Consultant – Fedramp Assessment

Company: Coalfire
Location: United States
Salary: $64000 – $112000
Type: Full-Time
Experience Level: Junior, Mid Level

Requirements

  • Minimum of 2-3 years of experience in the cloud technology or IT audit industry
  • Strong familiarity with NIST Special Publications 800-37, 800-53, and 800-53A desired
  • Familiarity with major cloud service offerings (AWS, Azure, Google Cloud)
  • Ability to read and interpret all NIST control families and understand the risks associated with specific controls
  • Familiarity with the authorization process of other comparable frameworks (PCI, SOC, HITRUST, etc.)
  • Growing ability to independently research a technical topic and develop logical testing approaches to validate 800-53 control implementations
  • Proficient ability to assist with artifact collection and validation against requirements
  • Basic proficiency at interpreting technical evidence like cloud configurations and network/boundary/data flow diagrams
  • Strong written and verbal communication skills including the ability to explain technical matters to a non-technical audience
  • Strong personal initiative to appropriately manage time and meet deadlines
  • Strong consulting skills: the ability to advise and challenge the status quo while building strong relationships; a credible written and verbal communicator
  • High attention to detail
  • Diplomatic and broad-minded
  • Ability to travel up to 20%

Responsibilities

  • Partner with a team of assessors as a compliance subject matter expert in at least one domain and contribute to client assessment planning
  • Draft audit programs that address both regulatory requirements and the complexity of client environments
  • Autonomously lead interview and inquiry walkthroughs with clients to determine the conformity of environments against stated requirements
  • Analyze security vulnerabilities against the appropriate security frameworks
  • Perform remote reviews of client-provided documentation; identify and flag items for follow-up or clarification
  • Evaluate client evidence for compliance across various standards
  • Prepare, review, and contribute to formal assessment reports
  • Clearly communicate compliance concepts and recommendations to clients
  • Ensure high-quality deliverables are provided on time, aligned with Coalfire’s standards
  • Pursue ongoing professional development; maintain current industry certifications and subject matter expertise
  • Execute assessment procedures, including interviews and technical testing, aligned with applicable controls
  • Review and assess the respective information system security plans (SSPs) to ensure control requirements are met
  • Understand how to apply quality standards and adhere to a minimum benchmark for quality assurance throughout the documentation of each work product or deliverable
  • Take ownership of assigned responsibilities, demonstrating accountability and initiative in driving tasks to completion with minimal oversight
  • Apply analytical thinking to identify trends, evaluate compliance effectiveness, and support data-driven decision-making
  • Actively contribute to the evolution of compliance assessment practices, providing input and feedback to enhance methodology
  • Collaborate with internal teams to develop tools, templates, and repeatable processes that streamline workflows and increase operational efficiency
  • Be team-oriented, support the overall team's development, and contribute to the culture

Preferred Qualifications

  • CISSP (or Associate), CISA, CCSP, Cloud+, CySA+, CASP+, or other R311 required “3PAO Junior Assessor” cybersecurity certification. BCR desired completion, but not required
  • Cloud certifications demonstrating basic cloud proficiency preferred: AWS Cloud Practitioner, Azure Fundamentals, Google Foundational
  • Expertise in other security frameworks is a positive but not required (SOC 2, ISO, NIST RMF or FISMA, COBIT, HIPAA/HITECH, HITRUST, or PCI)
  • Experience working with technologies hosted via cloud computing environments (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform)
  • Experience reviewing Nessus output is a plus, along with basic knowledge of networking components and various operating systems in a cloud environment, including UNIX and Microsoft