Vulnerability Management Analyst

Work set-up: Full Remote
Experience: Entry-level / graduate

Offer summary

Qualifications:

  • Minimum of three years' experience in vulnerability or risk management.
  • Experience working with software engineering or DevOps teams on vulnerability remediation.
  • Knowledge of FedRAMP security requirements and compliance processes.
  • Familiarity with cloud and container environments such as EKS, ECS, or Kubernetes.

Key responsibilities:

  • Evaluate deviation and risk acceptance requests, confirming technical details and proposed controls.
  • Collaborate with engineering teams to understand constraints and document remediation plans.
  • Draft and process risk acceptance forms and manage the exception workflow through approval stages.
  • Maintain and update exception records, runbooks, and integrate tools for tracking deviation statuses.

Bee Talent Solutions (Startup) http://www.beetalentsolutions.com
11 - 50 Employees

Job description

The FedRAMP Vulnerability Management Analyst is a contract role focused on reviewing vulnerability deviation requests and working directly with engineering and development teams to ensure timely remediation or formal approval of exceptions within a FedRAMP authorized SaaS environment. The analyst keeps the exception workflow moving by validating requests, guiding teams on compensating controls, and updating program artifacts while maturing policies and procedures that support continuous compliance.

Responsibilities:

  • Receive and evaluate deviation and risk acceptance requests; confirm CVSS scores, affected assets, and proposed compensating controls.
  • Meet with engineers and developers to understand technical constraints, agree on remediation timelines, and document alternative solutions that satisfy FedRAMP Moderate or High requirements.
  • Draft or refine risk acceptance forms and POA&M entries; shepherd each request through security, compliance, and Authorizing Official approval.
  • Maintain an up-to-date exception register with owners, due dates, and re-validation checkpoints; remind stakeholders as deadlines approach.
  • Update vulnerability management runbooks, service level agreements, and playbooks to reflect the approved deviation handling process and any new tooling integrations.
  • Help integrate scanners or ticketing systems such as Prisma Cloud, Tenable, Qualys, and Jira so deviation status is captured and tracked automatically.
  • Advise engineering teams on FedRAMP control requirements, acceptable compensating controls, and best practices for patching or mitigating findings.
  • Support audits by supplying requested evidence and context prepared by the compliance team.

Requirements:

  • At least three years in vulnerability or risk management.
  • Prior coordination with software engineering or DevOps teams on vulnerability remediation is strongly preferred.
  • Experience with container and cloud environments such as EKS, ECS, or Kubernetes is beneficial.

Required profile

Experience

Level of experience: Entry-level / graduate
Spoken language(s): English

Other Skills

  • Teamwork
  • Communication
  • Problem Solving