Job Type: Regular Overview The Information Assurance Systems Analyst provides technical execution of information assurance functions to include operational monitoring, incident response, applying established procedures within a defined scope to governance, compliance, cybersecurity and risk management to protect information assets, and to facilitate compliance with federal, state and local cybersecurity requirements (e.g., NIST 800-171, CMMC Cybersecurity Maturity Model Certification). This position analyzes sensitive data, identifies vulnerabilities, and collaborates with various teams to implement and maintain information security measures as a member of the Information Security Team. Analyze and maintain System Security Plans (SSPs) with supporting documentation aligned with NIST 800-171 and CMMC practices; assist with regular information security control assessments, perform gap analyses, and update Plans of Action and Milestones (POA&Ms); coordinate security authorization and compliance activities across IT systems and applications. This position reports directly to the Manager, IS Information Assurance. Additional duties outlined below: Perform ongoing information security technical reviews of applications, infrastructure, and business processes to verify compliance and identify improvements; recommend remediation actions, track remediation efforts, and collaborate closely with IT, DevOps, and business teams; execute comprehensive cybersecurity audits to ensure compliance with CMMC, DFARS 7012, NIST 800-171, and other relevant regulations; analyze and assess various data types, including Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Federal Contract Information (FCI), International Traffic in Arms Regulations (ITAR), and Export Administration Regulation (EAR99); collaborate with system and network administrators to implement audit features that are configured and enabled correctly. Perform third-party/vendor information security reviews as part of the procurement and onboarding process; review supplier security documentation and manage risks associated with external data sharing and service providers. Participate in incident response activities, including documentation, coordination, and lessons learned reviews; help improve incident detection, containment, and prevention through policy, training, and technical improvements. Utilize GRC (Governance, Risk, and Compliance) tools to document and track risk assessments, policy compliance, and mitigation efforts; identify and evaluate risks to information assets; assist in the development of risk treatment and remediation plans; review and analyze policy exceptions to assess impact and risk, track approvals, and monitor mitigation within target remediation timeline. Collaborate with internal stakeholders to ensure alignment of technical and administrative controls with risk management practices; support the development and rollout of security awareness training to ensure users understand responsibilities and best practices; monitor training completion and maintain accurate compliance records; other duties as assigned. Qualifications Required: Minimum 5 years of experience with a BS/BA degree in an IT information security or compliance role in a corporate or government contractor setting. (Minimum 9 years experience without a BA/BS degree.) Strong understanding of NIST SP 800-171, CMMC Level 2, and basic DFARS cybersecurity clauses. Knowledge of multiple federal government network security processes and procedures Technical background with understanding or hands-on experience in Information Technology environments and web technologies. Excellent oral and written communications skills required for correspondence, reports, briefings, and procedures. U.S. Citizenship (required for defense contractor compliance). Must have the ability to obtain and maintain a security clearance. Cybersecurity Risk Management or Information Assurance related certifications. Excellent written and verbal communication skills.Preferred: Professional certifications such as Security+, CISSP, CISA, or CRISC. Familiarity with audit processes, internal controls, and security risk assessments. Knowledge of Microsoft office applications Working knowledge of Confluence and Jira for task management Education With a BS/BA degree, at least 5 years experience in cybersecurity required. Without a BS/BA degree, at least 9 years experience in cybersecurity security required. High School Diploma required. Experience Minimum 5 years of experience with a BS/BA degree in an IT information security or compliance role in a corporate or government contractor setting. (Minimum 9 years experience without a BA/BS degree.) High school diploma or GED is required. BS/BA degree is preferred. Security Clearance Must meet eligibility requirements for access to U.S. government classified information. Location Santa Monica, CA, Washington D.C., or Pittsburgh, PA. This position is mainly onsite at a RAND U.S. location. Positions Open One Salary Range: $102,800 – $156,500 RAND considers a variety of factors when formulating an offer, including but not limited to, the specific role and associated responsibilities; a candidates work experience, education/training, skills, expertise; and internal equity. The salary range includes base pay plus RANDs sabbatic pay (which provides additional compensation above base pay when vacation is taken). In addition, RAND provides strong benefits including health insurance coverage, life and disability insurance, savings plan, paid time-off and more. Equal Opportunity Employer RAND is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RANDs research and analysis address issues that impact people everywhere, including security, health, education, sustainability, growth, and development. RAND has approximately 1,750 people working in offices in the United States, Europe, and Australia, with annual revenues of $470 million. RAND is nonprofit, nonpartisan, and committed to the public interest. Our research is sponsored by government agencies, international organizations, and foundations. We rely on philanthropic support to pursue visionary ideas; address critical problems that are under-researched; and devise innovative approaches for solving acute, complex, or provocative policy challenges. RAND values objectivity and integrity in both its research processes and internal interactions. We emphasize a collegial environment that respects the contributions and dignity of all staff. RAND’s reputation is built on quality and objectivity. RAND provides an exciting intellectual environment and opportunities for career growth with challenging assignments. As collaboration in interdisciplinary teams is an essential operating principle at RAND, we hire highly qualified talent and empower our people to do their best work by fostering a culture in which different views, backgrounds, experiences, and perspectives are valued and respected, and staff have a sense of belonging with their colleagues, fair access to opportunities, and feel comfortable bringing their best selves to work each day. As part of our commitment to Equal Opportunity Employment, we welcome all applicants from a broad range of backgrounds and experiences to apply for this exciting opportunity. RAND is committed to working with and providing reasonable accommodations to individuals with disabilities. If, because of a medical condition or disability, you need reasonable accommodation for any part of the application process, or in order to perform the essential functions of a position, please contact Human Resources at (310) 393-0411 or at jobs@rand.org and let us know the nature of your request and your contact information.