Cyber Security Analyst III (Vulnerability Management)

Remote Full-time Live

Position Overview

The primary duty of the Cyber Security Analyst III is the skilled application of systems analysis and technical evaluation methods to identify, test, and document security vulnerabilities across enterprise environments. This includes analyzing scan data, interpreting results with increasing independence, and supporting the design and implementation of software or system modifications that mitigate identified weaknesses. The role requires applying sound professional judgment to configure and validate vulnerability management tools, integrate results into enterprise systems, and ensure that solutions align with technical specifications and cybersecurity standards for unclassified federal information systems. The Analyst III operates with greater autonomy than junior levels, provides guidance to less experienced staff, and contributes to continuous improvement of vulnerability management processes.

Major Activities (Typical Duties/Responsibilities)

Perform vulnerability scanning across servers, endpoints, network devices, and cloud environments using approved tools (e.g., Tenable, Nessus); refine scanning configurations, schedules, and coverage to improve program effectiveness.
Analyze and interpret scan results to validate findings, identify false positives, and prioritize vulnerabilities based on risk severity, exploitability, and asset criticality; provide well-supported risk-based recommendations to system owners and program leadership.
Coordinate with system owners, administrators, and stakeholders to support timely remediation or mitigation of vulnerabilities, including appropriate escalation of high-risk findings.
Document and track remediation progress through POA&Ms, ticketing systems, or enterprise GRC platforms.
Contribute to and conduct risk assessments by evaluating the potential impact of unmitigated vulnerabilities, recommending compensating controls, and clearly documenting findings for review by stakeholders and leadership.
Support and contribute to continuous monitoring reporting by maintaining vulnerability metrics, trend analyses, and risk summaries for leadership review; identify gaps and recommend process improvements.
Conduct and participate in assurance activities, validating vulnerability scan coverage, tool configuration, and data quality; support audit and assessment activities to ensure program outputs meet federal reporting standards.
Evaluate patch management effectiveness and identify gaps in remediation processes; develop recommendations and supporting metrics for process improvement.
Collaborate with the Security Operations Center (SOC) and Incident Response (IR) teams, providing vulnerability context to help correlate known weaknesses with active threats, events, and exploitation indicators.
Support RMF implementation activities related to vulnerability management, ensuring vulnerability data informs security assessments, risk posture updates, and authorization maintenance; assist ISSOs and ISSMs with vulnerability-related POA&M documentation and risk responses.
Monitor CISA Binding Operational Directives (BODs), Common Vulnerabilities and Exposures (CVE) trends, and emerging threat advisories; summarize implications for agency systems and communicate relevant findings to the team and stakeholders.
Provide guidance and informal mentoring to junior analysts on vulnerability management tasks, tool usage, and documentation standards; assist with onboarding of new team members as needed.
Contribute to vulnerability management process improvement efforts, including participation in tool evaluations and development of standard operating procedures, playbooks, and technical documentation.
Monitor the Configuration Management Database (CMDB) (e.g., ServiceNow CMDB) to maintain accurate asset inventory, validate scan coverage against the known asset population, and identify discrepancies between CMDB records and discovered assets.
Review and respond to configuration change alerts generated by the CMDB or related change management workflows; assess the vulnerability implications of configuration changes, coordinate with system owners as appropriate, and document findings in support of continuous monitoring requirements.
Perform other duties as appropriate and as assigned.

Knowledge/Skills/Abilities

Proficiency with enterprise vulnerability scanning and management platforms (e.g., Tenable.sc, Nessus, Qualys, ACAS, or similar).
Solid understanding of CVSS scoring, CVE analysis, patch management principles, and risk-based vulnerability prioritization methods.
Good interpersonal skills: ability to work effectively and cooperatively with all levels of management and staff, affiliated-company employees as well as outside business associates; exhibits a professional manner in dealing with others.
Superior organizational, follow-up, and detail-oriented skills.
Strong ability to analyze documents and categorize appropriately.
Ability to maintain accurate records.
Work independently, as well as on a team and with minimal supervision.
Make decisions, solve problems, and exercise excellent judgment.
Work well under pressure and independently prioritize workload, while working on multiple projects.
Ability to research, organize and analyze technical information with particular attention to accuracy and detail.
Excellent written and verbal communication skills; including thorough knowledge of proper grammar, advanced vocabulary, spelling, editing and proofreading skills.
Proficient using Microsoft Office products, such as Word, Excel and PowerPoint, and industry-standard computer software and databases.
High degree of sensitivity regarding confidential information.

Physical Abilities

Sufficient fine motor skills for the use of computers, calculators with an ability to withstand repetitive keyboarding for extended periods of time.
Visual and communications ability adequate to perform the essential functions of the job.
Ability to kneel, bend and twist at the waist on an occasional basis.
Ability to reach below shoulder height with regular frequency (desk position) and at or above shoulder height on occasion.
Ability to push, pull, carry and lift objects weighing up to 10 pounds on a regular basis, and greater weights on an occasional basis.
Ability to travel by vehicle or aircraft, and ability to safely operate a motor vehicle.

Minimum Requirements

Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field.
5+ years of experience in vulnerability management, system security, or security operations, or equivalent combination of education, experience, and training.
Ability to pass a background and drug screening.
Must have identification compliant with the Real ID Act at time of hire.
Must be able to obtain Department of Energy access badge.

Preferred Qualifications

Experience integrating vulnerability scan data with GRC or POA&M tracking systems (e.g., eMASS, RegScale, ServiceNow GRC, or similar).
Familiarity with CISA directives, STIGs, and federal vulnerability reporting requirements.
Knowledge of cloud vulnerability management, including AWS, Azure, or hybrid environments.
Exposure to threat intelligence correlation or risk-based vulnerability prioritization methods.
Relevant certifications such as Security+, CySA+, CEH, CGRC (CAP), or Tenable Certified Practitioner.

Pay Range: $89,596-$158,000

Benefits: OSC Technical Solutions offers excellent benefits for eligible employees. Benefits include paid holidays, paid time off, 401k with employer match, dental, vision, health insurance plans through the Federal Employee Health Benefits (FEHB) program, as well as life and disability benefits.

OSC Technical Solutions does not discriminate, and the company provides equal employment opportunity for all employees and applicants without regard to race, religion, color, sex, gender, sexual orientation, national origin, citizenship status, age, marital status, pregnancy or parenthood, handicap or disability, genetics, veteran status or any other legally protected characteristic. OSC Technical Solutions adheres to all federal, state and local laws regarding equal employment opportunity and will not discriminate against you in violation of these laws. OSC Technical Solutions reserves the right to apply CIRI Shareholder preference to qualified Shareholders in employment and advancement opportunities.

OSC Technical Solutions participates in E-Verify. We will provide the Social Security Administration (SSA) and, if necessary, the Department of Homeland Security (DHS), with information from each new employee's Form I-9 to confirm work authorization.

Reasonable Accommodation: OSC Technical Solutions will provide reasonable accommodations, according to applicable state and federal laws, to all qualified individuals with physical or mental disabilities. In compliance with the ADA Amendments Act (ADAAA), if you have a disability and would like to request an accommodation in order to apply for a position with OSC Global, LLC or any of its subsidiaries, please email [email protected].

Important Employment Notice: Federal Contract & RCW 49.44.240: Due to our status as a federal contractor operating within the State of Washington, all applicants and employees must adhere to federal law, which classifies cannabis as a Schedule I controlled substance. While Washington State’s RCW 49.44.240 (which generally prohibits employers from discriminating against an applicant based on their lawful use of cannabis off-site and during working hours) is state law, it does not supersede federal requirements.

Zero-Tolerance Policy and Disqualification

Prohibition: The use, possession, or distribution of cannabis is strictly prohibited for all employees, regardless of state law.
Testing: Applicants will be subject to pre-employment drug screening that includes testing for cannabis.
Disqualification: A positive test result for cannabis will result in immediate disqualification from consideration for employment, as mandated by our federal contract obligations.

All applicants must be able to comply with all federal regulations, including those concerning controlled substances, as a condition of employment.

In compliance with Homeland Security Presidential Directive 12 (HSPD-12) and Department of Energy (DOE) Hanford Field Office (HFO) direction, employees issued initial badges on or after September 1st, 2025, are required to obtain and maintain a HSPD-12 Personal Identity Verification (PIV) Credential. To obtain this credential, new employees must successfully complete and pass a federal background check investigation. This investigation encompasses multiple areas of eligibility and includes a declaration of illegal drug activities, including use, supply, possession, or manufacture within the last year. This includes marijuana and cannabis derivatives, which are still considered illegal under federal law, regardless of state laws.
