Key skills
AWSAzureCloudGoogle Cloud PlatformKubernetesPythonBashPowerShellGCPGoogle CloudPrismaCI/CDChange ManagementCommunication
About this role
Role Overview
- Manage Plan of Action & Milestones (POA&Ms) lifecycle including creation, tracking, risk adjustment justification, and deviation requests in coordination with 3PAO assessors and federal stakeholders
- Collect, organize, and maintain security control evidence and artifacts for monthly continuous monitoring deliverables and assessment/authorization activities, ensuring alignment with FedRAMP, HITRUST, PCI, and similar frameworks
- Maintain accurate system inventory and authorization boundary documentation to ensure scanning scope aligns with approved system boundaries
- Analyze scan results for false positives, document justifications, and prepare deviation requests with supporting risk assessments
- Translate technical vulnerability findings into risk-based language for federal clients and authorization officials, presenting monthly status briefings as needed
- Collaborate with development, SRE, and infrastructure teams to integrate vulnerability management into CI/CD pipelines, cloud environments (AWS, Azure, GCP), and container/Kubernetes platforms
- Participate in change management processes to ensure continuous monitoring activities align with system changes and maintain compliance posture
- Support and maintain enterprise vulnerability management tools (such as Tenable, Nessus, Burp, Qualys, Rapid7, Wiz, Prisma, Microsoft Defender), ensuring timely updates and patches
- Run regular and on-demand scans across operating systems, databases, web applications, and containers, then work with technical teams to create tickets for remediation
- Track and document vendor dependencies, operational requirements, and open vulnerabilities, producing clear monthly reports and updates for clients
- Contribute to improving internal standards and processes, including maintaining documentation, training materials, and standard operating procedures
Requirements
- 3–5 years of professional experience in vulnerability management, compliance monitoring, or related security operations roles
- Hands-on expertise with operating system, database, network, container, web application, and API vulnerability management
- Direct experience supporting vulnerability management in at least two of the following cloud providers: AWS, Azure, GCP
- Background working within at least one compliance framework (for example, FedRAMP, HITRUST, PCI), including risk assessment and reporting
- Experience delivering monthly or periodic vulnerability status reports and tracking remediation efforts with internal and external teams
- Administrator-level certification in AWS, Azure, or GCP
- Working knowledge of cloud architecture and security controls in AWS, Azure, or GCP, including ability to assess attack surfaces and recommend cloud-native remediation approaches
- Strong knowledge of vulnerability scanning technologies and methods, including scoring systems (CVSS, CMSS) and risk prioritization frameworks
- Understanding of NIST 800-53 security controls, particularly RA-5, SI-2, CM-6, and how continuous monitoring supports control implementation
- Experience with STIG benchmarks and automated compliance scanning tools (SCAP, SCC)
- Familiarity with baseline configuration standards (CIS Benchmarks, vendor hardening guides) and compliance posture reporting
- Ability to distinguish false positives from true vulnerabilities and articulate risk-based justifications for deviation requests
- Proficiency in scripting languages (Python, PowerShell, Bash) for task automation, report generation, and remediation workflows
- Strong client-facing communication and documentation skills, with ability to present technical findings to federal stakeholders and produce timely compliance reports
- Ability to work efficiently with cross-functional technical teams to investigate, prioritize, and coordinate vulnerability remediation efforts
- Bachelor’s degree or equivalent work experience.
Tech Stack
- AWS
- Azure
- Cloud
- Google Cloud Platform
- Kubernetes
- Python
Benefits
- paid parental leave
- flexible time off
- certification and training reimbursement
- digital mental health and wellbeing support membership
- comprehensive insurance options