ELDR Advisory

Cybersecurity Governance Analyst

Develop cybersecurity governance programmes, control frameworks, and audit-ready documentation for regulated enterprises and federal institutions.

Level: Mid-Senior (5–10 Years)
Type: Full-Time · Hybrid
Location: Washington, DC / Vienna, VA

About the Role

Cybersecurity governance — the policies, controls, documentation, and evidence systems that demonstrate security posture to regulators, auditors, and institutional counterparties — is a core ELDR Advisory discipline. The Cybersecurity Governance Analyst develops and implements cybersecurity governance programmes for ELDR's clients, with particular depth in federal and financial sector environments where NIST, FedRAMP, and FISMA compliance is operationally critical. Based in the Washington area, this role engages directly with the U.S. federal institutional ecosystem and its intersection with regulated private sector clients.

Responsibilities

  • Develop cybersecurity governance frameworks, policies, and control documentation aligned with NIST SP 800-53, NIST CSF, FedRAMP, FISMA, CIS Controls, and applicable sector frameworks
  • Produce System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), and Authority to Operate (ATO) documentation for federal and regulated clients
  • Design ISMS implementation programmes aligned with ISO 27001 and SOC 2 requirements
  • Conduct cybersecurity risk assessments, threat modelling exercises, and control gap analyses
  • Develop security architecture documentation for cloud environments (AWS, Azure, GCP) including Zero Trust architecture narratives
  • Support clients through FedRAMP authorisation processes, FISMA assessments, and third-party audits
  • Brief security leadership and boards on cybersecurity risk posture and regulatory compliance status

Requirements

  • 5–10 years of experience in cybersecurity governance, information security, federal IT security, or security consulting
  • Deep expertise in NIST 800-53, NIST CSF, FedRAMP, FISMA, and/or CIS Controls
  • Demonstrated ability to produce SSPs, SARs, POA&Ms, and governance documentation to federal standards
  • Working knowledge of cloud security architecture — at least one of AWS, Azure, or GCP
  • Strong written communication skills with the ability to produce regulatory-grade documentation
  • Undergraduate degree required; graduate qualification in cybersecurity, information systems, or law preferred

Preferred Qualifications

  • Certifications: CISSP, CISM, Security+, CAP, CGRC, or equivalent
  • Prior experience in federal government, DoD, or federally regulated environments
  • Familiarity with Zero Trust architecture implementation frameworks (CISA ZTA, NIST SP 800-207)
  • Experience with IAM governance — SailPoint, Active Directory, or Okta in regulated environments

What We Offer

  • High-impact work at the intersection of federal cybersecurity governance and private sector compliance
  • Washington-area hub with access to federal institutional networks
  • Integration with ELDR Intelligence on cybersecurity regulatory research
  • Competitive compensation aligned with federal contractor market benchmarks

Apply via Email

Send your CV and a brief covering statement to careers@eldrinc.com with the role title in the subject line. ELDR reviews applications on a rolling basis.