Fresh Listing

Posted: February 20, 2026 (0 days ago)


Ethical Hacker

Centers for Medicare & Medicaid Services

Department of Health and Human Services

Salary

$69,373 - $133,142 per year

Closes

February 27, 2026

Job Description

Summary

This job involves acting as an ethical hacker to test and improve the security of government health IT systems by simulating cyber attacks and finding weaknesses in networks and applications.

It suits someone with hands-on experience in cybersecurity testing who enjoys working in a team to protect sensitive data for Medicare and Medicaid services.

Good fits include tech-savvy professionals passionate about preventing real-world threats in a federal environment.

Key Requirements

  • One year of specialized experience equivalent to GS-07/09/11 level in penetration testing, red team operations, or APT simulations on enterprise networks, cloud, and critical infrastructure
  • Experience in vulnerability research and assessments to identify systemic weaknesses and architectural flaws
  • Skills in custom exploit development and scripting with tools like Python, PowerShell, Ruby, or Bash for security testing and automation
  • For GS-11/12: Collaboration or leadership in evaluating security architectures, IT designs, and controls in hybrid cloud, zero-trust, and multi-tier environments
  • For GS-12: Ability to plan, lead, or execute penetration testing engagements and present findings with recommendations
  • Meet IT competencies (attention to detail, customer service, oral/written communication, problem solving)
  • U.S. citizenship and ability to obtain necessary security clearance

Full Job Description

This position is located in the Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS), Office of Information Technology (OIT), Info Security & Privacy Group (ISPG), Division of Cyber Threat & Security Operations.

As an IT Specialist (Security), referred to here as an Ethical Hacker, GS-2210-9/11/12, you will conduct ethical hacking, vulnerability assessments, and security evaluations of CMS information technology systems, networks, and applications.

ALL QUALIFICATION REQUIREMENTS MUST BE MET BY THE CLOSING DATE OF THIS ANNOUNCEMENT.

Your resume (limited to no more than 2 pages) must include detailed information as it relates to the responsibilities and specialized experience for this position.

Evidence of copying and pasting directly from the vacancy announcement without clearly documenting supplemental information to describe your experience will result in an ineligible rating.

This will prevent you from being considered further.

In order to qualify for the GS-09, you must meet the IT Competencies below AND the following: You must demonstrate in your resume at least one year (52 weeks) of qualifying specialized experience equivalent to the GS-07 grade level in the Federal government, obtained in either the private or public sector, to include: Participating in penetration testing engagements, red team operations, or advanced persistent threat (APT) simulations across enterprise networks, cloud environments, and critical infrastructure to identify security vulnerabilities or attack vectors; AND Assisting team members with conducting vulnerability research and assessments to identify systemic weaknesses and architectural flaws; AND Assisting team members on custom exploit development or creating or modifying security bypassing testing tools and scripts (e.g., Python, PowerShell, Ruby, Bash) to address unique testing scenarios and automate security assessment workflows.

See Education Field for substitutions available at the GS-09 Level.

In order to qualify for the GS-11, you must meet the IT Competencies below AND the following: You must demonstrate in your resume at least one year (52 weeks) of qualifying specialized experience equivalent to the GS-09 grade level in the Federal government, obtained in either the private or public sector, to include: Participating in penetration testing engagements, red team operations, or advanced persistent threat (APT) simulations across enterprise networks, cloud environments, and critical infrastructure to identify security vulnerabilities or attack vectors; AND Collaborating with team or project members in evaluating security architectures, information technology (IT) system designs, or security controls across IT environments including hybrid cloud infrastructures, zero-trust architectures, and multi-tier applications to identify systemic weaknesses and architectural flaws; AND Collaborating with team or project members in applying exploitation techniques, custom exploit development, or creating or modifying security bypassing testing tools and scripts (e.g., Python, PowerShell, Ruby, Bash) to address unique testing scenarios and automate security assessment workflows; AND Conducting vulnerability research and assessments to present findings and make recommendations to the supervisor or team lead.

See Education Field for substitutions available at the GS-11 Level.

In order to qualify for the GS-12, you must meet the IT Competencies below AND the following: You must demonstrate in your resume at least one year (52 weeks) of qualifying specialized experience equivalent to the GS-11 grade level in the Federal government, obtained in either the private or public sector, to include: Planning, leading, or executing penetration testing engagements, red team operations, or advanced persistent threat (APT) simulations across enterprise networks, cloud environments, and critical infrastructure to identify security vulnerabilities or attack vectors; AND Evaluating security architectures, information technology (IT) system designs, or security controls across IT environments including hybrid cloud infrastructures, zero-trust architectures, and multi-tier applications to identify systemic weaknesses and architectural flaws; AND Applying exploitation techniques, custom exploit development, or creating or modifying security bypassing testing tools and scripts (e.g., Python, PowerShell, Ruby, Bash) to address unique testing scenarios and automate security assessment workflows; AND Conducting vulnerability research and assessments to present findings and make recommendations to leadership.

IT-related Competencies for Experience Only Qualifications:

Attention to Detail - Is thorough when performing work and conscientious about attending to detail.

Customer Service - Works with clients and customers (that is, any individuals who use or receive the services or products that your work unit produces, including the general public, individuals who work in the agency, other agencies, or organizations outside the Government) to assess their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services.

Oral Communication - Expresses information (for example, ideas or facts) to individuals or groups effectively, taking into account the audience and nature of the information (for example, technical, sensitive, controversial); makes clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately.

Problem-Solving - Identifies problems; determines accuracy and relevance of information; uses sound judgment to generate and evaluate alternatives, and to make recommendations.

Experience refers to both paid and unpaid experience, including volunteer work done through National Service programs (e.g., Peace Corps, AmeriCorps) and other organizations (e.g., professional, philanthropic, religious, spiritual, community, student, social).

Volunteer work helps build critical competencies, knowledge, and skills and can provide valuable training and experience that translates directly to paid employment.

You will receive credit for all qualifying experience, including volunteer experience.

Click the following link to view the occupational questionnaire: https://apply.usastaffing.gov/ViewQuestionnaire/12885784

Major Duties:

  • Conduct authorized ethical hacking and vulnerability assessments in accordance with the National Institute of Standards and Technology (NIST), HHS, CMS, and the Office of Management and Budget (OMB) requirements, guidance, and directives.
  • Participate in simulated cyberattacks using the same techniques as malicious hackers to identify potential vulnerabilities and weaknesses in systems, networks, and applications.
  • Develop strategies for comprehensive security testing and vulnerability identification across the enterprise.
  • Prepare internal and external reports to support IT operations, such as the Federal Information Security Act (FISMA), Chief Financial Officer, and others as directed.
  • Analyze short, medium, and long-range projects for solutions of complex operational or policy issues in areas such as penetration testing, vulnerability assessment, social engineering testing, network security evaluation, and others as directed.



Posted on USAJOBS: 2/20/2026 | Added to FreshGovJobs: 2/21/2026

Source: USAJOBS | ID: CMS-OIT-26-12885784-DE