
Hybrid Supervisory Information Technology Specialist (INFOSEC/Pen Tester) at Department of Transportation

Department of Transportation · District of Columbia, District of Columbia, United States of America · Hybrid


Supervisory Information Technology Specialist (INFOSEC/Pen Tester)

Department: Department of Transportation

Location(s): District of Columbia, District of Columbia

Salary Range: $142488 - $185234 Per Year

Job Summary: The Office of Inspector General (OIG) works within the U.S. Department of Transportation (DOT) to promote efficiency and effectiveness, and to prevent or stop waste, fraud and abuse in departmental programs. We do this through audits and investigations. OIG also consults with the Congress about programs in progress and proposed new laws and regulations. The Inspector General Act of 1978 gives the Office of Inspector General autonomy to do its work without interference.

Major Duties:

  • As a Supervisory Information Technology Specialist (INFOSEC)/Project and IT Manager, the incumbent is responsible for directing performance audits and leading audit teams in the objective and systematic examination of IT records, management reports, security controls, policies and practices affecting or reflecting the cybersecurity and operating results of information technology programs. The incumbent works with audit staff in providing an independent assessment of the performance of assigned IT programs and conducting activities related to the detection and prevention of fraud, waste, and abuse. In addition, the incumbent works as an information technology specialist and manager of a red team responsible for performing vulnerability assessments and penetration tests on networks, systems, applications, cloud infrastructure, hardware, software and databases. The incumbent will also perform social engineering and physical breaching and be responsible for managing and maintaining the federal security accreditation of an IT Lab utilized by the red team.
  • The incumbent's major duties and responsibilities will include but not be limited to:
  • Directs a team in determining the effectiveness of organizations, IT programs and activities, and in examining whether an entity is complying with all applicable laws and regulations, utilizing government auditing and information security standards including Generally Accepted Government Auditing Standards (GAGAS) and National Institute of Standards and Technology (NIST) guidance.
  • Directs team members that perform all phases of audit work and red team operations: planning the audit, conducting the audit/penetration tests, and preparing the audit report. The incumbent must ensure that all phases of the audit are done in accordance with GAGAS.
  • Develops, interprets, plans, and applies policy, process, procedure and strategy in the delivery of multi-discipline IT services required to achieve data and system integration and interoperability for assigned systems and applications.
  • Expert-level experience in planning and executing simulated cybersecurity attacks using threat intelligence and expert employment of emulated adversary tools, including Kali Linux, Nessus, Netsparker (Invicti), AppDetectivePro, and Core Impact, in a heterogeneous environment; and documenting findings and providing recommendations for security improvements.
  • Expert-level experience performing vulnerability assessments and penetration of systems/applications, hardware, software, and networks utilizing common hacking techniques such as network scanning, vulnerability assessment, exploitation of identified weaknesses, password cracking, authorization bypass, bounds checking, access escalation, and filter evasion; and documenting findings and providing recommendations for security improvements.
  • Trains and directs team members to conduct the audit survey; prepare the audit (evaluation and review) program; conduct red team operations; provide technical guidance to lower-level staff assigned to the audit/penetration tests; prepare and/or review the working papers; write the debriefs and the draft report; present findings and recommendations to internal and external stakeholders; and support the team in issuing final written products that adhere to high quality standards and reflect internal OIG management review and comments received from the audited operating administration.
  • Manages the OIG red team lab's systems and infrastructure development and life cycles (i.e., systems documentation, design, implementation, and configuration management), budget planning, and Contracting Officer's Representative (COR) duties including contract administration and automated and manual information processing systems.
  • Serves as an Information System Security Officer (ISSO), incorporating the Risk Management Framework (RMF) for identifying, assessing, mitigating, and monitoring risks of the IT Lab while providing security oversight and governance in maintaining an Authority to Operate (ATO) by ensuring compliance with FISMA, NIST and departmental policy.
  • Develops annual and long-range audit plans, provides technical advice and guidance to subordinate staff for audit activities and coordination functions, and maintains close liaison with Department program and management officials in the areas of assigned responsibility.
  • Prepares periodic progress reports for OIG senior management and keeps management informed of all issues related to their assigned projects or areas of expertise in a timely manner.
  • Conducts entrance and exit conferences with the audited agency and conducts follow-up inquiries to evaluate the adequacy of corrective actions taken on prior audit findings.
  • Selects, places, and develops subordinates; recognizes, supports, and rewards excellent work from employees supervised; and timely and efficiently addresses poor performance of employees supervised.

Qualifications: To be eligible, applicants must meet the basic education and/or experience requirements below.

Specialized Experience GS-14: To qualify, you must have at least one year of specialized experience equivalent to the GS-13 grade level in the federal service, including: expert knowledge of a wide range of IT concepts, theory, computer methods and procedures; expert knowledge applying cybersecurity and information security principles and concepts sufficient to plan, coordinate, and assess IT security operations and the security of data, networks, systems and applications; providing technical advice and guidance regarding IT security issues; conducting penetration testing, red teaming, audits and/or assessments of IT programs; conducting interviews with officials; conducting comprehensive analysis and studies requiring the application of complex analytical and statistical methods and techniques; and preparing audit assessment reports.

Experience: Experience must be IT related; the experience may be demonstrated by paid or unpaid experience and/or completion of specific, intensive training (for example, IT certification), as appropriate. GS-5 through GS-15 (or equivalent): For all positions, individuals must have IT-related experience demonstrating each of the four competencies listed below. The employing agency is responsible for identifying the specific level of proficiency required for each competency at each grade level based on the requirements of the position being filled.

  • Attention to Detail - Is thorough when performing work and conscientious about attending to detail.
  • Customer Service - Works with clients and customers (that is, any individuals who use or receive the services or products that your work unit produces, including the general public, individuals who work in the agency, other agencies, or organizations outside the Government) to assess their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services.
  • Oral Communication - Expresses information (for example, ideas or facts) to individuals or groups effectively, taking into account the audience and nature of the information (for example, technical, sensitive, controversial); makes clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately.
  • Problem Solving - Identifies problems; determines accuracy and relevance of information; uses sound judgment to generate and evaluate alternatives, and to make recommendations.

Preferred Qualifications:

  • 5+ years of security testing experience (red teaming, cloud security, application security, or network security)
  • One or more of the following industry certifications: OSCP, OSWA, OSWP, OSWE, OSEP, OSED, GPEN, GCPN, GWAPT, GMOB, GAWN, GXPN, eWPT, eCPPT, eMAPT, PNPT
  • Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, blogs, publications, etc.
  • Experience with server administration, TCP/IP networking, vulnerability identification and exploitation, vulnerability exploit code development, offensive security operation coordination and communication, vulnerability tracking and remediation, and mobile testing
  • Familiarity with various programming languages such as Python, C, Ruby, and ASM is a plus
  • Experience with cloud-based environments (GCP, Azure, AWS, etc.)
  • Experience with common testing frameworks, such as the MITRE ATT&CK framework
  • Experience with NIST 800-53 rev 5 and NIST 800-115

Qualifications must be met by the closing date of the announcement.

How to Apply: Applications submitted via WWW.USAJOBS.GOV must be received before midnight eastern time on the closing date of the announcement. No extensions will be granted. If you fail to submit a COMPLETE on-line resume, you WILL NOT be considered for this position. Please make sure that the responses provided in the questionnaire are fully supported by your resume, that your resume is detailed and you have highlighted your most relevant experience for this position (to include starting and ending dates of employment for each position held), and education (if applicable) as it relates to this job opportunity. If you fail to provide this information, it may result in you being rated "ineligible" or "not qualified" for this position. If you exaggerate or falsify your experience, education and/or your responses to questions, your ratings are subject to change or you may be removed from employment consideration. Applicants who do not respond to the application questions will be rated ineligible. If applying on-line poses a hardship to any applicant, the Servicing Personnel Office listed on the announcement will provide assistance to ensure that applications are submitted on-line by the closing date. Applicants must contact the Servicing Human Resources Office PRIOR TO THE CLOSING DATE to speak to someone who can provide assistance for on-line submission. Requests for extensions will not be granted.

Application Deadline: 2025-08-04
