Cyber Security Analyst III (Vulnerability Management)

OSC Global
$89,596 - $158,000 | Onsite

About The Position

The primary duty of the Cyber Security Analyst III is the skilled application of systems analysis and technical evaluation methods to identify, test, and document security vulnerabilities across enterprise environments. This includes analyzing scan data, interpreting results with increasing independence, and supporting the design and implementation of software or system modifications that mitigate identified weaknesses. The role requires applying sound professional judgment to configure and validate vulnerability management tools, integrate results into enterprise systems, and ensure that solutions align with technical specifications and cybersecurity standards for unclassified federal information systems. The Analyst III operates with greater autonomy than junior levels, provides guidance to less experienced staff, and contributes to continuous improvement of vulnerability management processes.

Requirements

  • Proficiency with enterprise vulnerability scanning and management platforms (e.g., Tenable.sc, Nessus, Qualys, ACAS, or similar).
  • Solid understanding of CVSS scoring, CVE analysis, patch management principles, and risk-based vulnerability prioritization methods.
  • Good interpersonal skills: ability to work effectively and cooperatively with all levels of management and staff, affiliated-company employees as well as outside business associates; exhibits a professional manner in dealing with others.
  • Superior organizational, follow-up, and detail-oriented skills.
  • Strong ability to analyze documents and categorize appropriately.
  • Ability to maintain accurate records.
  • Work independently, as well as on a team and with minimal supervision.
  • Make decisions, solve problems, and exercise excellent judgment.
  • Work well under pressure and independently prioritize workload, while working on multiple projects.
  • Ability to research, organize and analyze technical information with particular attention to accuracy and detail.
  • Excellent written and verbal communication skills, including thorough knowledge of proper grammar, advanced vocabulary, spelling, editing and proofreading skills.
  • Proficient using Microsoft Office products, such as Word, Excel and PowerPoint, and industry-standard computer software and databases.
  • High degree of sensitivity regarding confidential information.
  • Sufficient fine motor skills for the use of computers and calculators, with an ability to withstand repetitive keyboarding for extended periods of time.
  • Visual and communications ability adequate to perform the essential functions of the job.
  • Ability to kneel, bend and twist at the waist on an occasional basis.
  • Ability to reach below shoulder height with regular frequency (desk position) and at or above shoulder height on occasion.
  • Ability to push, pull, carry and lift objects weighing up to 10 pounds on a regular basis, and greater weights on an occasional basis.
  • Ability to travel by vehicle or aircraft, and ability to safely operate a motor vehicle.
  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field.
  • 5+ years of experience in vulnerability management, system security, or security operations, or equivalent combination of education, experience, and training.
  • Ability to pass a background and drug screening.
  • Must have identification compliant with the Real ID Act at time of hire.
  • Must be able to obtain Department of Energy access badge.
  • All applicants must be able to comply with all federal regulations, including those concerning controlled substances, as a condition of employment.

Nice To Haves

  • Experience integrating vulnerability scan data with GRC or POA&M tracking systems (e.g., eMASS, RegScale, ServiceNow GRC, or similar).
  • Familiarity with CISA directives, STIGs, and federal vulnerability reporting requirements.
  • Knowledge of cloud vulnerability management, including AWS, Azure, or hybrid environments.
  • Exposure to threat intelligence correlation or risk-based vulnerability prioritization methods.
  • Relevant certifications such as Security+, CySA+, CEH, CGRC (CAP), or Tenable Certified Practitioner.

Responsibilities

  • Perform vulnerability scanning across servers, endpoints, network devices, and cloud environments using approved tools (e.g., Tenable, Nessus); refine scanning configurations, schedules, and coverage to improve program effectiveness.
  • Analyze and interpret scan results to validate findings, identify false positives, and prioritize vulnerabilities based on risk severity, exploitability, and asset criticality; provide well-supported risk-based recommendations to system owners and program leadership.
  • Coordinate with system owners, administrators, and stakeholders to support timely remediation or mitigation of vulnerabilities, including appropriate escalation of high-risk findings.
  • Document and track remediation progress through POA&Ms, ticketing systems, or enterprise GRC platforms.
  • Contribute to and conduct risk assessments by evaluating the potential impact of unmitigated vulnerabilities, recommending compensating controls, and clearly documenting findings for review by stakeholders and leadership.
  • Support and contribute to continuous monitoring reporting by maintaining vulnerability metrics, trend analyses, and risk summaries for leadership review; identify gaps and recommend process improvements.
  • Conduct and participate in assurance activities, validating vulnerability scan coverage, tool configuration, and data quality; support audit and assessment activities to ensure program outputs meet federal reporting standards.
  • Evaluate patch management effectiveness and identify gaps in remediation processes; develop recommendations and supporting metrics for process improvement.
  • Collaborate with the Security Operations Center (SOC) and Incident Response (IR) teams, providing vulnerability context to help correlate known weaknesses with active threats, events, and exploitation indicators.
  • Support RMF implementation activities related to vulnerability management, ensuring vulnerability data informs security assessments, risk posture updates, and authorization maintenance; assist ISSOs and ISSMs with vulnerability-related POA&M documentation and risk responses.
  • Monitor CISA Binding Operational Directives (BODs), Common Vulnerabilities and Exposures (CVE) trends, and emerging threat advisories; summarize implications for agency systems and communicate relevant findings to the team and stakeholders.
  • Provide guidance and informal mentoring to junior analysts on vulnerability management tasks, tool usage, and documentation standards; assist with onboarding of new team members as needed.
  • Contribute to vulnerability management process improvement efforts, including participation in tool evaluations and development of standard operating procedures, playbooks, and technical documentation.
  • Monitor the Configuration Management Database (CMDB) (e.g., ServiceNow CMDB) to maintain accurate asset inventory, validate scan coverage against the known asset population, and identify discrepancies between CMDB records and discovered assets.
  • Review and respond to configuration change alerts generated by the CMDB or related change management workflows; assess the vulnerability implications of configuration changes, coordinate with system owners as appropriate, and document findings in support of continuous monitoring requirements.
  • Perform other duties as appropriate and as assigned.

Benefits

  • paid holidays
  • paid time off
  • 401k with employer match
  • dental
  • vision
  • health insurance plans through the Federal Employee Health Benefits (FEHB) program
  • life and disability benefits