NLM Security Specialist I - III

Lexical Intelligence, LLC
Bethesda, MD
$90,000 - $135,000
Onsite

About The Position

Lexical Intelligence provides software and services related to processing large-scale biomedical information sources. Our Natural Language Processing (NLP) and analytics software is used by policy and decision makers to evaluate and prioritize current and emerging areas of research. We are looking for Security Specialists (I – III) to work within the National Library of Medicine (NLM), Lister Hill National Center for Biomedical Communications (LHNCBC), located at Building 38A on the NIH campus in Bethesda, MD. The Security Specialists will have experience in federal information security and compliance, vulnerability assessment and risk management, and cloud and application security operations. The Security Specialists will have a firm understanding of FISMA requirements, NIST security standards, HHS/NIH cybersecurity policies, and federal information security governance frameworks. The Security Specialists shall be able to work well within a team of multidisciplinary IT professionals including DevOps engineers, software developers, data scientists, and clinical informatics specialists. The selected applicants will be subject to a pre-employment background and reference check.

Level Descriptions

Security Specialist I – Entry to mid-level professional with foundational experience in federal information security and compliance. Works under supervision, executing defined security tasks, supporting vulnerability assessments, and contributing to compliance documentation and incident response activities. Focuses primarily on operational security support, training compliance, and assisting with ATO documentation and security scanning activities.

Security Specialist II – Mid to senior-level professional with demonstrated experience leading security activities across complex federal IT programs. Works with greater independence, managing vulnerability programs, overseeing ATO lifecycle activities, and providing technical security guidance to development and operations teams. Contributes to cloud security governance, incident response leadership, and privacy compliance programs.

Security Specialist III – Senior-level professional serving as the strategic security leader for enterprise cybersecurity programs. Provides expert guidance on security architecture, governance, and risk management across multi-team, multi-system environments. Leads enterprise ATO programs, directs incident response and breach management, and serves as the primary security liaison to senior government officials and federal security stakeholders.

Requirements

  • 4 years of relevant information security or cybersecurity experience (Security Specialist I)
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, or related fields (Security Specialist I)
  • Knowledge and practice of the Federal Information Security Modernization Act (FISMA) and related compliance frameworks (Security Specialist I)
  • Experience with NIST Special Publications including SP 800-53, SP 800-171, SP 800-88, and SP 800-64 (Security Specialist I)
  • Experience supporting or maintaining Authority to Operate (ATO) documentation and System Security Plans (SSPs) (Security Specialist I)
  • Familiarity with vulnerability scanning and management tools such as Tenable Security Center, Nessus, or Prowler (Security Specialist I)
  • Ability to identify, document, and track security vulnerabilities and support remediation within prescribed timelines (Security Specialist I)
  • Strong written and oral communication skills, including the ability to convey technical security concepts in plain language (Security Specialist I)
  • 6 years of progressive information security or cybersecurity experience in a federal or government contracting environment (Security Specialist II)
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, Cybersecurity, or related fields; advanced degree preferred (Security Specialist II)
  • Demonstrated expertise in FISMA compliance, including full lifecycle management of ATO documentation and SSP development and maintenance (Security Specialist II)
  • Advanced knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200 security categorization standards (Security Specialist II)
  • Proven experience conducting vulnerability assessments, threat identification, and penetration testing using tools such as Tenable Security Center, Prowler, Netsparker, Checkmarx, and/or OWASP-based tools (Security Specialist II)
  • Experience managing and responding to cybersecurity incidents in accordance with federal incident response policies, including reporting to CSIRC/NIH IRT within required timelines (Security Specialist II)
  • Experience administering and securing cloud environments across multiple platforms including AWS, Google Cloud (GC), and/or Microsoft Azure, including Identity and Access Management (IAM) (Security Specialist II)
  • Strong written and oral communication skills with demonstrated ability to brief senior leadership and government officials on security posture, risk, and remediation strategies (Security Specialist II)
  • 8+ years of progressive, senior-level information security or cybersecurity experience, with a significant portion in a federal government or government contracting environment (Security Specialist III)
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Cybersecurity, Information Technology, or related fields; Master's degree strongly preferred (Security Specialist III)
  • Expert-level knowledge and demonstrated leadership in FISMA compliance, including strategic oversight of ATO lifecycle management, SSP development, and continuous monitoring programs across enterprise-level federal information systems (Security Specialist III)
  • Expert knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200, with demonstrated ability to apply these frameworks to complex, multi-system environments (Security Specialist III)
  • Demonstrated experience leading enterprise vulnerability management programs, including the design and oversight of vulnerability assessment methodologies, penetration testing programs, and threat identification strategies (Security Specialist III)
  • Proven leadership in cybersecurity incident response at the enterprise level, including coordination with federal agencies such as the NIH CSIRC IRT, US-CERT, and HHS OCIO (Security Specialist III)
  • Senior-level experience architecting and securing enterprise multi-cloud environments across AWS, GC, and Microsoft Azure, including advanced IAM strategy, cloud security posture management, and FedRAMP compliance oversight (Security Specialist III)
  • Demonstrated ability to brief and advise senior government officials, CORs, Contracting Officers, ISSOs, and CISOs on enterprise security posture, risk, and strategic remediation approaches (Security Specialist III)
  • Proven experience leading and mentoring teams of security professionals and coordinating cross-functional security activities across large, complex IT programs (Security Specialist III)

Nice To Haves

  • Experience with application security scanning tools such as Netsparker, Checkmarx, or OWASP-based tools
  • Familiarity with security assessment tools and penetration testing methodologies
  • Experience supporting cloud security operations across AWS, GC, and/or Microsoft Azure environments, including IAM administration and cloud resource monitoring
  • Knowledge of container security and orchestration platforms such as Kubernetes, Docker, OpenShift, or Anthos
  • Experience with CI/CD pipeline security integration using tools such as GitLab, GitHub Actions, Nexus, or equivalent platforms
  • Familiarity with Infrastructure as Code (IaC) security practices using tools such as Terraform, Ansible, Puppet, or AWS CDK
  • Experience with monitoring and logging tools such as EFK stack, Prometheus, Grafana, or Splunk for security event analysis
  • Knowledge of HHS/NIH security policies, including HSPD-12, PIV credentialing requirements, and HHS IS2P
  • Experience with Privacy Impact Assessments (PIA), Privacy Threshold Analyses (PTA), and handling of PII and PHI in compliance with the Privacy Act, HIPAA, and applicable federal regulations
  • Familiarity with FISMA-moderate environments such as FEHRDI or equivalent federal health data systems
  • Experience with secure coding practices in accordance with US-CERT standards and OWASP guidelines
  • Familiarity with ticketing and documentation systems such as JIRA, ServiceNow, and Confluence
  • Experience with FedRAMP requirements for cloud service providers and cloud security architecture best practices
  • Familiarity with distributed computing security, including Hadoop and related open-source frameworks
  • Experience with enterprise records management and media sanitization governance in accordance with NARA policies and NIST SP 800-88
  • Experience with HHS/NIH-specific security frameworks, including the HHS Personnel Security and Suitability Program and PIV credentialing governance (For Levels II and III)
  • Experience with HIPAA business associate agreement requirements and PHI governance in federal health IT environments (For Levels II and III)
  • Relevant certifications such as CISSP, CISM, CISA, CEH, or equivalent federal security credentials (For Levels II and III)
  • Expert knowledge of FedRAMP, cloud service provider security governance, and strategic oversight of enterprise security training programs in accordance with HHS RBT requirements (For Level III)
  • Experience providing strategic security oversight for biomedical informatics, data science, and clinical data analytics programs within federal research environments (For Level III)

Responsibilities

  • Support or lead cybersecurity and risk management activities across NLM enterprise systems, networks, databases, and application development environments, ensuring alignment with FISMA, NIST, HHS, and NIH security policies and requirements
  • Assist in or manage the lifecycle of Authority to Operate (ATO) documentation and System Security Plans (SSPs), supporting annual reviews and updates in response to evolving programmatic and security requirements
  • Support or lead the design and implementation of secure computing environments in accordance with Government FISMA policies, including firewalls, intrusion detection systems, and disaster recovery planning
  • Conduct or oversee vulnerability assessments and threat identification activities; document findings and support or lead remediation efforts within prescribed timelines in accordance with HHS Policy for Vulnerability Management and POAM requirements
  • Track and manage known vulnerabilities using Tenable Security Center and related security tools, ensuring resolution in alignment with HHS vulnerability management timelines
  • Respond to or coordinate responses to all Alerts and Indicators of Compromise (IOCs) provided by the NIH CSIRC IRT teams within 24 hours, whether the response is positive or negative
  • Support or lead incident response activities for suspected and confirmed information security and privacy incidents and breaches, ensuring reporting to the NIH IRT within one (1) hour of discovery and coordinating all required follow-up actions in accordance with HHS, NIH, and US-CERT policies
  • Assist in or oversee the protection of Controlled Unclassified Information (CUI) in accordance with Executive Order 13556, NIST SP 800-171, and applicable regulations, ensuring CUI is marked appropriately, disclosed on a need-to-know basis, and protected or destroyed in accordance with NIST SP 800-88
  • Ensure all sensitive federal data and information, including PII, PHI, and proprietary information, is encrypted in transit and at rest using FIPS 140-2/140-3 validated encryption solutions
  • Support or provide security management and oversight to identify and address security vulnerabilities in both Windows and Linux systems
  • Assist in or lead secure coding quality assurance activities in accordance with US-CERT standards and OWASP guidelines
  • Support or oversee the security of FISMA-moderate environments such as FEHRDI, ensuring that systems handling sensitive clinical and health-related data comply with all applicable security and privacy requirements
  • Assist in or lead Privacy Impact Assessments (PIA) and Privacy Threshold Analyses (PTA) in coordination with the NIH Office of the Senior Official for Privacy, ensuring assessments are reviewed and updated at least every three years or upon major system changes or new PII collection
  • Support or oversee media sanitization activities in accordance with NIST SP 800-88 at contract closeout and as directed throughout the contract period
  • Complete mandatory annual HHS/NIH Information Security Awareness, Privacy, and Records Management training prior to beginning work and annually thereafter; maintain and submit training records within required timelines
  • Adhere to HHS Information Technology General Rules of Behavior and applicable Rules of Behavior for Privileged Users, obtaining and maintaining signed acknowledgments at contract initiation and annually thereafter
  • Complete and maintain required Non-Disclosure Agreements (NDAs) for access to non-public government information prior to performing work under the contract
  • Support or manage the submission and maintenance of contractor staff rosters and background investigation documentation in accordance with contract timelines and requirements
  • Assist in or provide technical guidance to ensure that all developed ICT solutions meet Section 508 accessibility requirements and HHS digital accessibility conformance standards
  • Support or lead the coordination of authenticated and unauthenticated vulnerability scanning activities across operating systems, networks, databases, and web applications using NIST SCAP-compliant tools
  • Identify themselves as contractor personnel in all contract-related meetings, communications, and correspondence in accordance with contract requirements
  • Contribute to monthly activity and financial status reports, providing security program updates to the Program Manager and COR as directed
  • Manage the full lifecycle of ATO documentation and SSPs, ensuring annual reviews, continuous monitoring activities, and updates in response to evolving programmatic, threat, and regulatory requirements (Security Specialist II)
  • Lead vulnerability assessment and penetration testing programs, presenting findings to senior leadership and government officials and managing enterprise-wide remediation activities (Security Specialist II)
  • Provide technical security guidance to development teams, advising on secure architecture design, application security reviews, and full SDLC security integration (Security Specialist II)
  • Lead cloud security operations across AWS, GC, and Azure platforms, including advanced IAM administration, cloud security posture management, and monitoring of cloud resource efficiency and security effectiveness (Security Specialist II)
  • Develop, review, and maintain Incident and Breach Response Plans (IRP) in accordance with HHS/NIH, OMB, and US-CERT requirements (Security Specialist II)
  • Coordinate with ISSOs, CISOs, and federal security officials on security posture, risk assessments, and compliance activities (Security Specialist II)
  • Lead privacy governance activities, overseeing PIA and PTA processes and ensuring compliance with Privacy Act, HIPAA Rules, and applicable HHS policies (Security Specialist II)
  • Oversee the integration of security controls within CI/CD pipelines, IaC frameworks, and containerized environments, ensuring DevSecOps principles are embedded throughout the software delivery lifecycle (Security Specialist II)
  • Contribute to the development and delivery of role-based cybersecurity training programs in accordance with HHS policy and the HHS Role-Based Training Memorandum (Security Specialist II)
  • Provide technical mentorship to Security Specialist I staff, reviewing security assessments and coordinating security activities across cross-functional teams (Security Specialist II)
  • Support records management and data governance activities, ensuring compliance with NARA policies, HHS Agency Records Control Schedules, and applicable federal records management laws (Security Specialist II)
  • Serve as the senior cybersecurity subject matter expert and strategic leader for all information security activities across the NLM/LHNCBC contract, providing expert guidance to the Program Manager, government officials, and cross-functional technical teams (Security Specialist III)
  • Architect and oversee the implementation of enterprise security programs across on-premises, hybrid, and multi-cloud infrastructures in alignment with FISMA, NIST, HHS, and NIH security governance frameworks (Security Specialist III)
  • Lead enterprise cloud security architecture strategy across AWS, GC, and Azure platforms, including advanced IAM governance, FedRAMP compliance oversight, and cloud security posture management at scale (Security Specialist III)
  • Direct enterprise cybersecurity incident response activities, establishing and maintaining coordinated relationships with NIH CSIRC IRT, HHS OCIO, US-CERT, and other federal stakeholders; manage complex breach investigations and ensure organizational readiness and continuous improvement (Security Specialist III)
  • Lead enterprise encryption governance, ensuring all sensitive federal data is encrypted using FIPS 140-2/140-3 validated solutions and maintaining key management practices in accordance with HHS standards (Security Specialist III)
  • Oversee the strategic integration of security controls within DevSecOps pipelines, IaC frameworks, and containerized environments at enterprise scale (Security Specialist III)
  • Lead enterprise privacy governance programs, providing strategic oversight of PIA and PTA activities and serving as the primary liaison to NIH privacy officials on all contract-related privacy matters (Security Specialist III)
  • Direct enterprise security training and awareness programs, ensuring all contractor and subcontractor personnel complete mandatory training and overseeing role-based training for personnel with significant security responsibilities (Security Specialist III)
  • Lead post-incident analysis activities, producing comprehensive post-incident reports including root cause analysis, lessons learned, and strategic recommendations for vulnerability mitigation and program improvement (Security Specialist III)
  • Mentor and provide strategic leadership to Security Specialist I and II staff, establishing performance standards, professional development pathways, and technical excellence frameworks across the security team (Security Specialist III)
  • Lead security transition planning activities, ensuring comprehensive documentation, knowledge transfer, and security continuity planning are completed in advance of contract transitions in accordance with the approved transition-out plan (Security Specialist III)
  • Serve as the primary point of coordination between the contractor security team and government security officials, including ISSOs, CISOs, the NIH Office of the SOP, and the HHS OCIO, on all matters related to enterprise security posture, risk management, and compliance (Security Specialist III)

Benefits

  • full health and dental for you and your dependents
  • retirement and HSA accounts
  • short- and long-term disability insurance
  • life and accident insurance
  • paid time off
  • 11 federal holidays
© 2026 Teal Labs, Inc