Summary

The Office of Inspector General (OIG) works within the U.S. Department of Transportation (DOT) to promote efficiency and effectiveness, and to prevent or stop waste, fraud and abuse in departmental programs. We do this through audits and investigations. OIG also consults with the Congress about programs in progress and proposed new laws and regulations. The Inspector General Act of 1978 gives the Office of Inspector General autonomy to do its work without interference.

Responsibilities

As a Supervisory Information Technology Specialist (INFOSEC)/Project and IT Manager you will:

The incumbent is responsible for directing performance audits and leading audit teams in the objective and systemic examination of IT records, management reports, security controls, policies and practices affecting or reflecting the cybersecurity and operating results of information technology programs. The incumbent works with audit staff in providing an independent assessment of the performance of assigned IT programs and conducting activities related to the detection and prevention of fraud, waste, and abuse. In addition, the incumbent of this position works as an information technology specialist and manager of a red team responsible for performing vulnerability assessments and penetration tests on networks, systems, applications, cloud infrastructure, hardware, software and databases. The incumbent will also perform social engineering and physical breaching and be responsible for managing and maintaining the federal security accreditation of an IT Lab utilized by the red team.
The incumbent's major duties and responsibilities will include but not be limited to:

- Directs a team in determining the effectiveness of organizations, IT programs and activities, and examining whether an entity is complying with all applicable laws and regulations, utilizing government auditing and information security standards including Generally Accepted Government Auditing Standards (GAGAS) and National Institute of Standards and Technology (NIST) guidance.
- Directs team members that perform all phases of audit work and red team operations: planning the audit, conducting the audit/penetration tests, and preparing the audit report. The incumbent must ensure that all phases of the audit are done in accordance with GAGAS.
- Develops, interprets, plans, and applies policy, process, procedure and strategy in the delivery of multi-discipline IT services required to achieve data and system integration and interoperability for assigned systems and applications.
- Expert level experience in planning and execution of simulated cybersecurity attacks using threat intelligence and expert employment of emulated adversary tools including Kali Linux, Nessus, Netsparker (Invicti), AppDetectivePro, and Core Impact in a heterogeneous environment; and documenting findings and providing recommendations for security improvements.
- Expert level experience performing vulnerability assessments and penetration of systems/applications, hardware, software, and networks utilizing common hacking techniques such as network scanning, vulnerability assessment, exploitation of identified weaknesses, password cracking, authorization bypass, bounds checking, access escalation, and filter evasion; and documenting findings and providing recommendations for security improvements.
- Trains and directs team members to conduct the audit survey; prepare the audit (evaluation and review) program; conduct red team operations; provide technical guidance to lower level staff assigned to the audit/penetration tests; prepare and/or review the working papers; write the debriefs and the draft report; present findings and recommendations to internal and external stakeholders; and support the team in issuing final written products that adhere to high quality standards and reflect internal OIG management review and comments received from the audited operating administration.
- Manages the OIG red team lab's systems and infrastructure development and life cycles (i.e., systems documentation, design, implementation, and configuration management), budget planning, and Contracting Officer's Representative (COR) duties including contract administration and automated and manual information processing systems.
- Serves as an Information System Security Officer (ISSO), incorporating the Risk Management Framework (RMF) for identifying, assessing, mitigating, and monitoring risks of the IT Lab while providing security oversight and governance in maintaining an Authority to Operate (ATO) by ensuring compliance with FISMA, NIST and departmental policy.
- Develops annual and long-range audit plans, provides technical advice and guidance to subordinate staff for audit activities and coordination functions, and maintains close liaisons with Department program and management officials in the areas of assigned responsibility.
- Prepares periodic progress reports for OIG senior management and keeps management informed of all issues related to their assigned projects or areas of expertise in a timely manner.
- Conducts entrance and exit conferences with the audited agency and conducts follow-up inquiries to evaluate the adequacy of corrective actions taken on prior audit findings.
- Selects, places, and develops subordinates; recognizes, supports, and rewards excellent work from employees supervised; and timely and efficiently addresses poor performance of employees supervised.

Requirements

Conditions of Employment

- Must be a U.S. Citizen.
- Submit application and resume online by 11:59 P.M. EST on the closing date.
- This position is subject to a background investigation.
- This position requires a secret clearance.
- Federal employees must meet Time-In-Grade (TIG) requirements for merit promotion consideration. TIG is the 52-week requirement Federal employees in competitive service, General Schedule (GS) positions at GS-5 and above must serve before they are eligible for promotion to the next grade level.
- Applicants must meet qualifications and time-in-grade requirements by the closing date of this announcement.

Qualifications

To be eligible, applicants must meet the basic education and/or experience requirements below.

Specialized Experience

GS-14: To qualify, you must have at least one year of specialized experience equivalent to the GS-13 grade level in the federal service including: expert knowledge of a wide range of IT concepts, theory, computer methods and procedures; expert knowledge applying cybersecurity and information security principles and concepts sufficient to plan, coordinate, and assess IT security operations and the security of data, networks, systems and applications; providing technical advice and guidance regarding IT security issues; conducting penetration testing, red teaming, audits and/or assessments of IT programs; conducting interviews with officials; conducting comprehensive analysis and studies requiring the application of complex analytical and statistical methods and techniques; and preparing audit assessment reports.
Experience

Experience must be IT related; the experience may be demonstrated by paid or unpaid experience and/or completion of specific, intensive training (for example, IT certification), as appropriate.

GS-5 through GS-15 (or equivalent): For all positions, individuals must have IT-related experience demonstrating each of the four competencies listed below. The employing agency is responsible for identifying the specific level of proficiency required for each competency at each grade level based on the requirements of the position being filled.

- Attention to Detail - Is thorough when performing work and conscientious about attending to detail.
- Customer Service - Works with clients and customers (that is, any individuals who use or receive the services or products that your work unit produces, including the general public, individuals who work in the agency, other agencies, or organizations outside the Government) to assess their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services.
- Oral Communication - Expresses information (for example, ideas or facts) to individuals or groups effectively, taking into account the audience and nature of the information (for example, technical, sensitive, controversial); makes clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately.
- Problem Solving - Identifies problems; determines accuracy and relevance of information; uses sound judgment to generate and evaluate alternatives, and to make recommendations.
Preferred Qualifications:

- 5+ years of security testing experience (red teaming, cloud security, application security, or network security)
- One or more of the following industry certifications: OSCP, OSWA, OSWP, OSWE, OSEP, OSED, GPEN, GCPN, GWAPT, GMOB, GAWN, GXPN, eWPT, eCPPT, eMAPT, PNPT
- Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, blogs, publications, etc.
- Experience with server administration, TCP/IP networking, vulnerability identification and exploitation, vulnerability exploit code development, offensive security operation coordination and communication, vulnerability tracking and remediation, mobile testing
- Familiarity with various programming languages such as Python, C, Ruby, ASM is a plus
- Experience with cloud-based environments (GCP, Azure, AWS, etc.)
- Experience with common testing frameworks, such as the MITRE ATT&CK framework
- Experience with NIST 800-53 rev 5, NIST 800-115

Qualifications must be met by the closing date of the announcement.

Education

Additional Information

OIG carries out its mission by issuing audit reports, evaluations, management advisories, and other products with findings and recommendations to improve program delivery and performance.

THIS POSITION MAY BE SUBJECT TO PRE-EMPLOYMENT AND RANDOM DRUG TESTING

This position has been identified as a telework-eligible position.

Candidates will be asked to fill out a Declaration for Federal Employment (Optional Form 306). Individuals selected for positions will be required to certify that their application materials are accurate when they enter on duty.

Any male applicant who was born after December 31, 1959, and who is subsequently selected for this position must certify that he is registered for the military selective service by the date he is to enter on duty. False certification may result in termination after appointment.

THIS AGENCY PROVIDES REASONABLE ACCOMMODATIONS TO APPLICANTS WITH DISABILITIES.
IF YOU NEED A REASONABLE ACCOMMODATION FOR ANY PART OF THE APPLICATION AND HIRING PROCESS, PLEASE NOTIFY THE AGENCY. THE DECISION ON GRANTING REASONABLE ACCOMMODATIONS WILL BE ON A CASE-BY-CASE BASIS.

ALL APPLICANTS WILL RECEIVE CONSIDERATION REGARDLESS OF RACE, COLOR, RELIGION, GENDER, SEXUAL ORIENTATION, NATIONAL ORIGIN, AGE, POLITICAL AFFILIATION, UNION AFFILIATION OR NON-AFFILIATION, MARITAL STATUS, NON-DISQUALIFYING PHYSICAL HANDICAP, OR ANY OTHER NON-MERIT REASON. THE OFFICE OF INSPECTOR GENERAL (OIG), U.S. DEPARTMENT OF TRANSPORTATION (DOT) IS AN EQUAL OPPORTUNITY EMPLOYER.

Relocation expenses will not be paid.