NLM Security Specialist I - III

Lexical Intelligence LLC

$80K — $120K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 4-8 years of progressive information security experience, depending on level
  • Bachelor's or advanced degree in Computer Science, Information Security, or related field is preferred
  • Expertise in FISMA compliance and NIST security standards including relevant Special Publications
  • Experience with vulnerability management tools and cybersecurity incident response
  • Strong written and verbal communication skills for conveying technical concepts

Responsibilities

  • Support cybersecurity and risk management for NLM enterprise systems
  • Manage lifecycle and compliance of ATO documentation and System Security Plans
  • Lead vulnerability assessments and ensure timely remediation
  • Oversee incident response for cybersecurity breaches, coordinating with NIH IRT
  • Engage in secure coding practices and assessments in alignment with US-CERT standards

Benefits

  • Work in a prestigious institution at NIH
  • Collaborate with multidisciplinary IT professionals
  • Contribute to national health informatics projects
  • Participate in continuous professional development opportunities
  • Flexible working environment with potential for remote work options
Full Job Description
Security Specialist I - III

We are looking for Security Specialists (I - III) to work within the National Library of Medicine (NLM), Lister Hill National Center for Biomedical Communications (LHNCBC), located at Building 38A on the NIH campus in Bethesda, MD. The Security Specialists will have experience in federal information security and compliance, vulnerability assessment and risk management, and cloud and application security operations. The Security Specialists will have a firm understanding of FISMA requirements, NIST security standards, HHS/NIH cybersecurity policies, and federal information security governance frameworks. The Security Specialists shall be able to work well within a team of multidisciplinary IT professionals including DevOps engineers, software developers, data scientists, and clinical informatics specialists. The selected applicants will be subject to a pre-employment background and reference check.

Level Descriptions

Security Specialist I - Entry to mid-level professional with foundational experience in federal information security and compliance. Works under supervision, executing defined security tasks, supporting vulnerability assessments, and contributing to compliance documentation and incident response activities. Focuses primarily on operational security support, training compliance, and assisting with ATO documentation and security scanning activities.

Security Specialist II - Mid to senior-level professional with demonstrated experience leading security activities across complex federal IT programs. Works with greater independence, managing vulnerability programs, overseeing ATO lifecycle activities, and providing technical security guidance to development and operations teams. Contributes to cloud security governance, incident response leadership, and privacy compliance programs.

Security Specialist III - Senior-level professional serving as the strategic security leader for enterprise cybersecurity programs. Provides expert guidance on security architecture, governance, and risk management across multi-team, multi-system environments. Leads enterprise ATO programs, directs incident response and breach management, and serves as the primary security liaison to senior government officials and federal security stakeholders.

Required Qualifications

Security Specialist I

  • 4 years of relevant information security or cybersecurity experience
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, or related fields
  • Knowledge and practice of the Federal Information Security Modernization Act (FISMA) and related compliance frameworks
  • Experience with NIST Special Publications including SP 800-53, SP 800-171, SP 800-88, and SP 800-64
  • Experience supporting or maintaining Authority to Operate (ATO) documentation and System Security Plans (SSPs)
  • Familiarity with vulnerability scanning and management tools such as Tenable Security Center, Nessus, or Prowler
  • Ability to identify, document, and track security vulnerabilities and support remediation within prescribed timelines
  • Strong written and oral communication skills, including the ability to convey technical security concepts in plain language

Security Specialist II

  • 6 years of progressive information security or cybersecurity experience in a federal or government contracting environment
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, Cybersecurity, or related fields; advanced degree preferred
  • Demonstrated expertise in FISMA compliance, including full lifecycle management of ATO documentation and SSP development and maintenance
  • Advanced knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200 security categorization standards
  • Proven experience conducting vulnerability assessments, threat identification, and penetration testing using tools such as Tenable Security Center, Prowler, Netsparker, Checkmarx, and/or OWASP-based tools
  • Experience managing and responding to cybersecurity incidents in accordance with federal incident response policies, including reporting to CSIRC/NIH IRT within required timelines
  • Experience administering and securing cloud environments across multiple platforms including AWS, Google Cloud (GC), and/or Microsoft Azure, including Identity and Access Management (IAM)
  • Strong written and oral communication skills with demonstrated ability to brief senior leadership and government officials on security posture, risk, and remediation strategies

Security Specialist III

  • 8+ years of progressive, senior-level information security or cybersecurity experience, with a significant portion in a federal government or government contracting environment
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Cybersecurity, Information Technology, or related fields; Master's degree strongly preferred
  • Expert-level knowledge and demonstrated leadership in FISMA compliance, including strategic oversight of ATO lifecycle management, SSP development, and continuous monitoring programs across enterprise-level federal information systems
  • Expert knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200, with demonstrated ability to apply these frameworks to complex, multi-system environments
  • Demonstrated experience leading enterprise vulnerability management programs, including the design and oversight of vulnerability assessment methodologies, penetration testing programs, and threat identification strategies
  • Proven leadership in cybersecurity incident response at the enterprise level, including coordination with federal agencies such as the NIH CSIRC IRT, US-CERT, and HHS OCIO
  • Senior-level experience architecting and securing enterprise multi-cloud environments across AWS, GC, and Microsoft Azure, including advanced IAM strategy, cloud security posture management, and FedRAMP compliance oversight
  • Demonstrated ability to brief and advise senior government officials, CORs, Contracting Officers, ISSOs, and CISOs on enterprise security posture, risk, and strategic remediation approaches
  • Proven experience leading and mentoring teams of security professionals and coordinating cross-functional security activities across large, complex IT programs

Preferred Qualifications

  • Experience with application security scanning tools such as Netsparker, Checkmarx, or OWASP-based tools
  • Familiarity with security assessment tools and penetration testing methodologies
  • Experience supporting cloud security operations across AWS, GC, and/or Microsoft Azure environments, including IAM administration and cloud resource monitoring
  • Knowledge of container security and orchestration platforms such as Kubernetes, Docker, OpenShift, or Anthos
  • Experience with CI/CD pipeline security integration using tools such as GitLab, GitHub Actions, Nexus, or equivalent platforms
  • Familiarity with Infrastructure as Code (IaC) security practices using tools such as Terraform, Ansible, Puppet, or AWS CDK
  • Experience with monitoring and logging tools such as EFK stack, Prometheus, Grafana, or Splunk for security event analysis
  • Knowledge of HHS/NIH security policies, including HSPD-12, PIV credentialing requirements, and HHS IS2P
  • Experience with Privacy Impact Assessments (PIA), Privacy Threshold Analyses (PTA), and handling of PII and PHI in compliance with the Privacy Act, HIPAA, and applicable federal regulations
  • Familiarity with FISMA-moderate environments such as FEHRDI or equivalent federal health data systems
  • Experience with secure coding practices in accordance with US-CERT standards and OWASP guidelines
  • Familiarity with ticketing and documentation systems such as JIRA, ServiceNow, and Confluence
  • Experience with FedRAMP requirements for cloud service providers and cloud security architecture best practices
  • Familiarity with distributed computing security, including Hadoop and related open-source frameworks
  • Experience with enterprise records management and media sanitization governance in accordance with NARA policies and NIST SP 800-88
  • (For Levels II and III) Experience with HHS/NIH-specific security frameworks, including the HHS Personnel Security and Suitability Program and PIV credentialing governance
  • (For Levels II and III) Experience with HIPAA business associate agreement requirements and PHI governance in federal health IT environments
  • (For Levels II and III) Relevant certifications such as CISSP, CISM, CISA, CEH, or equivalent federal security credentials
  • (For Level III) Expert knowledge of FedRAMP, cloud service provider security governance, and strategic oversight of enterprise security training programs in accordance with HHS RBT requirements
  • (For Level III) Experience providing strategic security oversight for biomedical informatics, data science, and clinical data analytics programs within federal research environments

Responsibilities

All Levels

  • Support or lead cybersecurity and risk management activities across NLM enterprise systems, networks, databases, and application development environments, ensuring alignment with FISMA, NIST, HHS, and NIH security policies and requirements
  • Assist in or manage the lifecycle of Authority to Operate (ATO) documentation and System Security Plans (SSPs), supporting annual reviews and updates in response to evolving programmatic and security requirements
  • Support or lead the design and implementation of secure computing environments in accordance with Government FISMA policies, including firewalls, intrusion detection systems, and disaster recovery planning
  • Conduct or oversee vulnerability assessments and threat identification activities; document findings and support or lead remediation efforts within prescribed timelines in accordance with HHS Policy for Vulnerability Management and POAM requirements
  • Track and manage known vulnerabilities using Tenable Security Center and related security tools, ensuring resolution in alignment with HHS vulnerability management timelines
  • Respond to or coordinate responses to all Alerts and Indicators of Compromise (IOCs) provided by the NIH CSIRC IRT teams within 24 hours, whether the response is positive or negative
  • Support or lead incident response activities for suspected and confirmed information security and privacy incidents and breaches, ensuring reporting to the NIH IRT within one (1) hour of discovery and coordinating all required follow-up actions in accordance with HHS, NIH, and US-CERT policies
  • Assist in or oversee the protection of Controlled Unclassified Information (CUI) in accordance with Executive Order 13556, NIST SP 800-171, and applicable regulations, ensuring CUI is marked appropriately, disclosed on a need-to-know basis, and protected or destroyed in accordance with NIST SP 800-88
  • Ensure all sensitive federal data and information, including PII, PHI, and proprietary information, is encrypted in transit and at rest using FIPS 140-2/140-3 validated encryption solutions
  • Support or provide security management and oversight to identify and address security vulnerabilities in both Windows and Linux systems
  • Assist in or lead secure coding quality assurance activities in accordance with US-CERT standards and OWASP guidelines
  • Support or oversee the security of FISMA-moderate environments such as FEHRDI, ensuring that systems handling sensitive clinical and health-related data comply with all applicable security and privacy requirements
  • Assist in or lead Privacy Impact Assessments (PIA) and Privacy Threshold Analyses (PTA) in coordination with the NIH Office of the Senior Official for Privacy, ensuring assessments are reviewed and updated at least every three years or upon major system changes or new PII collection
  • Support or oversee media sanitization activities in accordance with NIST SP 800-88 at contract closeout and as directed throughout the contract period
  • Complete mandatory annual HHS/NIH Information Security Awareness, Privacy, and Records Management training prior to beginning work and annually thereafter; maintain and submit training records within required timelines
  • Adhere to HHS Information Technology General Rules of Behavior and applicable Rules of Behavior for Privileged Users, obtaining and maintaining signed acknowledgments at contract initiation and annually thereafter
  • Complete and maintain required Non-Disclosure Agreements (NDAs) for access to non-public government information prior to performing work under the contract
  • Support or manage the submission and maintenance of contractor staff rosters and background investigation documentation in accordance with contract timelines and requirements
  • Assist in or provide technical guidance to ensure that all developed ICT solutions meet Section 508 accessibility requirements and HHS digital accessibility conformance standards
  • Support or lead the coordination of authenticated and unauthenticated vulnerability scanning activities across operating systems, networks, databases, and web applications using NIST SCAP-compliant tools
  • Identify themselves as contractor personnel in all contract-related meetings, communications, and correspondence in accordance with contract requirements
  • Contribute to monthly activity and financial status reports, providing security program updates to the Program Manager and COR as directed

Additional Responsibilities - Security Specialist II

  • Manage the full lifecycle of ATO documentation and SSPs, ensuring annual reviews, continuous monitoring activities, and updates in response to evolving programmatic, threat, and regulatory requirements
  • Lead vulnerability assessment and penetration testing programs, presenting findings to senior leadership and government officials and managing enterprise-wide remediation activities
  • Provide technical security guidance to development teams, advising on secure architecture design, application security reviews, and full SDLC security integration
  • Lead cloud secur
