• RMF Test & Evaluation SME

    Koniag Government Services (Alexandria, VA)


    Koniag IT Systems, a Koniag Government Services company, is hiring an experience Test & Evaluation SME with a TS/SCI clearance to support KITS and our government customer in Alexandria, VA. This is a Hybrid position.

     

    We offer competitive compensation and an extraordinary benefits package including health, dental and vision insurance, 401K with company matching, flexible spending accounts, paid holidays, three weeks paid time off, and more.

     

    The Test & Evaluation SME plays a critical role in enabling the Department of War’s CSRMC initiative by providing deep expertise in testing, evaluating and validating cybersecurity controls and risk-management processes associated with systems authorized under the legacy Risk Management Framework (RMF) and transitioning into the CSRMC lifecycle. This individual will lead or advise on test planning, execution, independent verification and validation of security, resiliency, survivability and continuous monitoring activities. They will partner with system owners, developers, cybersecurity engineers, authorizing officials (AOs), and program test teams to ensure systems meet evolving risk posture, mission assurance and cybersecurity requirements consistent with the CSRMC’s five-phase lifecycle (Design → Build → Test → Onboard → Operations) and ten foundational tenets (Automation, Critical Controls, Continuous Monitoring, DevSecOps, Cyber Survivability, Training, Enterprise Services & Inheritance, Operationalization, Reciprocity, Cybersecurity Assessments).

    Key Responsibilities:

    + Serve as the SME for cybersecurity test & evaluation (T&E) activities associated with RMF/CSRMC-governed systems — including defining test strategies, planning assessment events, coordinating independent verification and validation (IV&V), and integrating security testing into system lifecycle.

    + Develop and/or review test artifacts (e.g., Test & Evaluation Master Plan (TEMP) segments, T&E event plans, cybersecurity test plans, threat-informed test scenarios, penetration test/Red Team inputs, vulnerability assessment results, system stress/failover/resiliency tests) tailored to CSRMC requirements.

    + Ensure testing covers critical controls, cyber-survivability metrics and continuous monitoring capabilities — validating that controls are implemented correctly, operating as intended, and achieving desired mission outcomes (akin to RMF “Assess” step) but aligned with CSRMC’s dynamic operational posture.

    + Lead or interface with assessment teams (including system owner, developer, cybersecurity engineering, test-eval, ISSM/ISSO) to execute security control assessments, Red/Blue Team exercises, resilience testing in contested environments, and continuous monitoring verification.

    + Analyze test results and findings, produce Test Reports, provide recommendations for corrective actions (Plans of Action & Milestones (POA&Ms) where applicable), track remediation status, and provide visibility to Authorizing Officials (AOs) and cybersecurity leadership.

    + Support authority-to-operate (ATO/ATO-equivalent) decisions by providing test evidence, risk-based assessments of control implementation, system vulnerabilities, and threat-informed scenario outcomes.

    + Facilitate integration of T&E activities into DevSecOps pipelines, system development and deployment workflows to meet CSRMC’s emphasis on automation, continuous verification and operational readiness.

    + Provide subject-matter advice on T&E methodologies, toolsets, techniques (including automated scanning, STIG/SCAP compliance tools, threat-informed testing, mission-based T&E) to enhance cybersecurity posture and support program test communities.

    + Mentor, coach or assist less-experienced cybersecurity/test staff, and contribute to refining organizational test processes, templates and best practices for RMF/CSRMC alignment.

    + Stay abreast of evolving DoW cybersecurity policy, guidance and test & evaluation standards (e.g., DoDI 8510.01, NIST SP 800‑37, T&E Guidebooks) and ensure test activities reflect current requirements.

    Required Qualifications:

    + Bachelor’s degree in Cybersecurity, Computer Science, Information Systems, Engineering or related discipline (or equivalent relevant experience).

    + Minimum of 8-12 years of cybersecurity and/or test & evaluation experience within the DoW, defense industry, or equivalent mission-critical environment.

    + At least 5 years of direct experience in test & evaluation of cybersecurity controls, system authorizations, or RMF/A&A activities in a DoW or Government context.

    + Demonstrated experience planning and executing cybersecurity test events (control assessments, penetration testing, resiliency tests, vulnerability scanning, threat-informed scenario testing) for complex systems, with documented results and remediation tracking.

    + Strong familiarity with the RMF process (Steps: Categorize, Select, Implement, Assess, Authorize, Monitor) and associated artifacts (SSP, SAR, POA&Ms) for DoW systems.

    + Knowledge/experience of the CSRMC initiative or ability to rapidly adapt to it — including understanding of continuous monitoring, automation, cyber-survivability, DevSecOps integration and the five-phase lifecycle.

    + Strong analytical, problem-solving and risk-based thinking skills — capable of assessing security posture, communicating test findings, supporting risk decisions, and advising senior leadership.

    + Excellent communication (verbal and written), coordination and stakeholder engagement skills — able to work across program management, system engineering, cybersecurity, test & evaluation, operations and authorizing officials.

    + Must hold (or be eligible to obtain) a DoW To Secret or higher security clearance

    + Professional cybersecurity certifications such as CISSP, CISM, CAP, CEH, or equivalent; and/or test & evaluation credentials are strongly preferred.

    Preferred Qualifications:

    + Advanced degree in cybersecurity, engineering or related discipline.

    + Experience working in contested, mission-critical or warfighter-embedded environments (air, land, sea, space, cyberspace).

    + Familiarity with test & evaluation infrastructure/tools and frameworks (e.g., automated scanning tools [ACAS, Nessus], STIG/SCAP compliance, threat-informed test frameworks, resilience/failover testing).

    + Experience working with DevSecOps pipelines, continuous integration/continuous deployment (CI/CD) tools, and embedding security testing into agile development workflows.

    + Prior experience working with DoD programs migrating from RMF to CSRMC or similar risk models (or large-scale cybersecurity transformation initiatives).

    Performance Metrics:

    + Timely completion of cybersecurity test plans, test execution events and deliverables in alignment with system milestones.

    + Quality and relevance of test findings: percentage of critical/major deficiencies identified and remediated, effectiveness of corrective actions.

    + Ability to support systems achieving ATO or equivalent authorization in alignment with CSRMC timelines.

    + Integration of test results into continuous monitoring and operational dashboards, supporting the “real-time” posture envisioned in CSRMC.

    + Stakeholder satisfaction: responsiveness, clarity of communications, guidance provided to test and program teams, support of warfighter needs.

    + Contribution to process improvement: development of reusable test templates, automation of test workflows, embedding T&E into DevSecOps pipelines.

     

    Our Equal Employment Opportunity Policy

     

    The company is an equal opportunity employer. The company shall not discriminate against any employee or applicant because of race, color, religion, creed, ethnicity, sex, sexual orientation, gender or gender identity (except where gender is a bona fide occupational qualification), national origin or ancestry, age, disability, citizenship, military/veteran status, marital status, genetic information or any other characteristicprotected by applicable federal, state, or local law. We are committed to equal employment opportunity in all decisions related to employment, promotion, wages, benefits, and all other privileges, terms, and conditions of employment.

     

    The company is dedicated to seeking all qualified applicants. If you require an accommodation to navigate or apply for a position on our website, please get in touch with Heaven Wood via e-mail at [email protected] or by calling 703-488-9377 to request accommodations.

     

    _Koniag Government Services (KGS) is an Alaska Native Owned corporation supporting the values and traditions of our native communities through an agile employee and corporate culture that delivers Enterprise Solutions, Professional Services and Operational Management to Federal Government Agencies. As a wholly owned subsidiary of Koniag, we apply our proven commercial solutions to a deep knowledge of Defense and Civilian missions to provide forward leaning technical, professional, and operational solutions. KGS enables successful mission outcomes for our customers through solution-oriented business partnerships and a commitment to exceptional service delivery. We ensure long-term success with a continuous improvement approach while balancing the collective interests of our customers, employees, and native communities. For more information, please visit_ _www.koniag-gs.com._

     

    _Equal Opportunity Employer/Veterans/Disabled. Shareholder Preference in accordance with Public Law 88-352_

    Job Details

    Job Family** **IT, Cyber Security, Network Systems

     

    Pay Type** **Salary