Sr. Lead Security Engineer - FCC

cFocus Software seeks a Sr. Lead Security Engineer to join our program supporting the Federal Communications Commission (FCC). This position is on-site in Washington, DC.
Qualifications:
- Bachelor's degree in Information Technology, Cybersecurity, Computer Science, Information Technologies, or other related fields
- Certified Information Systems Security Professional (CISSP) or Information Systems Security Engineering Professional (ISSEP) certification required, and Microsoft Certified Cybersecurity Architect Expert
- 7+ years of experience performing cyber infrastructure support activities in Enterprise Cybersecurity Support government contracts
- Core competencies in Cybersecurity Engineering practices
- Possess the knowledge, skills, tasks, and capabilities described in the Work Role for Infrastructure Support (PD-WRL-004) as outlined in the NICE Work Role Framework
Duties:
- Support Identity, Credential, and Access Control Management
- Provide updates and reviews of the FCC's comprehensive Software Bill of Materials (SBOM) for all software components, including all open-source, third-party, and proprietary software
- Update the SBOM regularly to reflect any changes in the software components, including patches, updates, and new integrations
- Identify and document any known vulnerabilities associated with the components listed in the SBOM
- Ensure that all software components comply with relevant security standards and regulations
- Perform static code analysis to identify potential security vulnerabilities, coding errors, and adherence to coding standards
- Conduct dynamic code analysis to detect runtime vulnerabilities and ensure software behaves securely under various conditions
- Manually review source code to identify complex security issues that automated tools might miss
- Provide detailed recommendations for fixing identified vulnerabilities and ensure the development team understands and implements these fixes
- Maintain thorough documentation of the review process, findings, and remediation steps for future reference and audits
- Provide both internal and external security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, and network
- Identify vulnerabilities and weaknesses within FCC systems, determining exposure and complexity of exploits
- Conduct penetration testing of the enterprise IT environment
- Assess the effectiveness of security controls implemented to protect FCC systems in support of the Authorization Process and Security Impact Analysis through Change Management
- Mimic attacks of threat actors, as defined by the Cyber Threat Intelligence (CTI) Team, to assess and improve IT system resilience, SOC monitoring effectiveness, and tuning of security tools within the FCC
- Perform ad hoc, focused pen tests to validate the effectiveness of corrective actions to address identified weaknesses
- Perform Penetration Testing Services for any internal or public websites and associated systems
- Develop and execute plans that include penetration testing of all OCIO systems
- Validate remediations by re-testing all Critical and High findings identified through penetration testing
- Perform network mapping and vulnerability scanning, support phishing simulations, report findings, and make remediation recommendations
- Develop a Quarterly Penetration Testing Schedule and Annual Internal Penetration Testing Standard Operating Procedures (SOP)
Location:
Washington, DC, United States
Category:
Computer And Mathematical Occupations