Vulnerability and Patch Management Program Lead

Job Locations: US-WA-Vancouver
ID: 2025-4215
Category: Information Technology
Type: Full Time

Overview

Edgewater’s Vulnerability and Patch Management Program Lead will serve as the single point of accountability for planning, executing, and assuring all task order deliverables. In this role you will lead the day-to-day vulnerability and patch program activities, ensure strict adherence to the Vulnerability Management Procedures and the Patch Program Plan, and deliver high-quality, auditable outputs on time. The Lead coordinates across governance, security, and operational stakeholders, communicates clearly and frequently, and maintains rigorous documentation and metrics to meet the acceptance criteria defined by the COR/Field Inspector. A Secret or L clearance is required to be considered.

Responsibilities

  • Delivery ownership and quality assurance: own the master delivery schedule and acceptance of all contract outputs, including
      • Weekly technical risk and vulnerability assessments
      • Weekly evaluations and recommendations
      • As-needed mitigation plans for vulnerabilities
      • Monthly best practice guides (develop and update)
  • Enforce acceptance criteria, conduct internal quality reviews, and manage any required resubmissions 
  • Maintain audit-ready evidence and complete traceability from discovery to closure 
  • Translate BPA policies and procedures into practical workflows and checklists for the team 
  • Oversee weekly discovery using Splunk Vulnerability Assessment dashboards; validate scope, applicability, severity (CVSS), and KEV status 
  • Coordinate with the Patch Program Manager, Patch Coordinators, and Resource Managers (RMs) to plan, schedule, and verify remediation activities 
  • Ensure correct use of approved workflows and tools (e.g., Ivanti, SCCM, Puppet/Yum, Cisco CSPC/SolarWinds; Windows Offline where applicable) 
  • Verify remediation 
  • Support the Vulnerability Waiver process, shepherd approvals with the ISO/ISSO, and track expirations with required 60/30/14/7-day notifications 
  • Coordinate extension packages for mitigation plan due dates requiring CIP Senior Manager approval; maintain risk/issue logs and decision records 
  • Serve as primary interface to Governance, JD ISO/ISSO, CIP Senior Manager, RMs, N-SOC/Dispatch (as needed), and the COR/FI 
  • Lead status meetings; provide clear written updates, decision briefs, and risk/impact communications 
  • Coach team members and stakeholders on procedures, evidence standards, and best practice  
  • Produce and submit all weekly and monthly deliverables on time and in the required formats 
  • Maintain program metrics: KEV and critical SLA adherence, due-date accuracy, backlog burn-down, ticket quality (CVE/CVSS/KEV fields), RFC/CMS linkage integrity, waiver hygiene 
  • Maintain patch source lists and schedules; author monthly best practice guides and propose process improvements. 
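
The metrics and waiver-tracking duties in the list above, as an added example that is not Edgewater's or BPA's code: a small Python model that assigns due dates by KEV status and CVSS, scores KEV/critical SLA adherence, flags ticket-quality gaps (CVE/CVSS fields, RFC/CMS linkage at closure), and places a waiver against the 60/30/14/7-day notification schedule. The SLA lengths, severity cut-offs, field names, the KEV sample set and every ticket and CVE identifier are assumptions constructed for the example; the posting states the 60/30/14/7-day lead times but not the SLA lengths.

```python
"""Added example, not Edgewater's or BPA's code: a small model of the program
metrics and waiver notifications described above, run over constructed
findings. SLA lengths, severity cut-offs, field names and the KEV sample are
assumptions made for the example."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows (days from discovery); the posting names KEV and
# critical SLAs but not their length, so these values are illustrative only.
SLA_DAYS = {"kev": 14, "critical": 30, "high": 60, "medium": 90, "low": 180}
WAIVER_NOTICE_DAYS = (60, 30, 14, 7)   # lead times named in the posting
KEV_SAMPLE = {"CVE-2024-0001", "CVE-2023-0002"}  # constructed stand-in, not real KEV data
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

@dataclass
class Finding:
    ticket: str                 # ITSM ticket id
    cve: str
    cvss: float | None          # None models a missing field
    discovered: date
    closed: date | None = None
    rfc: str | None = None      # linked change record
    cms_evidence: bool = False  # post-remediation baseline evidence attached

    def severity(self) -> str:
        """KEV membership outranks CVSS: a low-scored KEV entry is still 'kev'."""
        if self.cve in KEV_SAMPLE:
            return "kev"
        score = self.cvss or 0.0
        return ("critical" if score >= 9.0 else "high" if score >= 7.0
                else "medium" if score >= 4.0 else "low")

    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity()])

def sla_adherence(findings: list[Finding], today: date) -> dict:
    """KEV/critical adherence: closed on or before due is met; closed late or
    open past due is missed; open and not yet due is excluded from the rate."""
    met = missed = 0
    for f in findings:
        if f.severity() not in ("kev", "critical"):
            continue
        if f.closed is not None:
            if f.closed <= f.due():
                met += 1
            else:
                missed += 1
        elif today > f.due():
            missed += 1
    total = met + missed
    return {"met": met, "missed": missed,
            "rate": round(met / total, 3) if total else None}

def ticket_quality_issues(findings: list[Finding]) -> dict[str, list[str]]:
    """Field checks from the posting's metrics: CVE/CVSS populated and well
    formed, and RFC/CMS evidence linked before a ticket is closed."""
    issues: dict[str, list[str]] = {}
    for f in findings:
        problems = []
        if not CVE_RE.match(f.cve):
            problems.append("bad CVE id")
        if f.cvss is None or not 0.0 <= f.cvss <= 10.0:
            problems.append("bad CVSS")
        if f.closed is not None and not f.rfc:
            problems.append("no RFC linked")
        if f.closed is not None and not f.cms_evidence:
            problems.append("no CMS evidence")
        if problems:
            issues[f.ticket] = problems
    return issues

def waiver_status(expires: date, today: date) -> dict:
    """Where a waiver sits against the 60/30/14/7-day notification schedule."""
    days_left = (expires - today).days
    pending = [d for d in WAIVER_NOTICE_DAYS if days_left > d]
    return {"days_left": days_left, "expired": days_left < 0,
            "notices_due": [d for d in WAIVER_NOTICE_DAYS if days_left <= d],
            "next_notice": expires - timedelta(days=pending[0]) if pending else None}

def demo(today: date = date(2025, 6, 30)) -> dict:
    """Constructed findings; ticket and CVE ids are illustrative."""
    findings = [
        Finding("IR-1001", "CVE-2024-0001", 9.8, date(2025, 6, 1),   # KEV, closed day 9: met
                closed=date(2025, 6, 10), rfc="RFC-42", cms_evidence=True),
        Finding("IR-1002", "CVE-2024-1234", 9.1, date(2025, 5, 1),   # critical, closed late: missed
                closed=date(2025, 6, 5), rfc="RFC-43", cms_evidence=True),
        Finding("IR-1003", "CVE-2024-5678", 7.5, date(2025, 6, 20)),  # high, open: excluded
        Finding("IR-1004", "CVE-2023-0002", 5.0, date(2025, 6, 1)),   # KEV at CVSS 5.0, overdue: missed
        Finding("IR-1005", "CVE-2024-9999", None, date(2025, 6, 25),  # closed without CVSS/RFC/CMS
                closed=date(2025, 6, 28)),
    ]
    return {"sla": sla_adherence(findings, today),
            "quality": ticket_quality_issues(findings),
            "waiver": waiver_status(date(2025, 7, 20), today)}
```

Running demo() on the constructed data gives one met and two missed KEV/critical items (a 0.333 rate), one ticket closed without CVSS, RFC or CMS evidence, and a waiver 20 days from expiry whose 60- and 30-day notices are already due and whose 14-day notice falls on 6 July. Two design points worth keeping in a real tracker: KEV membership sets the due date regardless of CVSS, and open items that are not yet due are excluded from the adherence rate rather than counted as met, so the number cannot be flattered by a growing backlog.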

Qualifications

  • 5+ years experience with vulnerability and/or patch management programs in government, critical infrastructure, or regulated environments 
  • Demonstrated experience delivering:
      • Weekly vulnerability assessments and recommendations, monthly best practice guides, and as-needed mitigation plans that meet formal acceptance criteria
      • End-to-end ticket lifecycle management in an ITSM (e.g., ChangeGear) with rigorous evidence and change control linkage
  • Strong working knowledge of:
      • NIST SP 800-53r5 System and Information Integrity, NIST SP 800-40r4 patch lifecycle, FISMA, and NERC CIP-007-6 R2
      • CISA KEV catalog, CVE/CVSS scoring, and due-date/SLA management
  • Tool proficiency:
      • Splunk (Vulnerability Assessment App), Nessus (or equivalent), ChangeGear IRs, RFC/change management, and CMS baselining
      • Familiarity with one or more patch tools: Ivanti, SCCM, Puppet/Yum, Cisco CSPC/SolarWinds, and offline Windows workflows
  • Excellent written and verbal communication skills, including the ability to produce clear, formal deliverables and present actionable guidance to technical and executive stakeholders 


Preferred Qualifications: 

  • Experience in OT/ICS or utility/energy sector programs 
  • Direct familiarity with BPA governance, Vulnerability Management Procedure, and OT Patch Program Plan 
  • Certifications: Security+, CySA+, CISSP, GSEC, ITIL, PMP, Splunk, Tenable/Nessus, Microsoft, Linux, or Cisco. 


Measures of Success: 

  • 100% on-time delivery of weekly and monthly outputs; ≥95% first-pass acceptance by COR/FI 
  • KEV and critical vulnerability due dates consistently met; accurate ticket data and complete RFC/CMS evidence at closure 
  • Documented reduction in vulnerability backlog and improved patching cycle efficiency 
  • Clear, consistent stakeholder communications and positive feedback from governance and operations 


Work Conditions: 

  • Primarily onsite at BPA’s Dittmer Control Center; work may align to maintenance windows to minimize operational impact 
  • Minimal travel; no foreign travel. Must comply with BPA safety, information protection, and access policies 


About Us:  

Edgewater Federal Solutions is a privately held government contracting firm located near Frederick, MD. The company was founded in 2002 with the vision of being highly recognized and admired for supporting customer missions through employee empowerment, exceptional services, and timely delivery. Edgewater is ISO 9001, 20000-1, 27001 certified, appraised at CMMI Level 3 Maturity for Development and Services, and has been named in the Top Workplaces in the Greater Washington Area Small Companies for 2018 through 2025. 


It has been and continues to be the policy of Edgewater Federal Solutions to provide equal employment opportunities to all employees and applicants for employment without regard to race, color, religion, gender, sexual orientation, national origin, age, disability, marital status, veteran status, and/or other status protected by applicable law. 
