NLM Security Specialist I - III

$90k - $135k

Lexical Intelligence, LLC

Job Description

Salary: $90,000 - $135,000

Security Specialist I - III

Lexical Intelligence provides software and services related to processing large-scale biomedical information sources. Our Natural Language Processing (NLP) and analytics software is used by policy and decision makers to evaluate and prioritize current and emerging areas of research.

We are looking for Security Specialists (I - III) to work within the National Library of Medicine (NLM), Lister Hill National Center for Biomedical Communications (LHNCBC), located at Building 38A on the NIH campus in Bethesda, MD. The Security Specialists will have experience in federal information security and compliance, vulnerability assessment and risk management, and cloud and application security operations. The Security Specialists will have a firm understanding of FISMA requirements, NIST security standards, HHS/NIH cybersecurity policies, and federal information security governance frameworks. The Security Specialists shall be able to work well within a team of multidisciplinary IT professionals including DevOps engineers, software developers, data scientists, and clinical informatics specialists.

The selected applicants will be subject to a pre-employment background and reference check.

Level Descriptions

Security Specialist I

Entry to mid-level professional with foundational experience in federal information security and compliance. Works under supervision, executing defined security tasks, supporting vulnerability assessments, and contributing to compliance documentation and incident response activities. Focuses primarily on operational security support, training compliance, and assisting with ATO documentation and security scanning activities.

Security Specialist II

Mid to senior-level professional with demonstrated experience leading security activities across complex federal IT programs. Works with greater independence, managing vulnerability programs, overseeing ATO lifecycle activities, and providing technical security guidance to development and operations teams. Contributes to cloud security governance, incident response leadership, and privacy compliance programs.

Security Specialist III

Senior-level professional serving as the strategic security leader for enterprise cybersecurity programs. Provides expert guidance on security architecture, governance, and risk management across multi-team, multi-system environments. Leads enterprise ATO programs, directs incident response and breach management, and serves as the primary security liaison to senior government officials and federal security stakeholders.

Required Qualifications

Security Specialist I

  • 4 years of relevant information security or cybersecurity experience
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, or related fields
  • Knowledge and practice of the Federal Information Security Modernization Act (FISMA) and related compliance frameworks
  • Experience with NIST Special Publications including SP 800-53, SP 800-171, SP 800-88, and SP 800-64
  • Experience supporting or maintaining Authority to Operate (ATO) documentation and System Security Plans (SSPs)
  • Familiarity with vulnerability scanning and management tools such as Tenable Security Center, Nessus, or Prowler
  • Ability to identify, document, and track security vulnerabilities and support remediation within prescribed timelines
  • Strong written and oral communication skills, including the ability to convey technical security concepts in plain language

Security Specialist II

  • 6 years of progressive information security or cybersecurity experience in a federal or government contracting environment
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, Cybersecurity, or related fields; advanced degree preferred
  • Demonstrated expertise in FISMA compliance, including full lifecycle management of ATO documentation and SSP development and maintenance
  • Advanced knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200 security categorization standards
  • Proven experience conducting vulnerability assessments, threat identification, and penetration testing using tools such as Tenable Security Center, Prowler, Netsparker, Checkmarx, and/or OWASP-based tools
  • Experience managing and responding to cybersecurity incidents in accordance with federal incident response policies, including reporting to CSIRC/NIH IRT within required timelines
  • Experience administering and securing cloud environments across multiple platforms including AWS, Google Cloud (GC), and/or Microsoft Azure, including Identity and Access Management (IAM)
  • Strong written and oral communication skills with demonstrated ability to brief senior leadership and government officials on security posture, risk, and remediation strategies

Security Specialist III

  • 8+ years of progressive, senior-level information security or cybersecurity experience, with a significant portion in a federal government or government contracting environment
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Cybersecurity, Information Technology, or related fields; Master's degree strongly preferred
  • Expert-level knowledge and demonstrated leadership in FISMA compliance, including strategic oversight of ATO lifecycle management, SSP development, and continuous monitoring programs across enterprise-level federal information systems
  • Expert knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200, with demonstrated ability to apply these frameworks to complex, multi-system environments
  • Demonstrated experience leading enterprise vulnerability management programs, including the design and oversight of vulnerability assessment methodologies, penetration testing programs, and threat identification strategies
  • Proven leadership in cybersecurity incident response at the enterprise level, including coordination with federal agencies such as the NIH CSIRC IRT, US-CERT, and HHS OCIO
  • Senior-level experience architecting and securing enterprise multi-cloud environments across AWS, GC, and Microsoft Azure, including advanced IAM strategy, cloud security posture management, and FedRAMP compliance oversight
  • Demonstrated ability to brief and advise senior government officials, CORs, Contracting Officers, ISSOs, and CISOs on enterprise security posture, risk, and strategic remediation approaches
  • Proven experience leading and mentoring teams of security professionals and coordinating cross-functional security activities across large, complex IT programs

Preferred Qualifications

  • Experience with application security scanning tools such as Netsparker, Checkmarx, or OWASP-based tools
  • Familiarity with security assessment tools and penetration testing methodologies
  • Experience supporting cloud security operations across AWS, GC, and/or Microsoft Azure environments, including IAM administration and cloud resource monitoring
  • Knowledge of container security and orchestration platforms such as Kubernetes, Docker, OpenShift, or Anthos
  • Experience with CI/CD pipeline security integration using tools such as GitLab, GitHub Actions, Nexus, or equivalent platforms
  • Familiarity with Infrastructure as Code (IaC) security practices using tools such as Terraform, Ansible, Puppet, or AWS CDK
  • Experience with monitoring and logging tools such as EFK stack, Prometheus, Grafana, or Splunk for security event analysis
  • Knowledge of HHS/NIH security policies, including HSPD-12, PIV credentialing requirements, and HHS IS2P
  • Experience with Privacy Impact Assessments (PIA), Privacy Threshold Analyses (PTA), and handling of PII and PHI in compliance with the Privacy Act, HIPAA, and applicable federal regulations
  • Familiarity with FISMA-moderate environments such as FEHRDI or equivalent federal health data systems
  • Experience with secure coding practices in accordance with US-CERT standards and OWASP guidelines
  • Familiarity with ticketing and documentation systems such as JIRA, ServiceNow, and Confluence
  • Experience with FedRAMP requirements for cloud service providers and cloud security architecture best practices
  • Familiarity with distributed computing security, including Hadoop and related open-source frameworks
  • Experience with enterprise records management and media sanitization governance in accordance with NARA policies and NIST SP 800-88
  • (For Levels II and III) Experience with HHS/NIH-specific security frameworks, including the HHS Personnel Security and Suitability Program and PIV credentialing governance
  • (For Levels II and III) Experience with HIPAA business associate agreement requirements and PHI governance in federal health IT environments
  • (For Levels II and III) Relevant certifications such as CISSP, CISM, CISA, CEH, or equivalent federal security credentials
  • (For Level III) Expert knowledge of FedRAMP, cloud service provider security governance, and strategic oversight of enterprise security training programs in accordance with HHS RBT requirements
  • (For Level III) Experience providing strategic security oversight for biomedical informatics, data science, and clinical data analytics programs within federal research environments

Responsibilities

All Levels

  • Support or lead cybersecurity and risk management activities across NLM enterprise systems, networks, databases, and application development environments, ensuring alignment with FISMA, NIST, HHS, and NIH security policies and requirements
  • Assist in or manage the lifecycle of Authority to Operate (ATO) documentation and System Security Plans (SSPs), supporting annual reviews and updates in response to evolving programmatic and security requirements
  • Support or lead the design and implementation of secure computing environments in accordance with Government FISMA policies, including firewalls, intrusion detection systems, and disaster recovery planning
  • Conduct or oversee vulnerability assessments and threat identification activities; document findings and support or lead remediation efforts within prescribed timelines in accordance with HHS Policy for Vulnerability Management and POAM requirements
  • Track and manage known vulnerabilities using Tenable Security Center and related security tools, ensuring resolution in alignment with HHS vulnerability management timelines
  • Respond to or coordinate responses to all Alerts and Indicators of Compromise (IOCs) provided by the NIH CSIRC IRT teams within 24 hours, whether the response is positive or negative
  • Support or lead incident response activities for suspected and confirmed information security and privacy incidents and breaches, ensuring reporting to the NIH IRT within one (1) hour of discovery and coordinating all required follow-up actions in accordance with HHS, NIH, and US-CERT policies
  • Assist in or oversee the protection of Controlled Unclassified Information (CUI) in accordance with Executive Order 13556, NIST SP 800-171, and applicable regulations, ensuring CUI is marked appropriately, disclosed on a need-to-know basis, and protected or destroyed in accordance with NIST SP 800-88
  • Ensure all sensitive federal data and information, including PII, PHI, and proprietary information, is encrypted in transit and at rest using FIPS 140-2/140-3 validated encryption solutions
  • Support or provide security management and oversight to identify and address security vulnerabilities in both Windows and Linux systems
  • Assist in or lead secure coding quality assurance activities in accordance with US-CERT standards and OWASP guidelines
  • Support or oversee the security of FISMA-moderate environments such as FEHRDI, ensuring that systems handling sensitive clinical and health-related data comply with all applicable security and privacy requirements
  • Assist in or lead Privacy Impact Assessments (PIA) and Privacy Threshold Analyses (PTA) in coordination with the NIH Office of the Senior Official for Privacy, ensuring assessments are reviewed and updated at least every three years or upon major system changes or new PII collection
  • Support or oversee media sanitization activities in accordance with NIST SP 800-88 at contract closeout and as directed throughout the contract period
  • Complete mandatory annual HHS/NIH Information Security Awareness, Privacy, and Records Management training prior to beginning work and annually thereafter; maintain and submit training records within required timelines
  • Adhere to HHS Information Technology General Rules of Behavior and applicable Rules of Behavior for Privileged Users, obtaining and maintaining signed acknowledgments at contract initiation and annually thereafter
  • Complete and maintain required Non-Disclosure Agreements (NDAs) for access to non-public government information prior to performing work under the contract
  • Support or manage the submission and maintenance of contractor staff rosters and background investigation documentation in accordance with contract timelines and requirements
  • Assist in or provide technical guidance to ensure that all developed ICT solutions meet Section 508 accessibility requirements and HHS digital accessibility conformance standards
  • Support or lead the coordination of authenticated and unauthenticated vulnerability scanning activities across operating systems, networks, databases, and web applications using NIST SCAP-compliant tools
  • Identify themselves as contractor personnel in all contract-related meetings, communications, and correspondence in accordance with contract requirements
  • Contribute to monthly activity and financial status reports, providing security program updates to the Program Manager and COR as directed

Additional Responsibilities

Security Specialist II

  • Manage the full lifecycle of ATO documentation and SSPs, ensuring annual reviews, continuous monitoring activities, and updates in response to evolving programmatic, threat, and regulatory requirements
  • Lead vulnerability assessment and penetration testing programs, presenting findings to senior leadership and government officials and managing enterprise-wide remediation activities
  • Provide technical security guidance to development teams, advising on secure architecture design, application security reviews, and full SDLC security integration
  • Lead cloud security operations across AWS, GC, and Azure platforms, including advanced IAM administration, cloud security posture management, and monitoring of cloud resource efficiency and security effectiveness
  • Develop, review, and maintain Incident and Breach Response Plans (IRP) in accordance with HHS/NIH, OMB, and US-CERT requirements
  • Coordinate with ISSOs, CISOs, and federal security officials on security posture, risk assessments, and compliance activities
  • Lead privacy governance activities, overseeing PIA and PTA processes and ensuring compliance with Privacy Act, HIPAA Rules, and applicable HHS policies
  • Oversee the integration of security controls within CI/CD pipelines, IaC frameworks, and containerized environments, ensuring DevSecOps principles are

Vacancy posted 3 days ago