Vulnerability and Patch Management Program Lead/Coordinator
Lead vulnerability and patch management programs, ensuring strict adherence to procedures and delivering high-quality outputs on time. Manage day-to-day activities, coordinate with stakeholders, and maintain rigorous documentation and metrics. Coordinate remediation activities and ensure compliance with acceptance criteria.
Job Description
Full Time/Permanent Role only
Greetings!
This is Raghwendra from Tek Navigators, and I’m reaching out regarding an excellent job opportunity with one of Tek Navigators’ premier clients located in Vancouver, WA (onsite). I came across your profile during my search for qualified professionals and wanted to check your interest in exploring this role.
Role: Vulnerability & Patch Management Program Lead / Coordinator (2 openings)
Location: Vancouver, WA (onsite)
Secret or L clearance required to be considered
Max. salary: 150k + benefits (relocation will be paid)
Job Summary
The Vulnerability and Patch Management Program Lead will serve as the single point of accountability for planning, executing, and assuring all task order deliverables. In this role you will lead the day-to-day vulnerability and patch program activities, ensure strict adherence to the Vulnerability Management Procedures and the Patch Program Plan, and deliver high-quality, auditable outputs on time. The Lead coordinates across governance, security, and operational stakeholders, communicates clearly and frequently, and maintains rigorous documentation and metrics to meet the acceptance criteria defined by the COR/Field Inspector. Secret or L clearance is required to be considered.
Responsibilities
- Delivery ownership and quality assurance
- Own the master delivery schedule and acceptance of all contract outputs:
  - Create weekly technical risk and vulnerability assessments
  - Create weekly evaluations and recommendations
  - Develop as-needed mitigation plans for vulnerabilities
  - Develop/update monthly best practice guides
- Enforce acceptance criteria, conduct internal quality reviews, and manage any required resubmissions
- Maintain audit-ready evidence and complete traceability from discovery to closure
- Translate BPA policies and procedures into practical workflows and checklists for the team
- Oversee weekly discovery using Splunk Vulnerability Assessment dashboards; validate scope, applicability, severity (CVSS), and KEV status
- Coordinate with the Patch Program Manager, Patch Coordinators, and Resource Managers (RMs) to plan, schedule, and verify remediation activities
- Ensure correct use of approved workflows and tools (e.g., Ivanti, SCCM, Puppet/Yum, Cisco CSPC/SolarWinds; Windows Offline where applicable)
- Verify remediation
- Support the Vulnerability Waiver process, shepherd approvals with the ISO/ISSO, and track expirations with required 60/30/14/7-day notifications
- Coordinate extension packages for mitigation plan due dates requiring CIP Senior Manager approval; maintain risk/issue logs and decision records
- Serve as primary interface to Governance, JD ISO/ISSO, CIP Senior Manager, RMs, N-SOC/Dispatch (as needed), and the COR/FI
- Lead status meetings; provide clear written updates, decision briefs, and risk/impact communications
- Coach team members and stakeholders on procedures, evidence standards, and best practice
- Produce and submit all weekly and monthly deliverables on time and in the required formats
- Maintain program metrics: KEV and critical SLA adherence, due-date accuracy, backlog burn-down, ticket quality (CVE/CVSS/KEV fields), RFC/CMS linkage integrity, waiver hygiene
- Maintain patch source lists and schedules; author monthly best practice guides and propose process improvements
Qualifications
- 5+ years of experience with vulnerability and/or patch management programs in government, critical infrastructure, or regulated environments
- CISSP certification
Demonstrated experience delivering:
- Weekly vulnerability assessments and recommendations, monthly best practice guides, and as-needed mitigation plans that meet formal acceptance criteria
- End-to-end ticket lifecycle management in an ITSM (e.g., ChangeGear) with rigorous evidence and change control linkage
Strong working knowledge of:
- NIST SP 800-53r5 System and Information Integrity, NIST SP 800-40r4 patch lifecycle, FISMA, and NERC CIP-007-6 R2
- CISA KEV catalog, CVE/CVSS scoring, and due-date/SLA management
Tool proficiency:
- Splunk (Vulnerability Assessment App), Nessus (or equivalent), ChangeGear IRs, RFC/change management, and CMS baselining
- Familiarity with one or more patch tools: Ivanti, SCCM, Puppet/Yum, Cisco CSPC/SolarWinds, and offline Windows workflows
- Excellent written and verbal communication skills, including the ability to produce clear, formal deliverables and present actionable guidance to technical and executive stakeholders
Preferred Qualifications:
- Experience in OT/ICS or utility/energy sector programs
- Direct familiarity with BPA governance, Vulnerability Management Procedure, and OT Patch Program Plan
- Certifications: Security+, CySA+, CISSP, GSEC, ITIL, PMP, Splunk, Tenable/Nessus, Microsoft, Linux, or Cisco
Measures of Success:
- 100% on-time delivery of weekly and monthly outputs; ≥95% first-pass acceptance by COR/FI
- KEV and critical vulnerability due dates consistently met; accurate ticket data and complete RFC/CMS evidence at closure
- Documented reduction in vulnerability backlog and improved patching cycle efficiency
- Clear, consistent stakeholder communications and positive feedback from governance and operations
Work Conditions:
- Primarily onsite at BPA’s Dittmer Control Center; work may align to maintenance windows to minimize operational impact
- Minimal travel; no foreign travel. Must comply with BPA safety, information protection, and access policies
If this role aligns with your experience and career goals, please share your updated resume and the best time to connect.
Looking forward to hearing from you!