Cyber Risk Analyst SME

Technomics is a growing employee-owned, decision analytics company that specializes in cost and economic analysis to facilitate better decisions faster. We enable a wide range of clients across the Federal government, from senior level policy makers to program managers, to choose smartly, buy effectively and operate efficiently. We deliver practical, credible and defensible results offering actionable insights by applying data-driven and analytics-based approaches in combination with multidisciplinary talent, subject matter experts, and tangible and repeatable assets in the form of databases, models, approaches and techniques.

Senior Analysts have the knowledge, skills, abilities and initiative to deliver timely, practical and innovative solutions to our clients as part of high-performing project teams typically composed of a mix of junior and mid-level analysts who will look to you for technical acumen and mentoring.

Our employee-owners pride themselves on their ability to apply deep analytical rigor and innovative thought that assist clients in understanding and solving a myriad of challenging resource planning and management problems.

This position is located in Arlington, VA.

Description

We are seeking a Cyber Risk Analyst (SME-level). This role involves conducting on-site and remote cyber risk assessments, developing mitigation strategies, and enabling proactive enterprise risk identification.

The ideal candidate has deep experience with NIST SP 800-30, MITRE ATT&CK, and threat modeling approaches, and can translate technical risks into mission/business impacts. You will work alongside cybersecurity, OT, and systems engineering SMEs, creating task plans, presenting findings, and traveling to client sites for mission assessments.

We are looking for someone who is agile, creative, and collaborative — able to apply lessons learned, enable data tagging and structured knowledge capture, and help shift the organization from reactive responses toward proactive risk management.

Clearance Required: Active DOE Q or higher (or ability to obtain)

Key Responsibilities

• Serve as a Subject Matter Expert (SME) in cyber risk assessment, analysis, and mitigation strategies for critical missions.
• Conduct on-site and remote cyber risk assessments of enterprise systems, applications, and mission-critical infrastructures.
• Apply NIST SP 800-30 risk assessment methodology, threat modeling techniques, and frameworks such as MITRE ATT&CK to evaluate vulnerabilities, threats, and risks.
• Develop and present risk characterization reports, mitigation considerations, and recommendations to client leadership and system owners.
• Create and manage task plans, assessment schedules, and execution strategies to ensure effective delivery of assessment activities.
• Collaborate with multi-disciplinary teams of SMEs (cybersecurity, systems engineering, OT, supply chain, and mission assurance) to address enterprise risks.
• Support the identification, analysis, and validation of complex security risks and associated vulnerabilities, including both technical and operational impacts.
• Assist in the development of threat-informed mitigation strategies aligned with client enterprise assurance goals.
• Implement data tagging and structured knowledge capture to enable proactive risk identification, trend analysis, and lessons-learned reuse.
• Build analytic processes that leverage historical assessment data, external threat databases, and adversary TTPs to anticipate potential risks rather than solely reacting to identified vulnerabilities.
• Provide expert consultation on risk acceptance, mitigation prioritization, and remediation planning to stakeholders.
• Maintain awareness of emerging threats, vulnerabilities, adversary tactics, and best practices for defense in depth across the nuclear enterprise.
  
  

Required Qualifications

• 10 years of experience in cybersecurity risk assessment, vulnerability analysis, or cyber mission assurance.
• Deep knowledge of NIST SP 800-30, NIST Risk Management Framework (RMF), and related federal standards.
• Hands-on experience with threat modeling approaches and application of MITRE ATT&CK for risk evaluation.
• Demonstrated ability to conduct complex cyber risk assessments and present findings to executive and technical audiences.
• Proven ability to develop task plans, manage assessment milestones, and work independently or as part of a team.
• Strong writing and briefing skills to produce risk reports, mitigation strategies, and decision support artifacts.
  
  

Preferred Qualifications

• Experience supporting national security organizations.
• Familiarity with supply chain risk management (SCRM), insider threat analysis, or mission-critical system assurance.
• Operational Technology (OT) and Systems Engineering (SE) experience in complex enterprise environments.
• Knowledge of nuclear enterprise operations and mission dependencies.
• Technical certifications such as Security , CISSP, CISM, C-RMA, CAP, CEH, or OSCP.
• Prior experience briefing and advising SES-level leadership or program executives.
• Familiarity with tools supporting risk assessments and vulnerability analysis (e.g., Threat Modeling tools).
  
  

Work Environment

• Hybrid environment with headquarters-based work in D.C. and regular travel to client sites for on-site risk assessments.
• Fast-paced, collaborative environment with cross-disciplinary SMEs (cybersecurity, engineering, OT, program management, and intelligence).
• Requires agility, creativity, and strong interpersonal skills to interact effectively with diverse stakeholders across government, contractors, and mission partners.
• Role demands adaptability to dynamic mission needs, shifting priorities, and classified environments.
• Emphasis on teamwork, analytical rigor, and the ability to translate technical risks into mission/business impacts.
  
  

We are an Equal Opportunity Employer. As an Equal Opportunity Employer, we do not discriminate on the basis of race, color, religion, national origin, sex, age, marital status, disability or veteran status.