Soft-World

Vulnerability Management Consultant

Soft-World, McLean, Virginia, US, 22107


Job Title: Vulnerability Management Consultant

Job Location: McLean VA 22102

Onsite Requirements: managing vulnerabilities, remediating findings, managing patches.

Job Description:

Requirements: The candidate shall possess the knowledge and skills set forth in the Specialized Cybersecurity and Privacy Support Services BOA, Section H.3.f. for Labor Category 7, Senior Vulnerability Management, with the following set of specific knowledge and experience:

- Experience with security technologies, including vulnerability scanners and SIEM solutions. Specific systems include Tenable, Nessus, Invicti, Splunk, and other vulnerability management solutions (e.g., enterprise patch management).
- Experience managing vulnerabilities in both on-premises systems and in cloud environments (e.g., Amazon Web Services, Microsoft Azure, Google Cloud, and Data Centers).
- Familiarity with relevant industry standards and regulations. This should include specific requirements of federal government institutions and general best practices for a quality VM program.
- Experience identifying and developing mitigation strategies. This includes designing mitigations that specifically address vulnerabilities, working with system owners to patch systems, and identifying adequate solutions to remediate vulnerabilities where patching is not possible.
- Experience analyzing data and identifying vulnerabilities. This extends beyond running a scan and identifying vulnerabilities found by the system. This includes analyzing systems, network configurations, web applications, and architectural diagrams, as well as identifying top vulnerabilities such as those listed in the OWASP "Top Ten" and understanding how those vulnerabilities work at the programmatic level.
- Experience with workflows, forms, and other enabling technologies that may be needed to operationalize the VM program. Software needs might include ServiceNow, SharePoint, Adobe Forms, automated email messaging, PowerApps, Tableau for visualization, and Splunk.

NOTE: Along with a resume, the candidate must submit at least 2 writing samples that show experience with managing vulnerabilities, remediating findings, and/or managing patches.

Responsibilities: Duties and responsibilities include performing hands-on vulnerability scanning and management, patching systems, designing mitigation strategies, and authoring vulnerability-related products (including program doctrine, analysis reports, and other documents required as part of a formal VM program). Specific responsibilities shall include, but are not limited to, the following:

- Author / amend the Board's VM Program document to serve as the primary tool for designing the ideal VM program for the Information Security Branch.
- Support the implementation of a formal VM program with a variety of product types (e.g., program documents, policy documents, mitigation strategies, analysis reports, standard operating procedures).
- Support the expansion of the VM program to include endpoints, mobile devices, cloud infrastructure, and more.
- Research new vulnerability capabilities and recommend solutions that can be employed within the Board's infrastructure. Support the deployment of new capabilities.
- Adapt the Board's VM program as needed to support the implementation of a Zero Trust architecture.
- Build dashboards, metrics, and reports that convey the health and stability of the VM program.
- Generate reports to measure the Board's progress in meeting vulnerability remediation targets.
- Apply innovative techniques, such as Artificial Intelligence and/or Machine Learning (AI/ML), to the VM program to maximize efficiencies and reduce risk to the Board.
- Develop workflows, forms, and other procedures to enable any aspect of the VM process necessary to realize a fully operational program (e.g., workflows in ServiceNow, forms, automated email messaging, and user interfaces via PowerApps).
- Develop and give presentations and create other communications needed to support the VM program.
- Monitor the Board's compliance with BOD 22-01, to include tracking Board vulnerabilities against the Cybersecurity and Infrastructure Security Agency (CISA) catalog of known exploited vulnerabilities.
- Attend meetings as required, take meeting notes / minutes, capture action items on behalf of the Cybersecurity Operations Unit, and provide that information back to the team.

3rd party and subcontract staffing agencies are not eligible for partnership on this position. 3rd party subcontractors need not apply.

This position requires candidates to be eligible to work in the United States, directly for an employer, without sponsorship now or anytime in the future. This client is a US Federal Government contractor and is legally required to hire US Citizens. Only US Citizens will be considered for this role.