HHS - Vulnerability Analyst

cFocus Software Incorporated, Rockville, MD
Remote

About The Position

cFocus Software seeks a Vulnerability Analyst to join our program supporting the Department of Health and Human Services (HHS). This position is remote. This position requires the ability to obtain a Public Trust clearance.

Requirements

  • Bachelor’s degree in Cybersecurity, Information Technology, or related field.
  • Minimum 5–7 years of experience in vulnerability management or security operations.
  • Strong understanding of NIST SP 800-53, NIST SP 800-30, NIST SP 800-137, and HHS vulnerability management requirements.
  • Experience performing vulnerability scanning, analysis, and remediation tracking in federal environments.
  • Experience with secure configuration standards (DISA STIGs, CIS Benchmarks).
  • Strong analytical, documentation, and communication skills.
  • CEH, Security+, CISSP, GIAC (GSEC, GPEN), or equivalent cybersecurity certifications.

Responsibilities

  • Perform authenticated and unauthenticated vulnerability scans on a daily and ad hoc basis across servers, workstations, network devices, databases, web applications, APIs, containers, serverless functions, CI/CD pipelines, and Infrastructure as Code (IaC).
  • Analyze vulnerability scan results to determine applicability, severity, exploitability, and risk using CVSS scoring, threat intelligence, and Known Exploited Vulnerabilities (KEV) catalogs.
  • Provide daily remediation guidance and mitigation strategies to system owners, administrators, developers, and other stakeholders.
  • Maintain and ensure operational health of vulnerability scanning tools, including agents, sensors, integrations, and supporting infrastructure.
  • Coordinate with tool vendors, hosting teams, and network operations to troubleshoot and resolve tool-related issues.
  • Develop and maintain HRSA security configuration baselines using DISA STIGs and Center for Internet Security (CIS) benchmarks.
  • Perform compliance and configuration scans against approved baselines on a weekly, quarterly, and ad hoc basis.
  • Validate remediation through follow-up scans and evidence review and confirm closure of vulnerabilities.
  • Support penetration testing activities, including test planning, execution, exploitation, reporting, and coordination with stakeholders.
  • Conduct application security testing including SAST, DAST, software composition analysis, SBOM review, dependency scanning, and secure code analysis.
  • Support secure DevSecOps practices by integrating automated vulnerability testing into CI/CD pipelines and code repositories.
  • Develop vulnerability dashboards and reports for ISSOs, system owners, engineers, and DCSP leadership.
  • Maintain authoritative asset inventories and correlate data across vulnerability tools, CMDB, eGRC, and cloud inventories to ensure full scanning coverage.
  • Support Incident Response activities by providing vulnerability data, exploit analysis, and remediation recommendations.
  • Develop and maintain vulnerability management SOPs, workflows, and technical documentation.
  • Maintain SLAs for vulnerability scanning requests and remediation tracking.
© 2024 Teal Labs, Inc