Summary

The purpose of the position is to develop and/or analyze procedures and systems for identifying, assessing, and reporting the effectiveness of cybersecurity risk management within VA's information technology (IT) enterprise. Cybersecurity risk management compliance is evaluated as it relates to both IT and traditional programs through the identification, assessment, and reporting process. This is accomplished through intense control reviews and analysis.

Responsibilities

OIT Mission: The mission of the Office of Information and Technology (OIT) is to collaborate with our business partners to create the best experience for all Veterans.

OIT Vision: To become a world-class organization that provides a seamless, unified Veteran experience through the delivery of state-of-the-art technology.

Major Duties:
Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals
Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs)
Evaluate agency-wide compliance programs against short- and long-range objectives
Analyze and evaluate, on a quantitative or qualitative basis, the effectiveness of cybersecurity risk management compliance and inspection programs and/or operations
Develop detailed plans, goals, and objectives for the long-range implementation of administration programs, and develop criteria for evaluating the effectiveness of the compliance and inspection programs
Plan and recommend modifications or adjustments based on exercise results or system environment
Participate in the development, planning and organization of education programs on topics applicable to risk management functions
Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits,
inspections, etc.
Provide expert analysis and advice on complex risk management compliance and/or programs issues
Responsible for the independent review and analysis of cybersecurity risk management data from multiple data sources to identify risks and systemic problems, and to determine the quality and appropriateness of cybersecurity risk management
Monitor, assess, and communicate effectiveness of cybersecurity risk management processes to include preparation and dissemination of reports to internal and outside agencies

Work Schedule: Shifts possible: Monday-Friday, 8am - 4:30 pm
Compressed/Flexible: Not Authorized
Telework: Ad hoc telework may be authorized at management's discretion.
Position Description/PD#: IT Specialist (Infosec)/PD17079A
Relocation/Recruitment Incentives: Not Authorized
Permanent Change of Station (PCS): Not Authorized
PCS Appraised Value Offer (AVO): Not Authorized
Physical Demands: The work is sedentary. Some work may require walking and standing in conjunction with travel and attendance at meetings and conferences away from the work site and carrying light items such as papers or books.
Working Conditions: The work area is adequately lighted, heated, and ventilated. The work environment involves everyday risks or discomforts that require normal safety precautions. This position requires minimal travel. The incumbent may be required to use both air and ground transportation.
Designated Drug Testing Position: Not applicable.
This is a non-bargaining unit eligible position.

Requirements

Conditions of Employment
You must be a U.S. Citizen to apply for this job
To be considered for this position, you must complete all required steps in the process. In addition to the application and questionnaire, this position requires an online assessment. The online assessment measures critical general competencies required to perform the job.
Physical Requirements: The work required does not inherently include any physical requirements essential for successful job performance that could not otherwise be performed with accommodation or workplace adjustment. A pre-placement physical examination is not required.
Subject to background/security investigation
Selected applicants will be required to complete an online onboarding process.
Acceptable form(s) of identification will be required to complete pre-employment requirements (https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents). Effective May 7, 2025, driver's licenses or state-issued identification cards that are not REAL ID compliant cannot be utilized as an acceptable form of identification for employment.
As a condition of employment for accepting this position, you will be required to serve a 1-year probationary period during which we will evaluate your fitness and whether your continued employment advances the public interest. In determining if your employment advances the public interest, we may consider: your performance and conduct; the needs and interests of the agency; whether your continued employment would advance organizational goals of the agency or the Government; and whether your continued employment would advance the efficiency of the Federal service. Upon completion of your probationary period, your employment will be terminated unless you receive certification, in writing, that your continued employment advances the public interest.

Qualifications

To qualify for this position, applicants must meet all requirements by the closing date of this announcement, 05/08/2026. You may qualify based on your experience as described below:

Basic Requirements: Experience must be IT related; the experience may be demonstrated by paid or unpaid experience and/or completion of specific, intensive training (for example, IT certification), as appropriate.
For all positions individuals must have IT-related experience demonstrating each of the five competencies listed below. The employing agency is responsible for identifying the specific level of proficiency required for each competency at each grade level based on the requirements of the position being filled.
Information Assurance - Knowledge of methods and procedures to protect information systems and data by ensuring their availability, authentication, confidentiality, and integrity.
Information Systems/Network Security - Knowledge of methods, tools, and procedures, including development of information security plans, to prevent information systems vulnerabilities, and provide or restore security of information systems and network services.
Planning and Evaluating - Organizes work, sets priorities, and determines resource requirements; determines short- or long-term goals and strategies to achieve them; coordinates with other organizations or parts of the organization to accomplish goals; monitors progress and evaluates outcomes.
Risk Management - Knowledge of the principles, methods, and tools used for risk assessment and mitigation, including assessment of failures and their consequences.
Compliance - Knowledge of procedures for assessing, evaluating, and monitoring programs or projects for compliance with Federal laws, regulations, and OMB circulars.

AND

Specialized Experience: You must have one year of specialized experience equivalent to at least the next lower grade GS-12 in the normal line of progression for the occupation in the organization.
Specialized experience is defined as: experience that includes being responsible for the independent review and analysis of cybersecurity risk management data from multiple data sources to identify risks and systemic problems, and to determine the quality and appropriateness of cybersecurity risk management; conducting independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37); and performing cybersecurity risk management activities which are designed to improve the processes and procedures and overall cybersecurity of the enterprise. Applicant must also possess specialized experience supporting Risk Management Framework (RMF) compliance functions to include Governance, Risk and Compliance (GRC) capabilities and OIG Federal Information Security Management Act (FISMA) and Federal Information System Controls Audit (FISCAM) Audits.

Education

There is no educational substitution at this grade level.

Additional Information

Under the Fair Chance to Compete Act, the Department of Veterans Affairs prohibits requesting an applicant's criminal history prior to accepting a tentative job offer. For more information about the Act and the complaint process, visit Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP) at The Fair Chance Act.

If selected you will be required to report to one of the following locations:
Washington, District of Columbia
Hines, Illinois
Eatontown, New Jersey
Albany, New York
Philadelphia County, Pennsylvania
Austin, Texas
Salt Lake City, Utah
Shepherdstown, West Virginia

If space is not immediately available a temporary exception to telework may be granted.
If/when workspace is identified, the employee is expected to report to their assigned duty location.

Receiving Service Credit or Earning Annual (Vacation) Leave: Federal Employees earn annual leave at a rate (4, 6 or 8 hours per pay period) which is based on the number of years they have served as a Federal employee. VA may offer newly appointed Federal employees credit for their job-related non-federal experience or active duty uniformed military service. This credited service can be used in determining the rate at which they earn annual leave. Such credit must be requested and approved prior to the appointment date and is not guaranteed.

This job opportunity announcement may be used to fill additional vacancies.

If you are unable to apply online or need an alternate method to submit documents, please reach out to the Agency Contact listed in this Job Opportunity Announcement.

The Interagency Career Transition Assistance Plan (ICTAP) and Career Transition Assistance Plan (CTAP) provide eligible displaced VA competitive service employees with selection priority over other candidates for competitive service vacancies. To be qualified you must submit appropriate documentation (a copy of the agency notice, your most recent performance rating, and your most recent SF-50 noting current position, grade level, and duty location) and be found well-qualified for this vacancy. To be well-qualified: applicants must possess experience that exceeds the minimum qualifications of the position including all selective factors, and be proficient in most of the required competencies of the job. Information about ICTAP and CTAP eligibility is on OPM's Career Transition Resources website at http://www.opm.gov/policy-data-oversight/workforce-restructuring/employee-guide-to-career-transition/.