Vulnerability Management Analyst

About The Position

Requirements

• 3+ years of hands-on vulnerability management experience within a federal agency environment.
• Demonstrated program ownership: VDP, attack surface management, or equivalent independently managed programs.
• Proficiency with Tenable.sc and/or Tenable.io (scan configuration, report generation, false positive management).
• Experience with CISA programs (VDP, FAST, BOD compliance) or equivalent federal cybersecurity initiatives.
• Working knowledge of ServiceNow or equivalent ITSM platforms for ticket management.
• Ability to produce clean, accurate SOPs, POA&Ms, and stakeholder-facing documentation.
• Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or equivalent practical experience.
• Active security clearance or eligibility to obtain one preferred.

Nice To Haves

• Experience operating WebInspect, OpenText ScanCentral, or equivalent DAST/web application scanning tools.
• Familiarity with Bugcrowd or other managed bug bounty platforms.
• Experience with HSTS/HTTPS compliance monitoring aligned to BOD 18-01.
• Active certifications: Security+, CEH, CISSP, CISM, or Certified Vulnerability Assessor (CVA).
• Experience leading or co-leading standing meetings with federal stakeholders.

Responsibilities

• Lead and manage end-to-end vulnerability disclosure programs (VDP), including coordination with ethical hackers, system owners, and agency stakeholders.
• Own attack surface management programs (e.g., CISA FAST), including scheduling, scope management, findings coordination, and POA&M documentation.
• Manage and update Standard Operating Procedures (SOPs), SharePoint repositories, and program tracking documentation.
• Lead recurring stakeholder syncs (weekly vulnerability management meetings, DMZ syncs, Security Report presentations).
• Operate and maintain enterprise vulnerability scanning platforms including Tenable.sc, Tenable.io, and web application scanning tools (OpenText ScanCentral or equivalent).
• Scope, schedule, execute, and report on vulnerability scans across large, complex federal environments.
• Analyze scan results to identify critical and high-severity findings; triage false positives; prioritize remediation activities.
• Manage hardware/software certification pipelines; process ServiceNow tickets within defined SLAs.
• Support transition from legacy tools to modernized scanning platforms with minimal operational disruption.
• Track and drive remediation of critical, high, and all severity-tiered vulnerabilities to closure within program SLAs.
• Maintain accurate POA&M records for all open findings across program scope.
• Produce and present vulnerability dashboards, compliance reports, and executive-level status briefings.
• Validate remediation effectiveness through post-remediation scanning and analysis.
• Monitor HTTPS/HSTS compliance and other BOD requirements (BOD 18-01, BOD 20-01, and others as applicable).
• Build and maintain working relationships with CISA contacts, agency system owners, SOC personnel, and contractor teams.
• Communicate vulnerability risks and remediation recommendations clearly to both technical and non-technical audiences.
• Serve as subject matter expert and primary point of contact for assigned programs.
• Provide backfill coverage across vulnerability management workstreams as needed.

Benefits

• Health, Dental, and Vision Insurance
• PTO
• 401(k)
• Remote work flexibility
• Exposure to high-impact federal cybersecurity programs
• Direct access to firm leadership and career development opportunities