Vulnerability Management Lead

About The Position

Requirements

• 7+ years of experience supporting DoD or IC customer cybersecurity programs
• Experience with ACAS, including Tenable.sc or Nessus, in enterprise environments
• Experience designing enterprise STIG compliance solutions
• Knowledge of RMF, NIST 800-53, POA&M management, and continuous monitoring
• Ability to mentor junior staff, contribute to internal IP, playbooks, and reusable artifacts, and support contract deliverables, metrics, and reporting requirements
• Ability to interface directly with government stakeholders, providing clear and concise risk-based recommendations
• Active TS/SCI clearance; willingness to take a polygraph exam
• Associate’s degree and 5+ years of experience supporting IT projects and activities, Bachelor’s degree and 3+ years of experience supporting IT projects and activities, or Master’s degree and 1+ years of experience supporting IT projects and activities
• DoD 8570.01-M Information Assurance Technician (IAT) Level II Certification such as Security+ CE, CCNA-Security, GSEC, SSCP, CySA+, GICSP, or CND Certification
• Ability to obtain a DoD 8570.01-M Cybersecurity Service Provider - Infrastructure Support Certification such as CEH, CySA+, GICSP, SSCP, CHFI, CFR, Cloud+, or CND Certification, within 30 days of start date

Nice To Haves

• Experience supporting large multi-program or enterprise-level DoD contracts
• Experience with ServiceNow, Xacta, eMASS, or similar GRC or ATO tooling
• Experience with scripting or automation using tools such as Python and PowerShell
• Experience in cloud or hybrid DoD environments such as AWS GovCloud and Azure Government

Responsibilities

• Lead ACAS modernization efforts, transitioning Tenable deployments from basic scanning to enterprise vulnerability management services.
• Modernize ACAS implementation by standardizing scan policies, credentialed coverage, asset tagging, and data hygiene.
• Design contractor-operated workflows for vulnerability intake, prioritization, remediation tracking, and risk acceptance.
• Integrate ACAS outputs into customer POA&M processes, ATO sustainment activities, and reporting requirements.
• Advise government stakeholders on vulnerability prioritization, risk tradeoffs, and RMF integration.
• Partner with cyber engineering, architecture, and RMF teams to align vulnerability management with Zero Trust modernization initiatives.
• Produce executive-level briefings on cyber risk posture, trends, and remediation effectiveness.
• Develop enterprise STIG compliance frameworks that enable control inheritance, reuse, and automation across systems.
• Standardize STIG baselines, tailoring decisions, and documentation to reduce per-system compliance burden.
• Implement and maintain SCAP or STIG tooling such as SCC, OpenSCAP, and vendor solutions, across server, endpoint, and platform technologies.
• Produce defensible STIG artifacts and evidence packages to support ATOs and continuous monitoring.
• Advise system owners and ISSMs on remediation strategies and risk-based deviations.
• Automate repeatable tasks using scripting and workflow tooling, where feasible.
• Integrate ACAS and STIG outputs with customer ticketing, GRC, or reporting systems.

Benefits

• health
• life
• disability
• financial
• retirement benefits
• paid leave
• professional development
• tuition assistance
• work-life programs
• dependent care
• recognition awards program