Description
Do you love being part of a team of highly skilled, motivated, and dedicated professionals responsible for protecting sensitive data while administering enterprise Information Systems (IS) that support the Johns Hopkins University Applied Physics Laboratory (JHUAPL) mission?
Do you want to integrate vulnerability management, cybersecurity, and compliance within our enterprise, sector, and department networks?
Do you have a deep-seated passion for protecting our Nation's sensitive information? If so, we're looking for someone like you to join our team at APL.
We are seeking a dedicated Vulnerability Assessment Analyst to help protect APL's unclassified, enterprise information technology infrastructure, including unclassified systems and components. In this role, you will be responsible for identifying, assessing, and remediating vulnerabilities as they pertain to risk in our information systems while ensuring compliance with relevant regulations and standards. You'll actively work with our defensive cybersecurity teams to evaluate, assess, and remediate vulnerabilities in accordance with risk management in our information systems. As a member of our team, you'll contribute to Cybersecurity, Compliance Management and Oversight of our unclassified information systems in support of Sponsor/Program needs.
As a Vulnerability Assessment Analyst, you will...
- Conduct vulnerability scans and analyze data to prioritize remediation for an enterprise environment.
- Assess and identify systemic security issues based on the analysis of vulnerability and configuration data.
- Configure and maintain Tenable Products to ensure compliance and the latest updates.
- Analyze the organization's cybersecurity policies and configurations and evaluate compliance with regulations and organizational directives.
- Prepare audit reports that identify technical and procedural findings and provide recommended remediation strategies and solutions.
- Perform technical (evaluation of technology) and non-technical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas, including local computing environments, networks and infrastructure, control systems and operational environments, enclave boundaries, supporting infrastructure, and applications.
- Conduct risk assessments and provide recommendations on the selection of cost-effective security controls to mitigate risks, including the protection of information, systems, and processes.
- Research Vulnerability Management products, vulnerabilities, solutions, and root causes.
- Stay current with the latest industry best practices, technology trends, and security vulnerabilities as they pertain to the Lab's technologies, and attend DoD ACAS/Tenable Product Meetings.
- Work with other compliance analysts to maintain System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), supporting artifacts, and other compliance-related documentation.
- Collaborate with cross-functional teams, including IT, contracts, and legal, to ensure security requirements are integrated into system development and operations.
- Support the Risk Management Framework (RMF) lifecycle activities, including asset categorization, CMMC practice application, and continuous assessment & monitoring.
- Help support both internal and external audits and assessments related to CMMC, NIST SP 800-171, Privacy & Health Controls, and other cybersecurity and compliance-related activities.
- Assist with developing and implementing a corrective action plan to address any identified compliance gaps and risks, monitor changes to the DFARS, CMMC, NIST SP 800-171, FedRAMP, and other RMF and cybersecurity-related standards and regulations, and update internal processes accordingly.
Qualifications
You meet our minimum qualifications for the job if you...
- Possess a B.S. Degree in Information Technology, Cybersecurity, Computer Science, Information Systems, Data Science, or other related field, or equivalent years of professional work experience.
- Have 4+ years' experience developing, managing, or having direct implementation responsibility for vulnerability management tools, processes, policies, and plans for enterprise information technology systems.
- Have experience working with Vulnerability Management products (e.g., Tenable).
- Possess strong analytical, technical, and research skills, with a passion for data quality and process rigor.
- Possess a good understanding of system-level software and operating systems, to include Windows, macOS, Linux, virtualization, and containerization, as well as a working knowledge of computing hardware, desktop applications, computer networking, and cloud technologies.
- Are experienced in contextualizing vulnerability and threat risk by assessing actual impact to organizational systems rather than relying solely on vendor or government-provided ratings.
- Have experience with system monitoring, audit logging, aggregation, and correlation tools (e.g., Splunk).
- Have hands-on experience building analytical reports, dashboards, and interactive visualizations across platforms such as Splunk and Power BI.
- Are able to aggregate and correlate vulnerability data from various sources to improve product interoperability, identify blind spots, and design custom detection and remediation workflows.
- Have a strong working knowledge of NIST SP 800-171, 800-53 and 800-37, and particularly the DoD Cybersecurity Maturity Model Certification (CMMC) Program, and the ability to support risk-based decisions and ensure compliance across the enterprise.
- Are able to obtain the CMMC Certified Professional (CCP) credential within the first six (6) months of hire.
- Possess a comprehensive understanding of government cybersecurity compliance standards, regulations, and policies, with the ability to communicate requirements to all stakeholders necessary to support the enterprise system, including configuration changes, application patching, incident response, vulnerability mitigation, and risk management.
- Are able to obtain a Secret security clearance. If selected, you will be subject to a government security clearance investigation and must meet the requirements for access to classified information. Eligibility requirements include U.S. citizenship.
You'll go above and beyond our minimum requirements if you...
- Meet and demonstrate intermediate DoD 8140.03 Cyberspace Workforce Qualification and Management Program requirements through training and/or certifications (e.g., Security+, equivalent, or higher security certification).
- Possess a Master's degree in Information Technology, Cybersecurity, Computer Science, Information Systems, Data Science, or other related field, or equivalent years of professional work experience.
- Meet and demonstrate advanced DoD 8140.03 Cyberspace Workforce Qualification and Management Program requirements through training and/or certifications (e.g., CISSP, equivalent, or higher security certification).
- Have additional experience in cybersecurity supporting domains such as intelligence analysis, Security Operations Center (SOC) support, governance, and/or risk management, Development, Security, Operations (DevSecOps), computer forensics, policy creation, technical writing, incident response, disaster recovery, etc.
About Us
Why Work at APL?
The Johns Hopkins University Applied Physics Laboratory (APL) brings world-class expertise to our nation's most critical defense, security, space and science challenges. While we are dedicated to solving complex challenges and pioneering new technologies, what makes us truly outstanding is our culture. We offer a vibrant, welcoming atmosphere where you can bring your authentic self to work, continue to grow, and build strong connections with inspiring teammates. At APL, we celebrate our differences of perspectives and encourage creativity and bold, new ideas. Our employees enjoy generous benefits, including a robust education assistance program, unparalleled retirement contributions, and a healthy work/life balance. APL's campus is located in the Baltimore-Washington metro area. Learn more about our career opportunities at http://www.jhuapl.edu/careers.
All qualified applicants will receive consideration for employment without regard to race, creed, color, religion, sex, gender identity or expression, sexual orientation, national origin, age, physical or mental disability, genetic information, veteran status, occupation, marital or familial status, political opinion, personal appearance, or any other characteristic protected by applicable law. APL is committed to providing reasonable accommodation to individuals of all abilities, including those with disabilities. If you require a reasonable accommodation to participate in any part of the hiring process, please contact Accommodations@jhuapl.edu.
The referenced pay range is based on JHU APL's good faith belief at the time of posting. Actual compensation may vary based on factors such as geographic location, work experience, market conditions, education/training and skill level with consideration for internal parity. For salaried employees scheduled to work less than 40 hours per week, annual salary will be prorated based on the number of hours worked. APL may offer bonuses or other forms of compensation per internal policy and/or contractual designation. Additional compensation may be provided in the form of a sign-on bonus, relocation benefits, locality allowance or discretionary payments for exceptional performance. APL provides eligible staff with a comprehensive benefits package including retirement plans, paid time off, medical, dental, vision, life insurance, short-term disability, long-term disability, flexible spending accounts, education assistance, and training and development. Applications are accepted on a rolling basis.
Minimum Rate
$100,000 Annually
Maximum Rate
$227,500 Annually