Analyst FedRAMP Compliance Program
The Compliance Analyst, FedRAMP Program is responsible for Qualys’ ongoing FedRAMP compliance efforts, working collaboratively across teams to manage risk within the organization and helping to shape the Qualys information security program through enhanced, mature documentation and evaluation of the organization’s Risk Registers and Plan of Action and Milestones (POA&M). You will be part of a team that works side by side with the Security Operations (SecOps), Information Security, and Engineering teams, along with others from across the organization, to ensure that Qualys protects the confidentiality, integrity, and availability of Qualys internal data and customers’ data, and that management, operational, and technical security controls are implemented across all products and solutions in accordance with the compliance standards selected by the organization. This role will augment the existing Qualys Compliance team in evaluating and assessing the security and compliance of technology, processes, procedures, operating environment, and people in support of new and ongoing audit and assessment efforts and customer-driven and regulatory compliance initiatives.
This position is open to candidates based in Foster City, CA (West Coast), Raleigh, NC, or the Washington, DC area, including Northern Virginia and Maryland. This role will be primarily remote, with an estimated 10% travel when safe to do so after pandemic restrictions are lifted.
- Participates in the development and implementation of an effective FedRAMP program that leverages Department of Defense (DoD), Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), Federal Information Security Management Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), and other applicable government standards, policies and regulations (e.g., NIST 800-137, NIST 800-53, 800-37 and 800-39)
- Works closely with internal Qualys teams to ensure timely delivery of daily, weekly, monthly, and annual FedRAMP documents, assisting the Compliance team and company with meeting required FedRAMP milestones and objectives in support of FedRAMP authorization maintenance
- Assesses and reviews FedRAMP Program and strategy effectiveness and develops reports and briefings for leadership on FedRAMP Program and strategy gaps and weaknesses while also recommending solutions to enhance capabilities and address gaps
- Reviews and documents risk tolerance within the enterprise architecture, security architecture, security configurations, planned changes to the enterprise architecture, and available threat information
- Assists in the development and tracking of metrics and measurements (e.g., number and severity of vulnerabilities discovered, remediation timelines and metrics, number of unauthorized access attempts, configuration baseline information, contingency plan testing dates, and results of testing)
- Analyzes and validates the FedRAMP information collection and reporting process and provides recommendations, based upon FedRAMP-defined and industry best practices, to improve processes and support efforts to integrate technology outputs to automate ConMon and Annual Authorization reports
- Provides support to compliance audit and assessment efforts, including with external third-party auditors, customer auditors, and internal audit functions, through evidence collection and upload, auditor/customer-facing interview support, and auditor walk-throughs of policies, procedures, and related compliance and security documentation via various intranet portals and sites
- Provides support with creating, updating, and maintaining documentation and evidence/artifacts, and supports internal efforts to create streamlined document repositories that allow ease of use and long-term maintenance
Qualifications and Experience
- Experience in project or program management. PMP or other management certification desired.
- Demonstrable experience in supporting previous FedRAMP, NIST, ISO, SOC2 or other similar governance and compliance frameworks
- Strong understanding of common compliance and governance framework security controls and how security controls are implemented technically for a fast-growing and fast-paced security and compliance product company
- Must possess strong presentation skills and communicate professionally in emails and customer responses and with auditors and internal teams
- Comfortable interacting at all levels within both internal and customer organizations (i.e., from C-level to front-line technical staff)
- Organized and analytical, able to identify efficiencies and eliminate internal and external obstacles through creative and adaptive approaches
- 2-5 years of Cyber Security, Information Assurance, Security/Solution Architecture, technical auditing and assessment, or other related experience
- Bachelor’s Degree or equivalent experience and/or certifications (CISSP, CCSK, CCSP, or other related) desired
- Strong working knowledge of, and the ability to competently demonstrate the use of, tools such as Microsoft Office, MS SharePoint, MS Project, MS Planner, Atlassian JIRA, and Confluence
- Recent experience with or understanding of Qualys products and scanners is desired, but not required