HHS - Vulnerability Analyst

Remote Full-time
cFocus Software seeks a Vulnerability Analyst to join our program supporting the Department of Health and Human Services (HHS). This position is remote. This position requires the ability to obtain a Public Trust clearance.

Qualifications:

• Bachelor’s degree in Cybersecurity, Information Technology, or related field.
• Minimum 5–7 years of experience in vulnerability management or security operations.
• Strong understanding of NIST SP 800-53, NIST SP 800-30, NIST SP 800-137, and HHS vulnerability management requirements.
• Experience performing vulnerability scanning, analysis, and remediation tracking in federal environments.
• Experience with secure configuration standards (DISA STIGs, CIS Benchmarks).
• Strong analytical, documentation, and communication skills.
• CEH, Security+, CISSP, GIAC (GSEC, GPEN), or equivalent cybersecurity certifications.

Duties:

• Perform authenticated and unauthenticated vulnerability scans on a daily and ad hoc basis across servers, workstations, network devices, databases, web applications, APIs, containers, serverless functions, CI/CD pipelines, and Infrastructure as Code (IaC).
• Analyze vulnerability scan results to determine applicability, severity, exploitability, and risk using CVSS scoring, threat intelligence, and Known Exploited Vulnerabilities (KEV) catalogs.
• Provide daily remediation guidance and mitigation strategies to system owners, administrators, developers, and other stakeholders.
• Maintain and ensure operational health of vulnerability scanning tools, including agents, sensors, integrations, and supporting infrastructure.
• Coordinate with tool vendors, hosting teams, and network operations to troubleshoot and resolve tool-related issues.
• Develop and maintain HRSA security configuration baselines using DISA STIGs and Center for Internet Security (CIS) benchmarks.
• Perform compliance and configuration scans against approved baselines on a weekly, quarterly, and ad hoc basis.
• Validate remediation through follow-up scans and evidence review, and confirm closure of vulnerabilities.
• Support penetration testing activities, including test planning, execution, exploitation, reporting, and coordination with stakeholders.
• Conduct application security testing including SAST, DAST, software composition analysis, SBOM review, dependency scanning, and secure code analysis.
• Support secure DevSecOps practices by integrating automated vulnerability testing into CI/CD pipelines and code repositories.
• Develop vulnerability dashboards and reports for ISSOs, system owners, engineers, and DCSP leadership.
• Maintain authoritative asset inventories and correlate data across vulnerability tools, CMDB, eGRC, and cloud inventories to ensure full scanning coverage.
• Support Incident Response activities by providing vulnerability data, exploit analysis, and remediation recommendations.
• Develop and maintain vulnerability management SOPs, workflows, and technical documentation.
• Maintain SLAs for vulnerability scanning requests and remediation tracking.