Vulnerability and Patch Management Program Lead

Vulnerability and Patch Management Program Lead

FULL TIME IN Vancouver WA

Secret or L clearance needed to be considered.

• Delivery ownership and quality assurance
• Own the master delivery schedule and acceptance of all contract outputs:
• Create Weekly technical risk and vulnerability assessments 
• Create Weekly evaluations and recommendations
• Develop as-needed mitigation plans for vulnerabilities 
• Develop/Update Monthly best practice guides 
• Enforce acceptance criteria, conduct internal quality reviews, and manage any required resubmissions
• Maintain audit-ready evidence and complete traceability from discovery to closure
• Translate BPA policies and procedures into practical workflows and checklists for the team
• Oversee weekly discovery using Splunk Vulnerability Assessment dashboards; validate scope, applicability, severity (CVSS), and KEV status
• Coordinate with the Patch Program Manager, Patch Coordinators, and Resource Managers (RMs) to plan, schedule, and verify remediation activities
• Ensure correct use of approved workflows and tools (e.g., Ivanti, SCCM, Puppet/Yum, Cisco CSPC/SolarWinds; Windows Offline where applicable)
• Verify remediation
• Support the Vulnerability Waiver process, shepherd approvals with the ISO/ISSO, and track expirations with required 60/30/14/7-day notifications
• Coordinate extension packages for mitigation plan due dates requiring CIP Senior Manager approval; maintain risk/issue logs and decision records
• Serve as primary interface to Governance, JD ISO/ISSO, CIP Senior Manager, RMs, N-SOC/Dispatch (as needed), and the COR/FI
• Lead status meetings; provide clear written updates, decision briefs, and risk/impact communications
• Coach team members and stakeholders on procedures, evidence standards, and best practice 
• Produce and submit all weekly and monthly deliverables on time and in the required formats
• Maintain program metrics: KEV and critical SLA adherence, due-date accuracy, backlog burn-down, ticket quality (CVE/CVSS/KEV fields), RFC/CMS linkage integrity, waiver hygiene
• Maintain patch source lists and schedules; author monthly best practice guides and propose process improvements.

Qualifications

• 5+ years experience with vulnerability and/or patch management programs in government, critical infrastructure, or regulated environments
• CISSP certification
• Demonstrated experience delivering:
• Weekly vulnerability assessments and recommendations, monthly best practice guides, and as-needed mitigation plans that meet formal acceptance criteria
• End-to-end ticket lifecycle management in an ITSM (e.g., ChangeGear) with rigorous evidence and change control linkage
• Strong working knowledge of:
• NIST SP 800-53r5 System and Information Integrity, NIST SP 800-40r4 patch lifecycle, FISMA, and NERC CIP-007-6 R2
• CISA KEV catalog, CVE/CVSS scoring, and due-date/SLA management
• Tool proficiency:
• Splunk (Vulnerability Assessment App), Nessus (or equivalent), ChangeGear IRs, RFC/change management, and CMS baselining
• Familiarity with one or more patch tools: Ivanti, SCCM, Puppet/Yum, Cisco CSPC/SolarWinds, and offline Windows workflows
• Excellent written and verbal communication skills, including the ability to produce clear, formal deliverables and present actionable guidance to technical and executive stakeholders

Preferred Qualifications:

• Experience in OT/ICS or utility/energy sector programs
• Direct familiarity with BPA governance, Vulnerability Management Procedure, and OT Patch Program Plan
• Certifications: Security+, CySA+, CISSP, GSEC, ITIL, PMP, Splunk, Tenable/Nessus, Microsoft, Linux, or Cisco.

Measures of Success:

• 100% on-time delivery of weekly and monthly outputs; ≥95% first-pass acceptance by COR/FI
• KEV and critical vulnerability due dates consistently met; accurate ticket data and complete RFC/CMS evidence at closure
• Documented reduction in vulnerability backlog and improved patching cycle efficiency
• Clear, consistent stakeholder communications and positive feedback from governance and operations

Work Conditions:

• Primarily onsite at BPA’s Dittmer Control Center; work may align to maintenance windows to minimize operational impact
• Minimal travel; no foreign travel. Must comply with BPA safety, information protection, and access policies