
System Engineer 2 (SBOM)

Tensley Consulting, Inc.

Posted today

Job Requirements

Annapolis, MD
Top Secret/SCI Polygraph
Career Level not specified
$190,000 - $220,000

Job Description

The Software Analyst supports the mission of the National Information Assurance Partnership (NIAP) by conducting in-depth software assurance and Software Bill of Materials (SBOM) analysis of commercial technologies seeking evaluation, authorization, or deployment within National Security Systems (NSS) and other sensitive U.S. Government environments.

This role focuses heavily on software supply chain transparency, software provenance, open-source software (OSS) risk analysis, vulnerability identification, and vendor cybersecurity practices. The analyst evaluates software components, dependencies, development practices, and third-party supplier risks to identify potential threats to the confidentiality, integrity, and availability of government systems.

The position requires strong technical analysis, cybersecurity knowledge, and the ability to assess software ecosystems from both a security and supply chain perspective.

Key Responsibilities

• Conduct Software Bill of Materials (SBOM) analysis on commercial software products, platforms, and applications undergoing evaluation or review.

• Analyze software dependencies, transitive dependencies, and third-party libraries to identify supply chain risks and hidden software exposure.

• Review and validate SBOM formats and standards including:

○ SPDX

○ CycloneDX

○ SWID tags

• Assess software provenance, code lineage, package integrity, and software component authenticity.

• Identify known vulnerabilities and software weaknesses through:

○ CVE analysis

○ CISA Known Exploited Vulnerabilities (KEV) catalog review

○ Vulnerability databases

○ Threat intelligence sources

• Evaluate risks associated with:

○ Open-source software (OSS)

○ Foreign-developed software components

○ Unsupported or end-of-life dependencies

○ Unmaintained libraries

○ Software obfuscation or lack of transparency

• Perform secure software supply chain assessments aligned with:

○ NIST Secure Software Development Framework (SSDF, SP 800-218)

○ Executive Order 14028

○ Federal software assurance guidance

○ NIAP protection profile requirements

• Conduct due diligence research on software vendors, developers, maintainers, and software ecosystems.

• Analyze vendor secure development practices including:

○ Secure coding methodologies

○ Build pipeline security

○ CI/CD protections

○ Dependency management

○ Patch management

○ Code signing

• Review software development and deployment architectures for potential supply chain attack vectors.

• Support Common Criteria evaluations and software assurance activities through technical risk analysis and supply chain assessments.

• Produce technical reports, analytical findings, risk summaries, and executive-level briefings related to software supply chain security.

• Collaborate with government, industry, evaluation labs, and cybersecurity stakeholders to improve software assurance practices and SBOM utilization.

• Monitor emerging software supply chain threats, malware campaigns, dependency compromise incidents, and malicious package activity.
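The responsibilities above name the core of an SBOM review: validate the document, resolve direct and transitive dependencies, and match components against advisory, KEV and end-of-life data. The script below is an added example of that workflow over a CycloneDX JSON document; it is not code from Tensley Consulting or NIAP. The SBOM, the advisory table (placeholder IDs, not real CVEs) and the end-of-life list are all constructed inline so it runs offline; in practice the advisory and EOL sources would be the NVD, the CISA KEV catalog and vendor lifecycle data.

```python
"""Walk a CycloneDX JSON SBOM: validate it, resolve transitive
dependencies, and flag components with advisories or EOL status.

Added example with constructed data; placeholder advisory IDs only."""
import json
from collections import deque

# Constructed CycloneDX 1.4-style document. Includes a listed-but-unwired
# component (dev-tool) and a dependsOn reference to a component that is not
# declared (missing@1.0), two common SBOM quality defects worth surfacing.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:generic/app@1.0",
                               "type": "application", "name": "app", "version": "1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/web-fw@2.3.1", "type": "library", "name": "web-fw",
         "version": "2.3.1", "purl": "pkg:pypi/web-fw@2.3.1"},
        {"bom-ref": "pkg:pypi/tmpl-lib@1.9.0", "type": "library", "name": "tmpl-lib",
         "version": "1.9.0", "purl": "pkg:pypi/tmpl-lib@1.9.0"},
        {"bom-ref": "pkg:pypi/old-xml@0.4.2", "type": "library", "name": "old-xml",
         "version": "0.4.2", "purl": "pkg:pypi/old-xml@0.4.2"},
        {"bom-ref": "pkg:pypi/dev-tool@3.0.0", "type": "library", "name": "dev-tool",
         "version": "3.0.0", "purl": "pkg:pypi/dev-tool@3.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/app@1.0", "dependsOn": ["pkg:pypi/web-fw@2.3.1"]},
        {"ref": "pkg:pypi/web-fw@2.3.1", "dependsOn": ["pkg:pypi/tmpl-lib@1.9.0",
                                                       "pkg:pypi/old-xml@0.4.2",
                                                       "pkg:pypi/missing@1.0"]},
        {"ref": "pkg:pypi/tmpl-lib@1.9.0", "dependsOn": []},
    ],
})

# Constructed advisory table keyed by purl. IDs are placeholders, not CVEs.
ADVISORIES = {
    "pkg:pypi/tmpl-lib@1.9.0": [{"id": "EXAMPLE-0001", "in_kev": True}],
    "pkg:pypi/old-xml@0.4.2": [{"id": "EXAMPLE-0002", "in_kev": False}],
}
# Constructed end-of-life list (by component name).
EOL_COMPONENTS = {"old-xml"}


def load_sbom(text):
    """Parse a CycloneDX JSON document and check the fields this walk relies on."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    for comp in sbom.get("components", []):
        if not all(k in comp for k in ("bom-ref", "name", "version")):
            raise ValueError("component missing bom-ref/name/version: %r" % comp)
    return sbom


def build_graph(sbom):
    """Return (root ref, adjacency dict, set of refs that resolve to nothing)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    known = {root} | {c["bom-ref"] for c in sbom.get("components", [])}
    graph = {ref: [] for ref in known}
    dangling = set()
    for entry in sbom.get("dependencies", []):
        if entry["ref"] not in known:
            dangling.add(entry["ref"])
            continue
        for dep in entry.get("dependsOn", []):
            (graph[entry["ref"]].append if dep in known else dangling.add)(dep)
    return root, graph, dangling


def reachable_depths(graph, root):
    """BFS from the product: depth 1 = direct dependency, >1 = transitive."""
    depths, queue = {root: 0}, deque([root])
    while queue:
        cur = queue.popleft()
        for dep in graph[cur]:
            if dep not in depths:
                depths[dep] = depths[cur] + 1
                queue.append(dep)
    return depths


def assess(sbom_text, advisories, eol_names):
    """Produce one finding per declared component, riskiest first."""
    sbom = load_sbom(sbom_text)
    root, graph, dangling = build_graph(sbom)
    depths = reachable_depths(graph, root)
    findings = []
    for comp in sbom.get("components", []):
        advs = advisories.get(comp.get("purl", comp["bom-ref"]), [])
        findings.append({
            "ref": comp["bom-ref"],
            "depth": depths.get(comp["bom-ref"]),  # None: declared but not in the graph
            "advisories": [a["id"] for a in advs],
            "kev": any(a["in_kev"] for a in advs),
            "eol": comp["name"] in eol_names,
        })
    findings.sort(key=lambda f: (not f["kev"], not f["advisories"], not f["eol"], f["ref"]))
    return {"findings": findings, "dangling_refs": sorted(dangling)}


if __name__ == "__main__":
    report = assess(SAMPLE_SBOM, ADVISORIES, EOL_COMPONENTS)
    for f in report["findings"]:
        print("%-28s depth=%-4s kev=%-5s eol=%-5s %s" % (
            f["ref"], f["depth"], f["kev"], f["eol"], ",".join(f["advisories"]) or "-"))
    print("dangling refs:", report["dangling_refs"])
```

Two details matter in review work. A component with `depth` of `None` was declared but never wired into the dependency graph, so the SBOM's own account of what ships is incomplete; a dangling `dependsOn` reference is the inverse defect, a dependency the producer admits to but never describes. Both are validation findings to raise with the vendor before any vulnerability matching is trusted.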

Security Clearance Requirements

• TS/SCI with polygraph required at start.

Preferred Education & Certifications

• Fourteen (14) years of experience as a systems engineer (SE) on programs and contracts of similar scope, type and complexity is required. A bachelor's degree in Systems Engineering, Computer Science, Information Systems, Engineering Science, Engineering Management, or a related discipline from an accredited college or university is required. Five (5) years of additional SE experience may be substituted for the bachelor's degree.

• Preferred certifications may include:

○ CISSP

○ CSSLP

○ Security+

○ GIAC certifications

○ Certified SCRM Professional

○ Cloud security certifications

○ Application security certifications

Salary: $190,000-$220,000. This represents the typical salary range for this position, but is not guaranteed. Salary is based on experience, location and contractual requirements which could fall outside of the range listed.
About Us
Tensley Consulting Inc. is a Service-Disabled Veteran-Owned Small Business focused on mission engineering in support of the United States Intelligence Community and the Department of Defense. Our team consists of System Engineers, Software Engineers, Test Engineers, Signal Analysts and Intelligence Analysts.

Job Category
IT - Security
Clearance Level
Top Secret/SCI