What are the responsibilities and job description for the HHS - Vulnerability Analyst position at cFocus Software Incorporated?
cFocus Software seeks a Vulnerability Analyst to join our program supporting the Department of Health and Human Services (HHS) This position is remote. This position requires the ability a Public Trust clearance.
Qualifications:
Qualifications:
- Bachelor’s degree in Cybersecurity, Information Technology, or related field.
- Minimum 5–7 years of experience in vulnerability management or security operations.
- Strong understanding of NIST SP 800-53, NIST SP 800-30, NIST SP 800-137, and HHS vulnerability management requirements.
- Experience performing vulnerability scanning, analysis, and remediation tracking in federal environments.
- Experience with secure configuration standards (DISA STIGs, CIS Benchmarks).
- Strong analytical, documentation, and communication skills.
- CEH, Security , CISSP, GIAC (GSEC, GPEN), or equivalent cybersecurity certifications
- Perform authenticated and unauthenticated vulnerability scans on a daily and ad hoc basis across servers, workstations, network devices, databases, web applications, APIs, containers, serverless functions, CI/CD pipelines, and Infrastructure as Code (IaC).
- Analyze vulnerability scan results to determine applicability, severity, exploitability, and risk using CVSS scoring, threat intelligence, and Known Exploited Vulnerabilities (KEV) catalogs.
- Provide daily remediation guidance and mitigation strategies to system owners, administrators, developers, and other stakeholders.
- Maintain and ensure operational health of vulnerability scanning tools, including agents, sensors, integrations, and supporting infrastructure.
- Coordinate with tool vendors, hosting teams, and network operations to troubleshoot and resolve tool-related issues.
- Develop and maintain HRSA security configuration baselines using DISA STIGs and Center for Internet Security (CIS) benchmarks.
- Perform compliance and configuration scans against approved baselines on a weekly, quarterly, and ad hoc basis.
- Validate remediation through follow-up scans and evidence review and confirm closure of vulnerabilities.
- Support penetration testing activities, including test planning, execution, exploitation, reporting, and coordination with stakeholders.
- Conduct application security testing including SAST, DAST, software composition analysis, SBOM review, dependency scanning, and secure code analysis.
- Support secure DevSecOps practices by integrating automated vulnerability testing into CI/CD pipelines and code repositories.
- Develop vulnerability dashboards and reports for ISSOs, system owners, engineers, and DCSP leadership.
- Maintain authoritative asset inventories and correlate data across vulnerability tools, CMDB, eGRC, and cloud inventories to ensure full scanning coverage.
- Support Incident Response activities by providing vulnerability data, exploit analysis, and remediation recommendations.
- Develop and maintain vulnerability management SOPs, workflows, and technical documentation.
- Maintain SLAs for vulnerability scanning requests and remediation tracking