CDAO - IT Cybersecurity Specialist

Under Secretary of War for Research & Engineering | Arlington, VA
$139,395 - $191,900 | Onsite

About The Position

The Chief Digital and Artificial Intelligence Office (CDAO) supports the Office of the Under Secretary of War for Research and Engineering (OUSW(R&E)) by delivering secure, reliable, and scalable capabilities that enable mission-critical decision-making across the Department of Defense. As a Security Control Assessor within the CDAO, you will be at the forefront of the Department's cyber defense strategy. In this senior role, you will drive the Risk Management Framework (RMF) process and execute comprehensive, independent assessments of complex enterprise systems, network enclaves, and dynamic cloud architectures. You will serve as a strategic advisor to Authorizing Officials, Program Managers, and Information System Owners, translating complex national and federal cybersecurity policies—including NIST SP 800-53, FISMA, and FedRAMP—into actionable compliance and mitigation strategies.

This position demands expertise in advanced cybersecurity principles, Zero Trust network architectures, and comprehensive vulnerability management. You will be responsible for evaluating sophisticated threat landscapes, managing Plans of Action and Milestones (POA&Ms), and establishing robust continuous monitoring processes to ensure that evolving system architectures do not introduce unacceptable risks to the mission environment. By aggressively validating security controls, conducting rigorous independent audits, and analyzing residual risks, your technical evaluations will directly secure critical infrastructure and support the Interim Authority to Test (IATT) and Authorization to Operate (ATO) decisions vital to national security operations.

This position is covered by the Department of Defense (DoD) Civilian Acquisition Workforce Personnel Demonstration Project (AcqDemo). The position is located in Washington, DC. The pay plan and broadband level for this role is NH-2210-04, which is equivalent to the GS-14/15 grade level.
This role will close for submissions on June 3rd, 2026 at 11:59:59pm.

Requirements

  • U.S. Citizenship is required.
  • Candidates are encouraged to include an e-portfolio, project samples, GitHub links, etc. in their submission package.
  • Males born after 12-31-59 must be registered or exempt from Selective Service https://www.sss.gov/Home/Registration
  • This position is subject to provisions of the WHS/OSD Priority Placement Program (please see details below)
  • Applicants for employment are covered by federal laws and Presidential Executive Orders designed to safeguard federal employees and job applicants from discrimination based on race, color, religion, sex (including pregnancy, gender identity, and sexual orientation), parental status, national origin, age, disability, genetic information (including family medical history), political affiliation, military service, or other non-merit-based factors
  • A three-year trial period may be required if you have not previously completed a trial or probationary period in the excepted or competitive service.
  • Must be determined suitable for federal employment.
  • Required to participate in the direct deposit program.
  • This position is subject to pre-employment and random drug testing.
  • We may use this announcement to fill additional vacancies within 90 days of the closing date.
  • Recruitment, relocation, or retention incentives may be authorized based on the availability of funds.
  • This position is being recruited under 10 USC 1599f into the Cyber Excepted Service and does NOT convey eligibility to be converted to the Competitive Service.
  • For more information on the Cyber Excepted Service Personnel System, click here https://public.cyber.mil/cw/dod-cyber-excepted-service-ces/
  • This position requires a Top Secret/ Sensitive Compartmented Information (SCI) security clearance.
  • Because this position is in the Cyber Excepted Service, Veterans' Preference will be applied to preference-eligible candidates, as defined by Section 2108 of the Title 5 U.S.C. in accordance with the procedures provided in DoD Instruction
  • If you are a veteran claiming veteran's preference, as defined by Section 2108 of Title 5 U.S.C., you must submit documents verifying your eligibility with your application package.
  • This position may require work other than normal duty hours, which may include evenings, weekends, and/or holidays and/or mandatory overtime.
  • This position may occasionally require travel away from the normal duty station via military or commercial aircraft.
  • Military Spouse Preference (MSP) Eligible: Military Spouse Preference applicants must be selected and placed at the highest grade level for which they have applied and been determined best qualified, up to and including the full performance level. You must include a completed copy of the Military Spouse PPP Self-Certification Checklist dated within 30 days, along with the documents identified on the checklist, to verify your eligibility for Military Spouse Preference. https://acpol2.army.mil/chra_dodea/PPP_MSP_self_certification_checklist.pdf
  • Military Reserve (MR) and National Guard (NG) Technicians PPP Eligible: MR and NG technicians PPP applicants must be selected and placed at the full performance level if determined well qualified. You must include a completed copy of the Military Reserve and National Guard Technician PPP Self-Certification Checklist to verify your eligibility for Military Reserve and National Guard Technician preference. https://www.dcpas.osd.mil/sites/default/files/military_reserve_and_guard_tech_ppp_self_cert_checklist.pdf
  • Military Reserve (MR) and National Guard (NG) Technicians Receiving Disability Retirement PPP Eligible: MR and NG technicians receiving disability retirement PPP applicants must be selected and placed at the full performance level if determined well qualified. You must include a completed copy of the Military Reserve and National Guard Technician Disability PPP Self-Certification Checklist to verify your eligibility for Military Reserve and National Guard Technician Disability preference. https://www.dcpas.osd.mil/sites/default/files/military_reserve_and_guard_disability_ppp_self_cert_checklist.pdf
  • Retained Grade PPP Eligible: Retained Grade PPP applicants must be selected and placed at the full performance level if determined well qualified. You must include a completed copy of the Retained Grade PPP Self-Certification Checklist to verify your eligibility for Retained Grade preference. https://www.dcpas.osd.mil/sites/default/files/retained_grade_ppp_self_cert_checklist.pdf

Nice To Haves

  • Ensuring compliance with federal information security and privacy requirements, including implementing and assessing National Institute of Standards and Technology (NIST) Special Publication 800-53 controls, Federal Information Security Modernization Act (FISMA), and FedRAMP requirements.
  • Demonstrated knowledge of cybersecurity principles, cyber threats and vulnerabilities, risk management processes (including assessment and mitigation), and the operational impacts of cybersecurity lapses, as well as familiarity with relevant laws, regulations, and policies (Federal, DoW, and international) related to cybersecurity and critical infrastructure.
  • Proficiency in computer networking concepts and protocols, network security methodologies, network security architecture (including defense-in-depth and Zero Trust), IT security principles and methods (e.g., firewalls, encryption), and cloud computing service and deployment models (SaaS, IaaS, PaaS, private/public/hybrid/on-premises/off-premises).
  • Evaluating and validating security controls, conducting risk assessments and authorizations per the Risk Management Framework, using cyber defense and vulnerability assessment tools (including open source and penetration testing tools), and determining protection needs for information systems and networks.

Responsibilities

  • Plans and executes comprehensive independent assessments of enterprise information systems, enclaves, and cloud environments to evaluate the implementation and effectiveness of assigned NIST SP 800-53 security controls.
  • Drives the RMF process by reviewing, analyzing, and validating highly complex System Security Plans (SSPs), Security Assessment Reports (SARs), and other required authorization documentation to support Interim Authority to Test (IATT) and Authorization to Operate (ATO) decisions.
  • Analyzes vulnerability scan results, penetration testing reports, and threat intelligence to determine the residual risk to the mission environment. Identifies systemic security issues across multiple systems or networks.
  • Evaluates and approves Plans of Action and Milestones (POA&Ms) proposed by Information System Owners. Assesses the feasibility and effectiveness of technical remediation strategies to reduce the organizational attack surface.
  • Serves as a senior cybersecurity advisor to Authorizing Officials, Program Managers, and Information System Owners. Defends risk-based recommendations, briefs senior leadership on critical security vulnerabilities, and influences enterprise-wide security architecture decisions.
  • Establishes and oversees continuous monitoring strategies for authorized systems to ensure security controls remain effective over time and that any changes to the system architecture do not introduce unacceptable risks.
  • Interprets complex national, federal, and agency-level cybersecurity policies (e.g., FISMA, FedRAMP, DoD directives) and translates them into actionable assessment procedures and compliance metrics for the organization.
  • Develop and implement methods to monitor, measure, and evaluate risk, compliance, and assurance efforts; ensure systems meet IT security, resilience, and dependability requirements; and maintain and verify the currency of information systems assurance and accreditation materials.
  • Draft statements of preliminary or residual security risks for system operation, support the assessment of Privacy Impact Assessments (PIA) to ensure appropriate security controls for PII, and plan and conduct security authorization reviews while developing assurance cases for initial system and network installations.
  • Apply coding and testing standards, utilize security testing tools (such as fuzzing and static analysis), conduct code reviews, perform validation by comparing actual and expected results to identify impacts and risks, and provide technical evaluations of software, systems, or networks by documenting their security posture, capabilities, and vulnerabilities.
  • Develop specifications and processes to ensure risk, compliance, and assurance efforts conform to security, resilience, and dependability requirements at all levels (application, system, network); develop and implement independent cybersecurity audit processes for software, networks, and systems; and oversee ongoing audits to ensure compliance with organizational and mandatory requirements, verifying that staff accurately follow established procedures.
  • Recommend new or revised security, resilience, and dependability measures based on review results; verify implementation of security postures, document deviations, and recommend corrective actions; develop security compliance processes and audits for external services such as cloud providers and data centers; and, as Authorizing Official, determine the acceptability of security and privacy risks associated with operating or using systems, services, or applications, including those from external providers.