Sr Security Governance Analyst

About the position EBSCO Information Services (EBSCO) delivers a fully optimized research experience, seamlessly integrated with a powerful discovery platform to support the information needs and maximize the research experience of our end-users. Headquartered in Ipswich, MA, EBSCO employs more than 2,700 people worldwide, with most embracing hybrid or remote work models. As an AI-enabled service leader, we thrive on innovation, forward-thinking strategies, and the dedication of our exceptional team. At EBSCO, we’re driven to inspire, empower and support research. Our mission is to transform lives by providing reliable and relevant information — when, where and how people need it. We’re seeking dynamic, creative individuals whose diverse perspectives will help us achieve this global, inclusive mission. Join us to help make an impact. Your Opportunity The Senior Security Governance Analyst is responsible for developing and maintaining the organization’s information security governance framework with an emphasis on NIST 800-53–aligned control architecture and support for federal and regulated cybersecurity requirements. This role focuses on the structure of the security program — policies, standards, control objectives, ownership models, and governance processes — ensuring the organization can consistently manage risk and demonstrate alignment with federal security expectations, including NIST, FedRAMP/GovRAMP-style control rigor, and public-sector customer requirements. This role oversees the full lifecycle of system certification and authorization (C&A), maintains System Security Plans (SSPs), drives remediation of control gaps, and ensures continuous alignment with NIST SP 800-53, FedRAMP/GovRAMP, and other applicable frameworks. The analyst will serve as the primary liaison between internal teams and federal/state stakeholders -ensuring contractual obligations and that regulatory expectations are met with precision and professionalism. This is a program design and governance role, not a control testing or audit execution position. It is ideal for a seasoned GRC professional with deep expertise in federal / state cybersecurity compliance, strong program management skills, and hands-on experience with security tooling and documentation workflows.

Responsibilities

• Lead the end-to-end Certification & Authorization (C&A) process for information systems, including initial assessment, remediation, documentation, and ongoing monitoring.
• Maintain and update System Security Plans (SSPs), POA&Ms, and other FedRAMP/GovRAMP/NIST documentation artifacts.
• Oversee control gap analysis and drive remediation efforts across technical and administrative domains.
• Initiate and manage change requests based on compliance metrics, vulnerability findings, or evolving regulatory requirements.
• Coordinate with internal stakeholders (IT, DevOps, Legal, Procurement) and external entities (3PAOs, FedRAMP/GovRAMP PMO) to ensure alignment and transparency.
• Monitor and report on continuous monitoring (ConMon) activities, including vulnerability scans, patching, and control effectiveness.
• Provide program management for all FedRAMP/GovRAMP/NIST-related initiatives, including timelines, deliverables, and audit readiness.
• Advise leadership on risk posture, compliance gaps, and strategic improvements to the security governance program.
• Support contractual compliance with federal / state institutions, ensuring flow-down clauses, data handling requirements, and reporting obligations are met.
• Stay current on updates to NIST SP 800-53, FedRAMP Rev 5, GovRAMP Control Framework, CMMC, and other federal cybersecurity frameworks.

Requirements

• Deep understanding of NIST SP 800-53 Rev 5, FedRAMP/ GovRAMP Moderate/High baselines, and CSF 2.0, and RMF 2.0 (Risk Management Framework).
• Experience with System Security Plans (SSPs), and POA&M management.
• Familiarity with cloud security architectures and FedRAMP-authorized cloud service providers (AWS, Azure).
• Knowledge of vulnerability management, configuration management, and incident response processes.
• Ability to interpret and apply FISMA, CMMC, and DFARS/FAR requirements to operational environments.
• Hands-on experience with tools such as: o Tenable/Nessus, (vulnerability scanning) (XSIAM/Cortex, Sentinel 1, or other SIEM platforms, STIG Viewer, SCAP tools, and FedRAMP templates, ServiceNow or similar ticketing/change management systems)
• Minimum 5–7 years of experience in cybersecurity governance, risk, and compliance roles.
• Proven track record managing FedRAMP or NIST-based compliance programs.
• Strong project management and organizational skills; able to manage multiple concurrent initiatives.
• Excellent written and verbal communication skills, especially in drafting formal documentation and interfacing with federal stakeholders.
• Ability to translate technical findings into business risk language for executive audiences.
• High attention to detail, commitment to documentation accuracy, and audit readiness.
• Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or related field.

Nice-to-haves

• Certified Information Systems Security Professional (CISSP)
• Certified Governance Risk and Compliance (CGRC) (formerly CAP)
• Certified Information Systems Auditor (CISA)
• Certified in the Governance of Enterprise IT (CGEIT)
• Certified in Risk and Information System Control (CRISC)
• FedRAMP PMO Training Completion (or equivalent experience)

Apply tot his job Apply To this Job