Test & Evaluation SME-Cybersecurity Risk Management Construct (CSRMC)

Title: Test & Evaluation SME-Cybersecurity Risk Management Construct (CSRMC)

Location: Washington D.C. (Hybrid)

Clearance: Top Secret with SCI Eligibility

Foxhole Technology provides robust cybersecurity and IT support capabilities for federal civilian and defense agencies. A recognized leader in navigating technology and security challenges, Foxhole delivers mission-focused innovations to answer evolving and complex needs. Our talented employee-owners provide agile, scalable services and solutions that solve operational gaps, operate critical systems, and protect and secure the enterprise - across the organization and around the world.

We are seeking a talented Test & Evaluation SME with hands-on experience focusing on Cybersecurity Risk Management Construct (CSRMC) within federal government environments.

The Test & Evaluation SME plays a critical role in enabling the Department of War's CSRMC initiative by providing deep expertise in testing, evaluating, and validating cybersecurity controls and risk-management processes associated with systems authorized under the legacy RiskManagementFramework (RMF) and transitioning into the CSRMC lifecycle. This individual will lead or advise on test planning, execution, independent verification, and validation of security, resiliency, survivability, and continuous monitoring activities. They will partner with system owners, developers, cybersecurity engineers, authorizing officials (AOs), and program test teams to ensure systems meet evolving risk posture, mission assurance and cybersecurity requirements consistent with the CSRMC's five-phase lifecycle (Design Build Test Onboard Operations) and ten foundational tenets (Automation, Critical Controls, Continuous Monitoring, DevSecOps, Cyber Survivability, Training, Enterprise Services & Inheritance, Operationalization, Reciprocity, Cybersecurity Assessments).

Serve as the SME for cybersecurity test & evaluation (T&E) activities associated with RMF/CSRMC-governed systems - including defining test strategies, planning assessment events, coordinating independent verification and validation (IV&V), and integrating security testing into system lifecycle.
• Develop and/or review test artifacts (e.g., Test & Evaluation Master Plan (TEMP) segments, T&E event plans, cybersecurity test plans, threat-informed test scenarios, penetration test/Red Team inputs, vulnerability assessment results, system stress/failover/resiliency tests) tailored to CSRMC requirements.
• Ensure testing covers critical controls, cyber-survivability metrics, and continuous monitoring capabilities - validating that controls are implemented correctly, operating as intended, and achieving desired mission outcomes (akin to RMF "Assess" step) but aligned with CSRMC's dynamic operational posture.
• Lead or interface with assessment teams (including system owner, developer, cybersecurity engineering, test-eval, ISSM/ISSO) to execute security control assessments, Red/Blue Team exercises, resilience testing in contested environments, and continuous monitoring verification.
• Analyze test results and findings, produce Test Reports, provide recommendations for corrective actions (Plans of Action & Milestones (POA&Ms) where applicable), track remediation status, and provide visibility to Authorizing Officials (AOs) and cybersecurity leadership.
• Support authority-to-operate (ATO/ATO-equivalent) decisions by providing test evidence, risk-based assessments of control implementation, system vulnerabilities, and threat-informed scenario outcomes.
• Facilitate integration of T&E activities into DevSecOps pipelines, system development, and deployment workflows to meet CSRMC's emphasis on automation, continuous verification, and operational readiness.
• Provide subject-matter advice on T&E methodologies, toolsets, and techniques (including automated scanning, STIG/SCAP compliance tools, threat-informed testing, and mission-based T&E) to enhance cybersecurity posture and support program test communities.
• Mentor, coach, or assist less-experienced cybersecurity/test staff, and contribute to refining organizational test processes, templates, and best practices for RMF/CSRMC alignment.
• Stay abreast of evolving DoW cybersecurity policy, guidance, and test & evaluation standards (e.g., DoDI8510.01, NISTSP80037, T&E Guidebooks) and ensure test activities reflect current requirements.

Performance Metrics:

• Timely completion of cybersecurity test plans, test execution events, and deliverables in alignment with system milestones.
• Quality and relevance of test findings: percentage of critical/major deficiencies identified and remediated, effectiveness of corrective actions.
• Ability to support systems achieving ATO or equivalent authorization in alignment with CSRMC timelines.
• Integration of test results into continuous monitoring and operational dashboards, supporting the "real-time" posture envisioned in CSRMC.
• Stakeholder satisfaction: responsiveness, clarity of communications, guidance provided to test and program teams, support of warfighter needs.
• Contribution to process improvement: development of reusable test templates, automation of test workflows, and embedding T&E into DevSecOps pipelines.

• Bachelor's degree in Cybersecurity, Computer Science, Information Systems, Engineering, or related discipline (or equivalent relevant experience).
• Minimum of 15 years of cybersecurity and/or test & evaluation experience within the DoW, defense industry, or equivalent mission-critical environment.
• Must hold (or be eligible to obtain) a DoW Top Secret or higher security clearance
• At least 5 years of direct experience in test & evaluation of cybersecurity controls, system authorizations, or RMF/A&A activities in a DoW or Government context.
• Demonstrated experience planning and executing cybersecurity test events (control assessments, penetration testing, resiliency tests, vulnerability scanning, threat-informed scenario testing) for complex systems, with documented results and remediation tracking.
• Strong familiarity with the RMF process (Steps: Categorize, Select, Implement, Assess, Authorize, Monitor) and associated artifacts (SSP, SAR, POA&Ms) for DoW systems.
• Knowledge/experience of the CSRMC initiative or ability to rapidly adapt to it - including understanding of continuous monitoring, automation, cyber-survivability, DevSecOps integration, and the five-phase lifecycle.
• Strong analytical, problem-solving, and risk-based thinking skills - capable of assessing security posture, communicating test findings, supporting risk decisions, and advising senior leadership.
• Excellent communication (verbal and written), coordination, and stakeholder engagement skills - able to work across program management, system engineering, cybersecurity, test & evaluation, operations, and authorizing officials.

• Professional cybersecurity certifications such as CISSP, CISM, CAP, CEH, or equivalent; and/or test & evaluation credentials are strongly preferred.
• Advanced degree in cybersecurity, engineering, or related discipline.
• Experience working in contested, mission-critical, or warfighter-embedded environments (air, land, sea, space, cyberspace).
• Familiarity with test & evaluation infrastructure/tools and frameworks (e.g., automated scanning tools [ACAS, Nessus], STIG/SCAP compliance, threat-informed test frameworks, resilience/failover testing).
• Experience working with DevSecOps pipelines, continuous integration/continuous deployment (CI/CD) tools, and embedding security testing into agile development workflows.
• Prior experience working with DoD programs migrating from RMF to CSRMC or similar risk models (or large-scale cybersecurity transformation initiatives).

At Foxhole Technology, we are committed to pay transparency as required by law, for our applicants and employee-owners. The salary range for this position is $195,000-220,000. Actual compensation will be determined based on a number of factors as permitted by law.

Foxhole Technology offers a competitive benefits package for our employees and their dependents, including health, dental, and vision care, paid leave, retirement plans (401K, Roth, and ESOP), life and disability insurance, flexible spending accounts, and education and training assistance.

Requirements of position: Think analytically, effective verbal and written communication skills, make decisions, observe/remember details, interpret data, concentrate on tasks, adjust to change, handle stress/emotions. Regular attendance, maintain work schedule, attend meetings, meet deadlines, keyboard/type, handle confidential information, use math/calculations, stay organized, operate office equipment, may direct others. May be exposed to dust/dirt, humidity, and noise.

Foxhole Technology is an Equal Opportunity Employer and makes hiring decisions without regard to race, color, religion, sex (including pregnancy, childbirth and sexual orientation), national origin, age, disability, genetic information, military/veteran status, or any other protected class.