Compliance and Continuous Monitoring Engineer - Vulnerability Management (Top Secret Clearance)

Who we are:

ShorePoint is a fast-growing, industry recognized and award-winning cybersecurity services firm with a focus on high-profile, high-threat, private and public-sector customers who demand experience and proven security models to protect their data. ShorePoint subscribes to a “work hard, play hard” mentality and celebrates individual and company successes. We are passionate about our mission and going above and beyond to deliver for our customers. We are equally passionate about an environment that supports creativity, accountability, diversity, inclusion and a focus on giving back to our community. 

The Perks:

As recognized members of the Cyber Elite, we work together in partnership to defend our nation’s critical infrastructure while building meaningful and exciting career development opportunities in a culture tailored to the individuals technical and professional growth. We are committed to the belief that our team members do their best work when they are happy and well cared for. In support of this philosophy, we offer a comprehensive benefits package, including major carriers for health care providers. Highlighted benefits offered: 144 hours of PTO, 11 holidays, 85% of insurance premium covered, 401k, continued education, certifications maintenance and reimbursement and more.

Who we’re looking for:

We are seeking Compliance and Continuous Monitoring Engineer - Vulnerability Management (Top Secret Clearance) with expertise in security assessments, vulnerability management and continuous monitoring. The ideal candidate will support assessment and authorization activities, conduct technical security evaluations and ensure enterprise systems remain compliant with federal cybersecurity standards. The Compliance and Continuous Monitoring Engineer (Vulnerability Management) role will provide hands-on scanning, reporting and compliance support to strengthen the enterprise cybersecurity posture. This is a unique opportunity to shape the growth, development and culture of an exciting and fast-growing company in the cybersecurity market.

What you’ll be doing:

Work closely with organizations to ensure full comprehension of security controls; conduct site visits as required.

Assist with compliance assessments using tailored control matrices; provide expert assessment support.

Conduct annual reviews of security controls to ensure continued compliance.

Establish footholds on endpoints to provide day-to-day visibility into enterprise security posture.

Develop and maintain processes and best practices for evaluating assessment and authorization data.

Use industry-standard automation tools to review system configurations and security control compliance.

Conduct NIST control assessments in support of system authorization and continuous monitoring.

Develop and maintain Security Assessment Reports (SARs) and Risk Assessment Reports (RARs).

Employ a scan-patch-scan methodology to ensure proper remediation of vulnerabilities.

Conduct vulnerability scanning on a weekly to bi-weekly basis using industry-standard tools.

Report scan data to system administrators to support timely remediation.

Perform false positive and vulnerability analysis to validate findings and prioritize remediation.

Configure applications to ingest, process and report vulnerability data from assessments and self-assessments.

Conduct long-term trend analysis to identify changes in enterprise security posture.

Provide dashboard views and executive-level reports to communicate risk, vulnerability and compliance posture.

Configure authenticated and unauthenticated scans of web servers (e.g., Apache, IIS) to identify vulnerabilities such as outdated software, misconfigurations, exposed services and SSL/TLS weaknesses.

Assess both in-house and COTS web applications to identify OWASP Top 10 risks, including SQL injection, cross-site scripting (XSS) and insecure HTTP headers.

Lead technical troubleshooting sessions with administrators and leadership to analyze findings, validate issues and drive remediation efforts.

Maintain a general understanding of network architecture diagrams to support vulnerability analysis and remediation planning.

What you need to know:

Strong understanding of federal frameworks including NIST 800-53 and 800-53A.

Knowledge of SANS and OWASP Top 10 vulnerabilities and best practices.

Ability to synthesize and analyze large volumes of vulnerability and scan data.

Ability to clearly articulate findings in written and verbal form.

Must have’s:

Bachelor’s degree in Cybersecurity, Computer Science, Information Systems, Mathematics, Engineering or a related field or additional 10+ years of IT experience in lieu of degree.

One or more of the following certifications: (ISC)2 Certified Information Security Professional (CISSP), GIAC, GCIA or GCIH

Proven ability to analyze complex requirements and translate them into clear, actionable tasks and processes through critical thinking.

Ability to perform vulnerability and compliance assessments on all devices identified during enterprise network scans, including operating systems oracle and MySQL databases and web applications.

Proficiency with enterprise-class scanning tools such as Tenable Nessus and Tenable Security Center, database scanning tools such as AppDetective and DbProtect and web scanning tools such as Web Inspect, with strong knowledge of security best practices and common vulnerabilities for each technology, including SANS and OWASP Top 10.

Experience performing enterprise-level assessment scanning of networks, databases and web applications.

Ability to configure and perform host, port and service discoveries on large enterprise networks and identify target operating systems and applications or services from discovery results.

Proficiency in configuring, troubleshooting and administering Tenable Security Center, Tenable Nessus standalone, AppDetective and Web Inspect.

Strong understanding of security policies used by intelligence organizations, as well as NIST guidelines (e.g., 800-53 and 800-53A).

Ability to think critically and creatively and to synthesize and analyze large volumes of scan data.

Strong written and verbal communication skills with the ability to present findings clearly and comprehensively.

Applicants must possess an Top-Secret clearance with SCI eligibility and ability to pass a Counterintelligence (CI) polygraph.

Beneficial to have:

Experience with open-source and commercial testing tools, including Nessus, NMAP, AppDetective, Hailstorm, Guardium and Web Inspect.

Where it’s done:

Onsite (Washington, DC.)