Vulnerability Management Program Engineer
What you'd do
The Office of Information Technology (OIT) is seeking an IT Specialist (INFOSEC) (Vulnerability Management Program Engineer). As a Vulnerability Management Program Engineer, you will lead enterprise vulnerability lifecycle operations across hybrid, cloud, and modern DevSecOps environments. You will architect, optimize, and operate vulnerability scanning platforms; integrate security tooling into CI/CD pipelines; and drive measurable risk reduction across the enterprise.
Major duties
In this role as a Vulnerability Management Program Engineer, you will be responsible for: Leading enterprise vulnerability management operations from discovery and triage through remediation and validation Engineering and integrating vulnerability management solutions including developing and enforcing automated security gates and policies Analyzing, prioritizing, and driving risk reduction by performing expert analysis of vulnerability data and converting results into actionable remediation guidance Building and maintaining dashboards to measure remediation progress, program maturity, and risk trends Supporting cloud and hybrid network architectures, including troubleshooting complex hybrid issues (TLS/SSL, reverse proxies, segmentation, and distributed scanning nodes) Aligning all vulnerability management operations to internal policies and federal laws, regulations, and requirements, including NIST SP 800-53, SP 800-137, CIS Benchmarks, DISA STIGs, and FedRAMP requirements
What you need to qualify
Applicants are responsible for confirming all required materials are submitted by the closing date of the announcement. Please check the How You Will Be Evaluated and Required Documents sections carefully, as missing documents will render the application incomplete and ineligible for review. Qualifying experience may be obtained in the private or public sector. Experience refers to paid and unpaid experience, including volunteer work done through National Service programs (e.g., Peace Corps, AmeriCorps) and other organizations (e.g., professional, philanthropic, religious, spiritual, community, student, social). Volunteer work helps build critical competencies, knowledge, and skills and can provide valuable training and experience that translates directly to paid employment. You will receive credit for all qualifying experience, including volunteer experience. All qualification requirements must be met by the closing date of this announcement. BASIC REQUIREMENT: For all positions individuals must have IT-related experience demonstrating each of the four competencies listed below: Attention to Detail - Is thorough when performing work and conscientious about attending to detail. Customer Service - Works with clients and customers (that is, any individuals who use or receive the services or products that your work unit produces, including the general public, individuals who work in the agency, other agencies, or organizations outside the Government) to assess their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services. Oral Communication - Expresses information (for example, ideas or facts) to individuals or groups effectively, taking into account the audience and nature of the information (for example, technical, sensitive, controversial); makes clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately. Problem Solving - Identifies problems; determines accuracy and relevance of information; uses sound judgment to generate and evaluate alternatives, and to make recommendations. MINIMUM QUALIFICATION REQUIREMENT: In addition to meeting the basic requirement, applicants must also meet the minimum qualification requirement below. SK-14: Applicant must have at least one year of specialized experience equivalent to the GS/SK-13 level: Executing and managing enterprise vulnerability scanning across on-prem, cloud, and hybrid environments; Engineering, configuring, or optimizing vulnerability management platforms (Qualys, Tenable, Nessus, or equivalent); Performing vulnerability triage and risk scoring to develop remediation recommendations for system owners; and Applying NIST, CIS Benchmarks, DISA STIG, or FedRAMP standards in vulnerability management or compliance operations. ACCOMPLISHMENT RECORD COMPETENCIES: Your Accomplishment Record narratives should address the following competencies. See the How You Will Be Evaluated section below for more information: Information Systems/Network Security - Implements and uses methods, tools, and procedures, including the development of information security plans and standards, to prevent information systems vulnerabilities and provide or restore privacy and security of applications, information systems, and/or network services. Technology Expertise - Knowledge of the principles and methods of specialized technologies, tools, and delivery systems, including security, risk management, governance, functionality, and user interface in area of expertise (e.g., programming languages, server, web, applications, network). Risk Management and Disaster Recovery - Uses methods and tools for risk assessment and mitigation of risk, including the identification, assessment, and prioritization of risks to minimize, monitor, and control the probability and/or impact of events. Problem Solving and Decision Making - Ability to identify and solve important problems relevant to program areas through sound and timely decision making, even in less than ideal situations, with little or no guidance.
Before you apply
Federal applications are different: your resume should be 3–5 pages and mirror the language of this announcement. Read our federal resume guide first — it's the #1 reason qualified people get screened out.
Don't miss the next one.
Get an email the moment a similar federal job opens — postings can close in as little as 5 days.