SBA - Vulnerability Analyst II

Vulnerability Analyst II – Job Description

Position Summary

Essential Duties and Responsibilities

• Perform enterprise vulnerability assessments and compliance scans using SBA-approved tools such as Tenable Security Center (SC), Nessus, and Microsoft TVM.
• Review identified vulnerabilities, assess impact and risk, and provide remediation recommendations for operating systems, applications, network devices, and cloud environments.
• Support continuous monitoring and Risk Management Framework (RMF) activities in accordance with NIST SP 800-37, NIST SP 800-53 Rev. 5, and NIST SP 800-53A.
• Assist with the creation, maintenance, and review of cybersecurity documentation including System Security Plans (SSPs), Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), Configuration Management Plans (CMPs), and contingency documentation.
• Support control assessments and validation activities by documenting NIST 800-53A Determine If Statements (DISs) and mapping vulnerabilities to applicable controls.
• Conduct vulnerability scanning activities every 72 hours across workstations, servers, routers, switches, and cloud-based assets in accordance with SBA requirements.
• Monitor CISA Known Exploited Vulnerabilities (KEV) listings and Binding Operational Directives (BODs) to identify and report emerging risks.
• Track zero-day vulnerabilities, coordinate remediation activities, and provide ad hoc reporting to leadership and stakeholders.
• Generate weekly vulnerability reports, dashboards, and briefing materials for ISSOs, system owners, and management.
• Assist with audit preparation and support activities involving IG, GAO, internal auditors, and external assessors.
• Maintain scanning infrastructure including scanner deployment, configuration, plugin updates, scan repositories, and vulnerability management SOPs.
• Support FedRAMP Continuous Monitoring (CONMON) activities by reviewing vulnerability reports and assessing vendor remediation activities.
• Participate in change management, security operations meetings, and enterprise cybersecurity coordination activities.
• Ensure all deliverables are complete, accurate, aligned with agency templates, and delivered within required timeframes.

Minimum Qualifications

• Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Information Assurance, or related discipline. Additional years of experience may substitute for degree requirements.
• 3–6 years of experience supporting vulnerability management, cybersecurity compliance, RMF, or information assurance activities in a federal environment.
• Experience performing vulnerability assessments and remediation activities using Tenable SC/Nessus or equivalent tools.
• Knowledge of FISMA, NIST RMF, NIST SP 800-53 Rev. 5, NIST SP 800-53A, NIST SP 800-137, and related federal cybersecurity standards.
• Experience supporting POA&M management, security assessments, continuous monitoring, and audit response activities.
• Working knowledge of Windows, Linux/Unix, network infrastructure, cloud platforms, and enterprise security technologies.
• Strong written and verbal communication skills with the ability to produce technical documentation and executive-level reports.
• Ability to analyze security findings, prioritize risks, and coordinate remediation with technical stakeholders.

Preferred Certifications

• CompTIA Security+
• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (CEH)
• GIAC Security Certifications (GSEC, GPEN, or similar)
• Tenable Certified Professional or equivalent vulnerability management certification