TestPros

Cyber Vulnerability Assessment Analyst SME with TS/SCI

Remote (with travel), VA - Full Time

Company Overview

TestPros is a successful and growing business, established in 1988 to provide Information Technology (IT) technical support services to a wide range of Commercial and U.S. Federal, State, and Local Government customers. Our capabilities include Program Management, Program Oversight, Process Audit, Intelligence Analysis, Cyber Security, NIST SP 800-171 Assessment and Compliance, Computer Forensics, Software Assurance, Software Testing, Test Automation, Section 508 and WCAG Accessibility Assessment, Localization Testing, Independent Verification and Validation (IV&V), Quality Assurance (QA), Compliance, and Research and Development (R&D) services. TestPros is an Equal Opportunity Employer.

TestPros delivers innovative independent IT assessment solutions to critical challenges facing the nation and the world.  We support the U.S. Federal Government and Commercial clients within the continental USA. TestPros is dedicated to making lives better, safer and more secure.

Job Summary

TestPros is seeking a Cyber Vulnerability Assessment Analyst SME to support a Federal cyber security program.

Position: Full-time

Citizenship: U.S. Citizenship

Job Title: 

Location: Remote with travel; Potential on-site meetings in Arlington, VA or Pensacola, FL

Security Clearance: Top Secret SCI (or secret clearable to TS/SCI)

Project overview: 

POA&M Management
The POA&M tracker lists mitigation and milestones with completion dates and serves to track
the resolution of vulnerabilities and non-compliance with security controls identified during
assessments and at any point during the system's life cycle. The Contractor shall provide a
mechanism for vulnerability and POA&M management. The status must be updated on a weekly
basis. Recommendation for closure is based on changes made to the system to remediate issues
or to mitigate the risks with the necessaiy suppo1ting evidence presented for resolution. The
Contractor shall prepare a detailed weekly status of all activities, including status of open/closed
action items, POA&M status/milestones, and any other pertinent data points as requested by the
Government.

Vulnerability lManagement
The Contractor shall perform management of technical and policy related findings as a result of
compliance, vulnerability, and penetration testing and internal reviews. The Contractor must
meet with product and service teams as required to track progress and serve as a security subject
matter expe1t on issues requiring clarification and resolution. The Contractor shall provide
guidance to ensure vulnerabilities are prioritized, fixed, mitigated, or risk accepted. The
Contractor shall deliver remediation tracking for all outstanding issues using an automated
process to manage results, trending, and report. Risk mitigation strategies, recommendations, and
applicable security controls must be documented and must include cost effective solutions that
suppot mission goals.

Security Review of System Changes
The Contractor shall review change requests to ensure the proposed changes are in accordance
with all security requirements in effect at the time of the change request. The contractor must
provide a recommendation to the Government as to whether the change request should be
approved, approved with certain conditions, or disapproved citing the reason for disapproval.
The Contractor shall maintain a reposito1y where eve1y change request is stored along with the
analysis performed by the contract for each change request. The Contractor shall also caphll"e
and store pe1tinent a1tifacts for each change request in a location commensurate with the
classification level of the artifacts. The Contractor shall prepare a detailed weekly status of all
activities, including status of change requests, open/closed action items, and any other pe1tinent
data points as request by the Government.

Comprehensive Security Technical Documentation
Activities related to managing organizational and program risk are paramount to an effective
information security program especially for complex information systems. The Contractor shall
work with the product and service teams throughout the RMF process. The Contractor shall
perform reviews of the policies, procedures, and related documentation currently maintained by
program staff to identify missing or outdated documentation. Subsequent reviews should be
performed on an annual basis at a minimum or as directed by the Government. In suppo1t of this
activity, the Contractor shall develop and maintain documentation as required by security
controls outlined in NIST 800-53a which include the following:
• Program policies and common controls
• Standard Operating Procedures (SOPs)/Guides
• Program common controls
• Security artifacts and a1tifact templates, and
• Concept of Operations (CONOPS)
• Other security-related technical documentation as directed by the Government.
The Contractor shall update the aforementioned processes, procedures, and other living
documents as needed and create new work products to fill identified gaps. The Contractor shall
review and provide guidance for documentation developed by the service and product teams
ensuring that these work products are completed following NIST guidance, commercial best
practices, and the applicable federal policies. The Contractor shall provide guidance to service
and product teams for security information systems in accordance with CNSSI 1253, and NIST
SP 800-30, 800-37, 800-39, 800-137. The Contractor shall review work products, including
security artifacts to ensure that the target is secured/documented appropriately (i.e., in
accordance with CISA and DRS-defined security requirements) and that the documentation
reflects and properly addresses CISA and DHS security requirements. In addition, the Contractor
shall support service and product teams with the selection and tailoring of security controls
appropriate to the information system and the system's security objectives for confidentiality,
integrity, and availability in accordance with NIST and CNSS guidance. The Contractor shall
perform this iteratively throughout the system life cycle. The Government shall make the final
determination as to the work product that is considered acceptable.
A scheme for storing and managing all documentation must be developed and/or maintained
under this contract and, as appropriate, disseminated via mechanisms such as Microsoft
SharePoint. The tools and methods selected to perform this function must be approved by the
COR/GOV POC prior to implementation if different than the tools currently in use.

Additional activities include ML Security Operations, Offensive Security, risk assessments, consistent communication, and detailed technical documentation.

Responsibilities and Duties:

The SME Cyber Vulnerability Assessment Analyst is responsible for leading penetration testing, developing advanced security scenarios and testing systems against those scenarios, developing advanced security architectures for the implementation of custom countermeasures, provides security considerations to advise system engineering teams with the objective to reduce errors, flaws, and weaknesses that may constitute security vulnerability, performing advanced code analysis, and performing advanced protocol analysis for nation-state and state-sponsored cyber threat actor capabilities.

Required skills:
  • 10+ years of proven experience as a Security Engineer with supervisory/leadership abilities to oversee large teams responsible for planning, analyzing, implementing, and maintaining many different projects.
  • This individual must have experience assessing security implementation of cloud and hybrid environments to include pipelines, applications and services
  • Experience ensuring an industry best practice implementation utilizing agile practices for scanning and end to end vulnerability remediation 
  • Expert in all information security planning, compliance and risk management, manage teams, ensure they have appropriate skill sets, and tie the teams and results together;
  • experience in identify vulnerabilities and understand and recommend countermeasures
  • Experience with analyzing the network to determine if appropriate security is applied; possess and apply knowledge NIST RMF;
  • Developed and implemented test plans and ensure execution; and evaluates the costs and benefits of security functions and considerations from analysis of alternatives, engineering trade-offs and risk treatment decisions. 
  • The SME Cyber Vulnerability Assessment Analyst requires an active clearance up to TS/SCI security clearance.

Preferred Qualifications and Skills

  • Agency experience (ideally DHS CISA)
  • Cyber program experience
  • SAFe and DevSecOps experience

.

Benefits

TestPros offers a competitive salary, medical/dental/vision insurance, life insurance, paid time off, paid holidays, 401(k) retirement plan with company match, opportunities for professional growth, cell phone discounts, and much more! All benefits are per TestPros current policies and are subject to change without notice.  Benefits are available to full-time employees.​

TestPros, Inc. is an Equal Opportunity Employer.

EEO Statement

All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, sexual orientation, gender identity, marital status, age, national origin, protected veteran status, or disability. VEVRAA Federal Contractor.

Apply: Cyber Vulnerability Assessment Analyst SME with TS/SCI
* Required fields
First name*
Last name*
Email address*
Location
Phone number*
Resume*

Attach resume as .pdf, .doc, .docx, .odt, .txt, or .rtf (limit 5MB) or paste resume

Paste your resume here or attach resume file

Desired salary*
Do you have a TS/SCI?*
Do you have 10+ years of proven experience as a Security Engineer?*
DO you have certifications?*
Do you have CISA/DHS experience?*
The following questions are entirely optional.
To comply with government Equal Employment Opportunity and/or Affirmative Action reporting regulations, we are requesting (but NOT requiring) that you enter this personal data. This information will not be used in connection with any employment decisions, and will be used solely as permitted by state and federal law. Your voluntary cooperation would be appreciated. Learn more.
Gender
Race/Ethnicity

Invitation for Job Applicants to Self-Identify as a U.S. Veteran
  • A “disabled veteran” is one of the following:
    • a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or
    • a person who was discharged or released from active duty because of a service-connected disability.
  • A “recently separated veteran” means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.
  • An “active duty wartime or campaign badge veteran” means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.
  • An “Armed forces service medal veteran” means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.
Veteran status
I IDENTIFY AS ONE OR MORE OF THE CLASSIFICATIONS OF PROTECTED VETERAN LISTED ABOVE
I AM NOT A PROTECTED VETERAN
I DON’T WISH TO ANSWER

Voluntary Self-Identification of Disability
Voluntary Self-Identification of Disability Form CC-305
OMB Control Number 1250-0005
Expires 04/30/2026
Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury
Please check one of the boxes below:
YES, I HAVE A DISABILITY, OR HAVE HAD ONE IN THE PAST
NO, I DO NOT HAVE A DISABILITY AND HAVE NOT HAD ONE IN THE PAST
I DO NOT WANT TO ANSWER

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.

Name Date
Human Check*