
Cybersecurity Auditor - Intermediate – DOT at Nexthreat – Washington, District of Columbia

Nexthreat
Washington, District of Columbia, 20001, United States
Job Function: Accounting/Finance

About This Position

Cybersecurity Auditor - Intermediate DOT

Job Title: Cybersecurity Auditor - Intermediate
Location: Washington, DC
Job Category: Information Technology
Time Type: Full-time
Potential for Telework: offsite work granted in advance in writing by the COR
Minimum Clearance Required to Start: Must possess a DoD SECRET Clearance and be eligible for an IT-II Non-Critical Sensitive clearance or Tier 3 (T3) upon assignment
Employee Type: W2 or 1099
Citizenship: US Citizen, no Dual Citizenship

NexThreat is seeking a highly capable Cybersecurity Auditor at an Intermediate level to independently perform complex security analyses of classified and unclassified applications, systems, and enclaves to ensure compliance with security requirements. The role includes conducting Command Cyber Readiness Inspections (CCRI), cybersecurity vulnerability evaluations, and a range of security testing activities. The successful candidate will apply advanced security techniques, technologies, and tools across highly complex computer systems and networks, perform vulnerability and risk analyses, and contribute to penetration studies. This position requires deep knowledge of DoD security regulations and DISA STIGs, as well as hands-on experience with CCRI processes and penetration testing.

Key Responsibilities:

- Independently perform complex security analyses of classified and unclassified applications, systems, and enclaves to verify compliance with security requirements.
- Conduct Command Cyber Readiness Inspections (CCRI) and comprehensive cybersecurity vulnerability evaluations.
- Apply a broad set of security techniques, technologies, and tools to assess security posture in highly complex computer systems and networks.
- Perform vulnerability and risk analyses and participate in computer security penetration studies to identify and remediate security gaps.
- Analyze and define security requirements for computer and networking systems, including mainframes, workstations, and personal computers; recommend practical solutions to meet security requirements.
- Gather, organize, and interpret technical information about an organization's mission goals and needs; translate findings into actionable security improvements.
- Provide enterprise-wide technical analysis and direction for problem definition, analysis, and remediation of complex systems and enclaves.
- Deliver actionable recommendations and advice to client executive management on system improvements, optimization, and ongoing maintenance across areas, including:
  - Information Systems Architecture
  - Automation, Telecommunications, and Networking
  - Communication Protocols
  - Application Software
  - Electronic Email, VOIP, and Video Teleconferencing (VTC)

- Demonstrate competence across all phases of information systems auditing, from planning and scoping to evidence collection, testing, reporting, and follow-up.
- Prepare clear, concise audit reports and executive summaries with prioritized remediation plans and realistic timelines.
- Collaborate with cross-functional teams (IT, security, operations, and management) to implement and validate corrective actions.
- Stay current with evolving cybersecurity threats, controls, standards, and regulatory requirements to maintain audit readiness.

Qualifications:

Proven Expertise and Experience

- Demonstrated proficiency in performing CCRI, vulnerability assessments, and penetration testing on networks, databases, computer applications, and IT frameworks.
- Seven years of IT experience.
- Five years of IA (Information Assurance) experience.
- Strong analytical and problem-solving skills for resolving security issues.
- Strong skills in implementing and configuring networks and network components.

CCRI and Technical Specializations

- Command Cyber Readiness Inspection (CCRI) experience in at least one of the following areas:
  - Nessus scan analysis
  - Operating Systems (Windows, Unix)
  - Boundary defense (network policy, router, firewall)
  - Internal defense (L2/L3 switches)
  - DNS policy and DNS servers (BIND/Windows)
  - HBSS (remote console, AV, ABM, PA, HIPS, ePO)
  - Traditional security (Common, Basic, NCV, SCV)
  - Wireless communications (BES, handhelds)
  - Tenable Certified Nessus Auditor

- Knowledge and understanding of DoD security regulations and DISA Security Technical Implementation Guides (STIGs)
- Understanding of SCAP (Security Content Automation Protocol)

Tools, Technologies, and Domains

- Familiarity with and proficiency in:
  - Vulnerability assessment tools (e.g., VULNERATOR, Nessus, SCCM)
  - USCYBERCOM CTO Compliance Program
  - Wireless vulnerability assessment
  - Web services (IIS, Apache, Proxy)
  - Databases (SQL Server, Oracle)
  - Email services (Exchange)
  - Vulnerability scans (NESSUS, SCCM)
  - Phishing exercises
  - Container image scans
  - USB security detection
  - Physical security considerations

- Familiarity with the AUTOCHECKLIST Tool (for audit checklists and evidence collection)

Security Clearances and Certifications:

- Must possess a DoD SECRET Clearance and be eligible for an IT-II Non-Critical Sensitive clearance or Tier 3 (T3) upon assignment.
- Certified in one or more of the following penetration testing certifications (or equivalent):
  - Licensed Penetration Tester (LPT)
  - Certified Expert Penetration Tester (CEPT)
  - Certified Ethical Hacker (CEH)
  - GIAC Penetration Tester (GPEN)
- Familiarity with being a DISA Risk Management Executive, and capable of serving as a Certified CCRI Team Lead in the Cyber Standards Branch (as applicable).

Education:
- Bachelor's degree in Information Security, Computer Science, Cybersecurity, or a related field (or equivalent practical experience).
