Cyber Risk Management Analyst
FEDSYNC
About the role
About FedSync:
Since our inception, FedSync has stood for Accountability, Integrity, Teaming, Value, Innovation, and Quality, the core values that define who we are. Our vision is to collaborate with innovative, forward-thinking leaders to deliver solutions that look beyond today. Our mission is to provide the federal government with proven, innovative solutions that transform organizations by equipping them with the right tools and people to meet tomorrow's challenges. At FedSync, our people matter, both our employees and our clients.
Position Overview
The Cyber Risk Management Analyst drives enterprise cybersecurity risk management by transforming compliance into a strategic advantage. This role quantifies risks, assesses control effectiveness, and ensures alignment with NIST 800-53 and FISMA frameworks. The Analyst collaborates with Cybersecurity Engineers and Business Analysts to define compliance guardrails, prioritize remediation, and track key cyber risks across the DOE environment. Two (2) Cyber Risk Management Analysts are required for this engagement. Work will be on a hybrid schedule with 3 days in the office and 2 days of telework.
Key Responsibilities
- Lead enterprise-wide risk assessments using GRC methodologies to identify, evaluate, and prioritize risks, translating technical vulnerabilities into business impact for stakeholders.
- Ensure ongoing compliance with federal frameworks including NIST SP 800-53 and 800-37 (RMF) through periodic audits and Security Impact Analyses for new and existing system interconnections.
- Maintain and manage the enterprise Risk Register, tracking key cyber risks and overseeing the full lifecycle of Plans of Action and Milestones (POA&M).
- Continuously monitor and report critical cyber risks using risk dashboards and metrics to provide actionable insights to leadership and maintain enterprise risk posture.
- Design and implement security awareness programs and phishing simulations to reduce social engineering risks and strengthen organizational security culture.
- Collaborate with Cybersecurity Engineers and Business Analysts to define compliance guardrails and prioritize remediation activities based on risk impact.
- Leverage GRC platforms and tools to generate automated risk metrics, heat maps, and executive-level security posture reports.
- Conduct security awareness training for both central and instructional employees, and develop age-appropriate student programs.
- Aggregate risk data and produce executive reports on the organization's security posture and regulatory compliance status (monthly/quarterly).
Minimum Qualifications
- 3+ years of experience in cyber risk management, GRC, or a related cybersecurity compliance role.
- Expertise in GRC methodologies, third-party risk management (TPRM), and federal compliance (NIST SP 800-53, 800-37).
- Skilled in Risk Register tracking, Security Impact Analyses, and managing the POA&M lifecycle.
- Experience developing security awareness content and phishing simulation programs.
- Strong data visualization and analytical reporting skills.
Required Certifications (one or more)
- CISA, CRISC, CGEIT, CISSP
- CompTIA Security+, CCSK, or CGRC
Technologies/Tools
- GRC Platforms: Archer / ServiceNow
- TPRM Tools: OneTrust / Prevalent
- Awareness Platforms: KnowBe4 / Proofpoint
- MS Power BI, Excel (Advanced), JIRA