Vulnerability Analyst II

Vulnerability Analyst II

Position Title: Vulnerability Analyst II Program: SBA Enterprise Cybersecurity Services (ECS)

The Vulnerability Analyst II provides cybersecurity risk, vulnerability management, and compliance support services in alignment with the SBA Enterprise Cybersecurity Services (ECS) RFQ Task Area 3.5.2. The position supports the SBA Risk Management Framework (RMF), FISMA compliance initiatives, Information System Continuous Monitoring (ISCM), vulnerability management, controls assessment activities, audit support, and continuous monitoring operations across enterprise systems and cloud environments. The analyst performs vulnerability assessments, supports POA&M development, validates security controls, coordinates remediation efforts, and assists Information System Security Officers (ISSOs) and system owners with maintaining compliant and secure systems.

Essential Duties and Responsibilities

• Perform enterprise vulnerability assessments and compliance scans using SBA-approved tools such as Tenable Security Center (SC), Nessus, and Microsoft TVM.
• Review identified vulnerabilities, assess impact and risk, and provide remediation recommendations for operating systems, applications, network devices, and cloud environments.
• Support continuous monitoring and Risk Management Framework (RMF) activities in accordance with NIST SP 800-37, NIST SP 800-53 Rev. 5, and NIST SP 800-53A.
• Assist with the creation, maintenance, and review of cybersecurity documentation including System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), Configuration Management Plans (CMPs), and contingency documentation.
• Support control assessments and validation activities by documenting NIST 800-53A Determine If Statements (DISs) and mapping vulnerabilities to applicable controls.
• Conduct vulnerability scanning activities every 72 hours across workstations, servers, routers, switches, and cloud-based assets in accordance with SBA requirements.
• Monitor CISA Known Exploited Vulnerabilities (KEV) listings and Binding Operational Directives (BODs) to identify and report emerging risks.
• Track zero-day vulnerabilities, coordinate remediation activities, and provide ad hoc reporting to leadership and stakeholders.
• Generate weekly vulnerability reports, dashboards, and briefing materials for ISSOs, system owners, and management.
• Assist with audit preparation and support activities involving IG, GAO, internal auditors, and external assessors.
• Maintain scanning infrastructure including scanner deployment, configuration, plugin updates, scan repositories, and vulnerability management SOPs.
• Support FedRAMP Continuous Monitoring (CONMON) activities by reviewing vulnerability reports and assessing vendor remediation activities.
• Participate in change management, security operations meetings, and enterprise cybersecurity coordination activities.
• Ensure all deliverables are complete, accurate, aligned with agency templates, and delivered within required timeframes.

Minimum Qualifications

• Bachelor's degree in Cybersecurity, Information Technology, Computer Science, Information Assurance, or related discipline. Additional years of experience may substitute for degree requirements.
• 3–6 years of experience supporting vulnerability management, cybersecurity compliance, RMF, or information assurance activities in a federal environment.
• Experience performing vulnerability assessments and remediation activities using Tenable SC/Nessus or equivalent tools.
• Knowledge of FISMA, NIST RMF, NIST SP 800-53 Rev. 5, NIST SP 800-53A, NIST SP 800-137, and related federal cybersecurity standards.
• Experience supporting POA&M management, security assessments, continuous monitoring, and audit response activities.
• Working knowledge of Windows, Linux/Unix, network infrastructure, cloud platforms, and enterprise security technologies.
• Strong written and verbal communication skills with the ability to produce technical documentation and executive-level reports.
• Ability to analyze security findings, prioritize risks, and coordinate remediation with technical stakeholders.

Preferred Certifications

• CompTIA Security+
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (CEH)
• GIAC Security Certifications (GSEC, GPEN, or similar)
• Tenable Certified Professional or equivalent vulnerability management certification