Be on Alert – Fraudulent Employment Offers. Learn More

Hampton, Virginia, United States of America
JOB #R2003561

Cybersecurity Systems Control Support Analyst

ICF is seeking a Cyberspace Operations professional, with prior military, civil service and/or contractor experience within HQ Air Combat Command (ACC), and/or 15th/16th AF staff/subordinate units.  Candidate will provide cyberspace operations support and technical expertise to facilitate Air Operations Squadron (AOS) support to properly implement and sustain DOD cybersecurity and Risk Management Framework (RMF) requirements as identified. The support service areas: RMF and AOS policy, guidance, procedure and templates; security control implementation and testing; security control assessments; and RMF training. Work requirement also includes drafting and coordinating with ACC Directorate of Information Dominance (A6) and Air Force Enterprise Action Officers (AO) to obtain recurring software certification of CARP and addition of the software to Joint Mission Planning System (JMPS) Approval to Operate (ATO).  This includes any further follow-on enterprise which may replace ADIS and/or CARP.

Duties include support for all traditional elements of A-Staff support within a MAJCOM, coordination from the strategic level to operations level of war.  In addition, there are numerous technical opportunities across the USAF’s cyber weapon systems portfolio.  The workplace is at ACC headquarters, Joint Base Langley-Eustis in Hampton, Virginia. 

Provides weapon system team management support for defensive and offensive cyberspace weapon system programs.  Assists, coordinates, and provides recommendations on cyber weapon system modernization strategies, and sustainment issues.     

Key Tasks to be accomplished:

  • Assess approved technical and non-technical security features of AOS domain enclave of the Air Force Enterprise to address known threats and vulnerabilities. The assessment must consider and identify impacts as well as consideration of existing risk mitigation strategies.
  • Act as an independent and impartial assessor to determine and certify aggregate cybersecurity risk for recommendations for AOS domain enclave of the Air Force Enterprise.
  • Develop a Security Assessment Plan (SAP) for AOS domain enclave of the Air Force Enterprise within Enterprise Mission Assurance Support Service (eMASS), describing the objectives of the security control assessment and providing a detailed roadmap for performing the assessment, to include:
    • Security Plan (SP)
    • Security Assessment Report (SAR)
    • Risk Assessment Report (RAR)
    • Up-to-date POA&M
  • Participate in Checkpoints (as described in Appendix K of Risk Management Framework Process Guide, Version 2.0, 4 August 2017) and provide recommendations for the SAP, ensuring all appropriate security controls will be assessed for compliance.
  • Provide quality assurance of an RMF SAP related to cybersecurity risk for the AOS domain enclave of the Air Force Enterprise.
  • Provide guidance to AOS Stakeholders on the following:
    • Understanding of the RMF risk assessment process.
    • Knowledge of implementation and applicability of security controls.
    • Use of appropriate test procedures and tools.
    • Recommending mitigation measures for specific vulnerabilities.
    • Reviewing and concurring/non-concurring with Validator’s residual risk.
    • Traceability of test results to system components and the risk assessment, as reflected in the relevant RMF documentation.
    • Understanding of cybersecurity policies and the effects of specific policies to the risk of a system.
  • Select, Implement, Assess, and Monitor Security Controls IAW RMF/NIST standards

What you need to be considered:

Experience/knowledge of a full range of USAF cyberspace operations principles, directives, methodologies, and approaches used in developing, operating, managing, and maintaining services and capabilities that support functional requirements.

Required Qualifications:

  • Must possess IAM Lvl III certifications that meet current DoD 8570.01-M
  • The candidate supporting this task are designated as Information Assurance Management (IAM) level III.
  • Desired the candidate possesses an active Certified Information Systems Security Professional (CISSP) certification
  • However, DoD 8570.01-M allows for other management level III cybersecurity certifications. Any of the other DoD-approved IA management level III baseline certifications are suitable for this task.
    • The candidate supporting this task must have extensive (3 years) DoD Information Assurance Certification & Accreditation Process (DIACAP), RMF and NIST experience in security control assessments and risk assessments utilizing:
  • NIST SP 800-34 Contingency Planning Guide for Federal Information Technology Systems
  • NIST SP 800-47 Security Guide for Interconnecting Information Technology Systems
  • NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
  • OMB A-130 Managing Information as a Strategic Resource
  • NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, current edition
  • NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
  • NIST SP 800-30 Guide for Conducting Risk Assessments, current edition
  • NIST SP 800-39 Managing Information Security Risk, current edition
  • Committee on National Security Systems Instruction 1253, Security Categorization and Control Selection for National Security Systems, March 15, 2012 as amended.
  • Subchapter III of chapter 35 of Title 44, United States Code (also known as the Federal Information Security Management Act (FISMA of 2002)
  • NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems Organizations, current edition
  • The candidate must have a minimum 3 years of experience in cybersecurity documentation and system authorization artifacts (System Security Plan, lifecycle documentation, continuous monitoring plan, Security Assessment Plan, Security Assessment Report, Risk Assessment, etc.).
  • The candidate must have working knowledge of the DoD CS policy requirements set forth in DoDI 8500.01, “Cybersecurity,” and DoDI 8510.01, “Risk Management Framework (RMF) for DoD Information Technology” and their successors.
    • Available at
  • The candidate must have strong critical thinking/analytical skills, creativity, a proven drive for quality, and excellent oral and written communication skills.
  • The candidate must have strong technical writing skills.
  • The candidate must be able to work under only general direction and be able to independently determine and develop an approach to assessor solutions, only needing review upon completion for adequacy in meeting objectives. Must be able to interpret and provide consulting on the development of security guidance, and serve as a RMF SME at key stakeholder meetings
  • The ability to complete accurate documentation in all Microsoft product formats and effectively brief agency management, Security Control Assessors and Authorizing Official is also required.

Desired qualifications - Direct or Related experience in 

  • USAF MAJCOM preferred, however a sister Service also acceptable
    • Staff expertise
  • Operations level of war recommended (ex. AOC, Wing, NAF, MAJCOM, Air Staff or Service equivalent)
  • One  year MAJCOM Action Officer experience or higher experience
  • Desired the candidate possesses an active Certified Information Systems Security Professional (CISSP) certification

Additional qualities for specific team positions

  • Active Top Secret government clearance, with eligibility for Special Compartmentalized Information Indoc (SCI) upon client request 

Willingness and Ability to work full time in the Hampton, VA area.  Potential for approximately 5 – 10% CONUS travel (National Capitol Region (NCR), Alabama, Colorado, Georgia, Illinois, Massachusetts, Ohio, and Texas), dependent on mission need on client request.

Working at ICF

Working at ICF means applying a passion for meaningful work with intellectual rigor to help solve the leading issues of our day. Smart, compassionate, innovative, committed, ICF employees tackle unprecedented challenges to benefit people, businesses, and governments around the globe. We believe in collaboration, mutual respect, open communication, and opportunity for growth. If you’re seeking to make a difference in the world, visit to find your next career. ICF—together for tomorrow.

ICF is an equal opportunity employer that values diversity at all levels. (EOE – Minorities/Females/ Protected Veterans Status/Disability Status/Sexual Orientation/Gender Identity). For more information, please read our EEO & AA policy.

Reasonable Accommodations are available for disabled veterans and applicants with disabilities in all phases of the application and employment process. To request an accommodation please email and we will be happy to assist. All information you provide will be kept confidential and will be used only to the extent required to provide needed reasonable accommodations. Read more about non-discrimination:  EEO is the law and  Pay Transparency Statement.

Virginia Client Office (VA88)

Who is ICF?

A global consulting services company with +7,000 people across +70 countries, but we are not your typical consultants.

More jobs you might like

Feb 22, 2021
Arlington, Virginia, United States of America
Feb 8, 2021
Multiple locations
Jan 21, 2021
Hampton, Virginia, United States of America
Nov 3, 2020
Atlanta, Georgia, United States of America
See All Jobs

Join our talent network

ICF is growing, and we add new open roles to our site regularly. If you're waiting for that perfect opportunity at ICF or want an inside look at what it's like to do world-changing work, join our talent network to stay updated.

Join our talent network

ICF is growing, and we add new open roles to our site regularly. If you're waiting for that perfect opportunity at ICF or want an inside look at what it's like to do world-changing work, join our talent network to stay updated.