Cybersecurity Analyst (Vulnerability Management & Continuous Monitoring)

About The Position

Requirements

• High school diploma or GED equivalent
• 5+ years of experience in DoD cybersecurity or RMF-based environments
• Hands-on experience with: ACAS (Nessus / Tenable.sc), STIG implementation and validation, IAVA/IAVM processes
• Experience with vulnerability assessment, risk analysis, and remediation tracking.
• DoD 8570/8140 Compliance: Must meet IAT Level II requirements (e.g., Security+)
• Active DoD Top Secret clearance with SCI eligibility.
• Strong understanding of: DoD RMF (DoDI 8510.01), NIST SP 800-53 security controls
• Ability to manage multiple systems and priorities in a regulated environment
• Strong analytical and problem-solving skills
• Attention to detail and compliance rigor
• Ability to translate technical risk into mission impact
• Effective communication with technical and non-technical stakeholders

Nice To Haves

• Relevant certifications: Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) or equivalent, DISA ACAS Training Certificate
• Experience with: ACAS, SCAP Compliance Checker (SCC) / Evaluate-STIG, STIG Viewer, eMASS, Xacta, Trellix, MDE, Splunk, Elastic
• Familiarity with scripting (e.g., PowerShell, Python) for automation.
• Experience in enterprise-level ConMon programs or NOSC/SOC environments.

Responsibilities

• Perform vulnerability scanning using Assured Compliance Assessment Solution (ACAS) (e.g., Tenable.sc / Nessus).
• Enforcing the ACAS best practice guide requirements when performing vulnerability scans in ACAS
• Analyze scan results to identify vulnerabilities, misconfigurations, and compliance gaps.
• Validate findings against the latest released DISA STIGs and applicable security baselines.
• Review of provided checklists and working with system admins in identifying gaps for POA&M creation.
• Assess and track vulnerabilities in accordance with DoD timelines and risk severity.
• Correlate vulnerabilities with IAVA/IAVM notices and ensure timely remediation or mitigation.
• Develop and maintain Plan of Action and Milestones (POA&M) documentation.
• Maintenance of Risk Acceptance (RA) POA&M items within SOR (System of Record) and coordinating with System administrators to validate that RA is required instead of a POA&M.
• Apply and validate Security Technical Implementation Guides (STIGs) across operating systems, applications, and network devices.
• Conduct manual and automated STIG compliance checks using tools such as ACAS Audit checks, STIG Viewer, SCAP Compliance Checker (SCC), and Evaluate-STIG.
• Document compliance status and provide remediation guidance to system administrators.
• Support system hardening efforts aligned with DoD baseline configurations.
• Ensure that golden images are maintained for Servers (RHEL and Windows) and Workstations following STIG guidance.
• Monitor and assess Information Assurance Vulnerability Alerts (IAVAs) and Bulletins (IAVBs).
• Determine system applicability and operational impact.
• Coordinate remediation actions and track compliance deadlines.
• Maintain IAVA compliance reporting and documentation for audits.
• Execute Continuous Monitoring activities in accordance with RMF Step 6.
• Monitor security controls for effectiveness and ongoing compliance.
• Conduct control assessments and assist with periodic security reviews.
• Support automated and manual data collection for ConMon dashboards and reporting.
• Identify trends, recurring issues, and systemic risks across systems.
• Support RMF activities across all six steps, with emphasis on: Control implementation validation, Security control assessment support, Ongoing authorization (ATO sustainment)
• Update and maintain RMF artifacts, including: System Security Plan (SSP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), Security Assessment Plan (SAP)
• Map vulnerabilities and findings to NIST SP 800-53 controls.
• Generate vulnerability and compliance reports for leadership and Authorizing Officials (AOs).
• Provide risk-based recommendations and remediation strategies.
• Maintain audit-ready documentation in accordance with DoD and agency requirements
• Other duties as assigned

Benefits

• professional development plan
• on-the-job learning experiences
• formal development programs