cFocus Software seeks a Vulnerability Analyst to join our program supporting the Department of Health and Human Services (HHS). This position is remote. This position requires the ability to obtain a Public Trust clearance.
Qualifications:
- Bachelor's degree in Cybersecurity, Information Technology, or a related field.
- Minimum 5 to 7 years of experience in vulnerability management or security operations.
- Strong understanding of NIST SP 800-53, NIST SP 800-30, NIST SP 800-137, and HHS vulnerability management requirements.
- Experience performing vulnerability scanning, analysis, and remediation tracking in federal environments.
- Experience with secure configuration standards (DISA STIGs, CIS Benchmarks).
- Strong analytical, documentation, and communication skills.
- CEH, Security+, CISSP, GIAC (GSEC, GPEN), or equivalent cybersecurity certifications.
Duties:
- Perform authenticated and unauthenticated vulnerability scans on a daily and ad hoc basis across servers, workstations, network devices, databases, web applications, APIs, containers, serverless functions, CI/CD pipelines, and Infrastructure as Code (IaC).
- Analyze vulnerability scan results to determine applicability, severity, exploitability, and risk using CVSS scoring, threat intelligence, and Known Exploited Vulnerabilities (KEV) catalogs.
- Provide daily remediation guidance and mitigation strategies to system owners, administrators, developers, and other stakeholders.
- Maintain and ensure the operational health of vulnerability scanning tools, including agents, sensors, integrations, and supporting infrastructure.
- Coordinate with tool vendors, hosting teams, and network operations to troubleshoot and resolve tool-related issues.
- Develop and maintain HRSA security configuration baselines using DISA STIGs and Center for Internet Security (CIS) Benchmarks.
- Perform compliance and configuration scans against approved baselines on a weekly, quarterly, and ad hoc basis.
- Validate remediation through follow-up scans and evidence review, and confirm closure of vulnerabilities.
- Support penetration testing activities, including test planning, execution, exploitation, reporting, and coordination with stakeholders.
- Conduct application security testing, including SAST, DAST, software composition analysis, SBOM review, dependency scanning, and secure code analysis.
- Support DevSecOps practices by integrating automated vulnerability testing into CI/CD pipelines and code repositories.
- Develop vulnerability dashboards and reports for ISSOs, system owners, engineers, and DCSP leadership.
- Maintain authoritative asset inventories and correlate data across vulnerability tools, the CMDB, eGRC, and cloud inventories to ensure full scanning coverage.
- Support incident response activities by providing vulnerability data, exploit analysis, and remediation recommendations.
- Develop and maintain vulnerability management SOPs, workflows, and technical documentation.
- Maintain SLAs for vulnerability scanning requests and remediation tracking.
Required Experience:
Senior IC