Job Details
Comtech LLC is seeking an experienced Security Analyst (Risk & Reporting) to support the PSD Database Penetration Testing Project for the Vermont Agency of Digital Services (ADS).
This role will be responsible for assessing, analyzing, and reporting on vulnerabilities discovered through penetration tests, as well as developing comprehensive risk documentation in alignment with NIST and FISMA standards. The analyst will serve as the key liaison between the technical testing team and ADS leadership, transforming complex security findings into actionable, risk-ranked insights.
The Security Analyst (Risk & Reporting) will be responsible for tasks including but not limited to:
- Analyze penetration testing and vulnerability assessment results to determine impact, likelihood, and remediation priorities using CVSS (Common Vulnerability Scoring System) methodologies.
- Develop detailed Risk Analysis Reports, Executive Summaries, and Remediation Recommendations tailored to different stakeholder audiences (technical and non-technical).
- Track and report vulnerabilities, trends, and mitigation progress throughout the engagement lifecycle.
- Evaluate identified issues for compliance with NIST SP 800-53, NIST SP 800-115, and FISMA controls.
- Perform threat modeling, risk categorization, and vulnerability trending analysis to assist in long-term risk mitigation strategies.
- Work closely with the Lead Penetration Tester and Database Security Specialist to validate findings, document technical details, and confirm remediation effectiveness.
- Develop and maintain dashboards, vulnerability registers, and compliance matrices aligned with ADS reporting formats.
- Ensure all documentation and findings meet state and federal reporting requirements for IT security assessments.
- Support the creation of Risk Acceptance Reports and Security Posture Improvement Plans to help ADS leadership prioritize mitigation efforts.
- Contribute to final project deliverables including the Comprehensive Risk Assessment Report, Mitigation Validation Plan, and Post-Test Summary Report.
Required Qualifications - Security Analyst (Risk & Reporting)
M1. Bachelor's degree in Cybersecurity, Computer Science, Information Systems, or a related technical discipline (or equivalent experience).
M2. 6+ years of experience in vulnerability assessment, risk analysis, or IT security auditing.
M3. Proven ability to translate complex technical vulnerabilities into clear, concise, and actionable risk statements.
M4. Strong understanding of CVSS v3.x scoring models, NIST RMF, and FISMA-aligned risk management practices.
M5. Experience working with SIEM, vulnerability scanners (e.g., Nessus, Qualys, OpenVAS), and ticketing systems (e.g., ServiceNow, Jira).
M6. Excellent technical writing skills, including the ability to produce polished executive-level reports and metrics dashboards.
M7. Working knowledge of network, application, and database vulnerabilities and corresponding remediation strategies.
M8. Familiarity with FedRAMP, FISMA, and CIS Controls.
M9. Experience working collaboratively within penetration testing or red team engagements to ensure consistent documentation and follow-through on findings.
M10. Exceptional attention to detail, data accuracy, and communication skills.
Mandatory Certifications - Security Analyst (Risk & Reporting)
C1. GIAC Certified Incident Handler (GCIH) or equivalent (e.g., GCIA, GSEC, CEH, or CISSP)
C2. Certified in Risk and Information Systems Control (CRISC)
C3. CompTIA Security+
C4. Certified Information Systems Auditor (CISA)