Tantus Technologies, Inc.

Senior Security System / Information Assurance Analyst

ID: 2025-2586
Active Clearance Required: Public Trust
Citizenship Required: No
Type: Regular Full-Time

Overview

Tantus Technologies, Inc. (Tantus) - recognized by the Washington Post as a Top Workplace - is seeking an experienced Senior System Security / Information Assurance Analyst to lead and support enterprise cybersecurity initiatives across complex IT environments. This role is responsible for assessing, developing, and implementing robust security policies and controls aligned with federal and industry standards such as NIST RMF, FedRAMP, FISMA, ISO 27001, and DoD STIGs. The ideal candidate will possess deep expertise in risk management, compliance, incident response, and secure system architecture, with a strong focus on protecting critical assets and ensuring regulatory adherence. This position plays a key role in driving security strategy, managing vulnerabilities, and supporting accreditation processes for both on-premises and cloud-based systems.

 

Clearance: This position supports a federal contract and requires U.S. citizenship or lawful permanent resident (Green Card holder) status, as well as the ability to obtain a Public Trust clearance.

 

Location: We prefer a candidate local to the DC metro area who is able to attend meetings at FAA HQ in DC. Alternatively, we will consider candidates located near FAA facilities in OK or NJ (namely MMAC in Oklahoma City, or the Tech Center in Egg Harbor, NJ).

What You'll Do

  • Assess, develop, and implement security policies and procedures to align with frameworks such as NIST RMF, FedRAMP, FISMA, ISO 27001, and DoD STIGs.
  • Conduct security risk assessments and gap analyses to identify vulnerabilities in systems and networks.
  • Ensure compliance with federal regulations, industry standards, and organizational security policies.
  • Assist in the preparation of System Security Plans (SSPs), Security Control Assessments (SCAs), and Authority to Operate (ATO) packages.
  • Perform Plan of Action & Milestones (POA&M) management, tracking remediation efforts for security findings.
  • Monitor security logs, alerts, and events using SIEM tools (e.g., Splunk, ArcSight, etc.) to detect, investigate, and mitigate cyber threats.
  • Respond to security incidents, vulnerabilities, and breaches, conducting forensic analysis and impact assessments.
  • Develop and refine incident response plans (IRPs) and participate in cybersecurity exercises and drills.
  • Configure and manage security controls, including firewalls, intrusion detection/prevention systems (IDS/IPS), endpoint security, and encryption solutions.
  • Support the implementation of Zero Trust Architecture (ZTA) and Identity & Access Management (IAM) controls.
  • Perform patch management and vulnerability remediation for IT assets, ensuring compliance with security benchmarks (DISA STIGs, CIS Benchmarks, SCAP).
  • Develop and maintain security documentation, policies, and procedures for system accreditation.
  • Conduct security awareness training for employees and stakeholders.
  • Support audit and certification processes, working with internal and external security assessors.
  • Review secure software development lifecycle (SDLC) practices, ensuring applications meet security best practices.
  • Assist in securing cloud-based environments (AWS, Azure, Google Cloud) through security controls like CASB, CSPM, and cloud encryption.
  • Conduct security reviews for third-party applications and vendors to mitigate supply chain risks.

Required Knowledge and Skills

  • Bachelor’s degree and six (6) years of relevant experience.
  • Bachelor’s degree must be in Computer Science, Cybersecurity, Engineering, Information Systems, Mathematics, Technology, or another IT, engineering, math, and/or science discipline.

Abilities

  • Writing scripts in Python, PowerShell, or Bash for security automation and log analysis.
  • Automating security control enforcement using Ansible, Terraform, or cloud-native security tools.
  • Securing cloud environments (AWS, Azure, Google Cloud) with Zero Trust, CASB, and cloud-native security controls.
  • IAM, Privileged Access Management (PAM), and Role-Based Access Control (RBAC).
  • Knowledge of cyber threats, attack vectors, Advanced Persistent Threats (APTs), and malware analysis.
  • Security Information and Event Management (SIEM) solutions like Splunk, ArcSight, or QRadar.
  • Firewalls, IDS/IPS (Snort, Suricata), VPNs, and endpoint security solutions.
  • Secure configurations based on CIS Benchmarks, DISA STIGs, and SCAP tools.

Proficient in analysis activities and capable of applying theoretical body of knowledge, including the ability to apply a variety of standard and advanced analytical techniques and tools.

  • Assessing risk impact and security control effectiveness in real-world scenarios.
  • Making data-driven decisions to improve security posture while balancing operational requirements.
  • Ability to analyze security threats, correlate logs, and identify vulnerabilities in systems and networks.
  • Troubleshooting security issues across multi-layered architectures.
  • Ability to make decisions in accordance with established policies, guidelines and standards.
  • Working with cross-functional teams, executives, and auditors to implement security best practices.
  • Training employees on security awareness and compliance programs.
  • Staying updated with emerging threats, security technologies, and regulatory changes.
  • Ability to quickly adapt security strategies to evolving IT environments and threats.
  • Writing security reports, compliance documentation (SSPs, POA&Ms), and security policies.
  • Communicating security risks effectively to both technical and non-technical stakeholders.
  • Strong organizational skills with the ability to multi-task, manage time effectively, and handle tight deadlines.
  • Highly responsive to requested needs.
  • Extensive knowledge of business issues and processes as well as IT and Security resources and enabling technologies.
  • Skilled in the use of advanced analysis, facilitation and consultative techniques and tools and the ability to apply them in multiple settings of significant complexity.
  • Excellent oral and written communication skills including the ability to effectively consult with stakeholders on a diverse range of IT activities.
  • Ability to work with confidential and proprietary information using utmost discretion.

Nice to Haves

  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Certified Authorization Professional (CAP), Security+, Information Technology (IT) certification, or equivalent certification.
  • Personnel may obtain the required certification within a period not to exceed one (1) year, where applicable.

Salary Range

The salary range is $110,000-120,000/year. The salary range for this position reflects a variety of factors that influence compensation decisions, including skills, experience, training, certifications, and organizational needs.
