Vulnerability and Patch Management Coordinator
Edgewater Federal Solutions, Inc. - Vancouver, WA
Job Description
Job Locations: US-WA-Vancouver
ID: 2025-4214
Category: Information Technology
Type: Full Time

Overview

Edgewater's Vulnerability and Patch Management Coordinator supports the discovery, tracking, risk prioritization, and closure verification of software and configuration vulnerabilities across BPA's Operational Technology environments. The successful candidate executes within the BPA Vulnerability Management Procedure, prioritizes CISA Known Exploited Vulnerabilities (KEVs), manages ChangeGear IRs, coordinates with Resource Managers (RMs), and administers the vulnerability waiver process, producing the weekly/monthly deliverables.

Deliverables include weekly technical risk and vulnerability assessments and weekly evaluations/recommendations; monthly best practice guides focused on vulnerability identification, tracking, KEV handling, waiver hygiene, and evidence sufficiency; and vulnerability source lists, dashboards, and metrics to support continuous improvement.

Secret or L clearance needed to be considered.

Responsibilities

- Vulnerability discovery and prioritization
- Patch program coordination
- Ticket creation and management
- KEV administration
- Verification and closure
- Reporting and best practices: Deliver weekly technical risk and vulnerability assessments and weekly evaluations/recommendations; produce monthly best practice guides focused on vulnerability identification, tracking, KEV handling, waiver hygiene, and evidence sufficiency; maintain vulnerability source lists, dashboards, and metrics to support continuous improvement.

Qualifications

- 2-5+ years of relevant experience in vulnerability management within government, regulated, or critical infrastructure environments, including:
  - Documenting vulnerability assessments, mitigation plans, and vulnerability-related analysis.
  - Managing vulnerability tickets and evidence through change/CM processes to closure.
- Working knowledge of:
  - NIST SP 800-53r5 System and Information Integrity; FISMA concepts; NERC CIP context for vulnerability due dates and evidence.
  - CISA KEV catalog, CVE/CVSS, and vulnerability due date management.
- Tool proficiency:
  - Splunk (Vulnerability Assessment App), Nessus (or equivalent), ChangeGear (or similar ITSM/IR), and CMS baselining; ability to relate RFCs as evidence.
- Strong coordination, documentation, and stakeholder communication skills.
- Ability to obtain and maintain DOE/BPA access; complete BPA trainings; maintain network access per cadence requirements.

Preferred Qualifications

- 2-5+ years of vulnerability coordination in OT/ICS, utility/energy, or other highly regulated environments.
- Experience running waiver processes (eligibility, approvals, expirations) and KEV escalations.
- Certifications: Security+, CySA+, GSEC, ITIL, Splunk, Tenable/Nessus, or equivalent.

Deliverables and Measures of Success

- Weekly: formally documented technical risk and vulnerability assessments; evaluations and recommendations accepted by COR/FI
- As needed: mitigation plans for vulnerabilities (when required by procedure) with complete, auditable evidence
- Monthly: best practice guides focused on vulnerability management
- Performance metrics:
  - KEV and critical vulnerability timelines met; accurate ticket fields (CVE/CVSS/KEV/due dates)
  - Proper RFC relation and CMS baseline verification prior to closure (CIP/Production); Nessus verification for non-CIP after two scans
  - Timely waiver processing and proactive expiration notifications

Work Conditions

Primarily onsite at BPA's Dittmer Control Center; work may align to m
Created: 2025-12-05