the RMF lifecycle for new and existing systems and maintain continuous compliance with the NIST 800-53 Rev. 5 baseline
- Maintain the enterprise Risk Management Strategy, RMF Program Plan, common controls, and tailored baselines
- Provide RMF subject matter expertise and guidance to system owners, ISSOs, and stakeholders
- Support C-SCRM and EO 14028 requirements, including third-party/SBOM risk analysis
- Develop and maintain RMF authorization artifacts: SSP, BIA, FIPS 199 categorization, PTA/PIA, Configuration Management Plan, and e-Authentication documentation
- Develop boundary/architecture documents (BSM, ABND) and support control scoping, tailoring, and overlays (e.g., OD AI Overlay; NIST AI RMF 1.0 for AI/ML systems)
- Provide governance and final QA review of System Authorization Packages prior to submission to the Authorizing Official
- Maintain independence: package developers shall not perform SCA/SAR validation for the same system
- Populate and maintain the enterprise Risk Management Register and manage POA&Ms to timely remediation
- Identify, prioritize, and provide enhanced oversight for High Value Assets (HVAs)
- Coordinate and execute annual Contingency Plan Tests and maintain ConMon plans
- Communicate risk posture, compliance status, and authorization updates to senior leadership
- Support internal/external assessments and audits (OIG, GAO, HHS, independent assessors) and track corrective actions
- Manage the Risk Mitigation Waiver Register and annual waiver reassessment
- Facilitate RMF training, office hours, and how-to guides for system owners and technical staff
Required Qualifications
Education & Experience
- Bachelor’s degree in Information Systems, Cybersecurity, Computer Science, or a related field (or equivalent experience)
- Minimum 7 years in RMF / A&A / ISSO support for federal systems
- Demonstrated experience managing the ATO lifecycle and POA&Ms under NIST 800-53
- CISSP, CAP, or CGRC (or comparable RMF/GRC certification)
- Strong working knowledge of NIST RMF, NIST 800-53 Rev. 5, FIPS 199/200, and FISMA
- Experience authoring SSPs and full A&A packages; familiarity with GRC/compliance tools (e.g., JCAM)
- Familiarity with FedRAMP CSP package review and control inheritance
- Clear written documentation and the ability to guide system owners through complex RMF processes
- Strong organization and tracking discipline across many concurrent authorizations
Preferred Qualifications
- Prior NIH/HHS RMF or ISSO support experience
- Experience with AI/ML security overlays and NIST AI RMF 1.0
- Cloud A&A experience (FedRAMP, NIH STRIDES)
Clearance
- Must be able to obtain and maintain the NIH/OD/OIT required clearance level and complete all suitability/onboarding requirements
Salary Range
- $110,000 - $130,000
Devis is an AA/EOE/M/F/Disabled/VET Employer committed to providing equal employment opportunity without regard to an individual’s race, color, religion, age, gender, sexual orientation, veteran status, national origin or disability.