At CMS, we believe that at the core of our organization are the employees who carry out the Agency’s vision of expanding coverage and improving health outcomes.
About the role:
As an IT Specialist (Security), referred to here as an Ethical Hacker, you will conduct ethical hacking, vulnerability assessments, and security evaluations of CMS information technology systems, networks, and applications.
Salary:
$69,373 to $133,142 per year
Where we're hiring:
What you'll do:
- Conduct authorized ethical hacking and vulnerability assessments in accordance with the National Institute of Standards and Technology (NIST), HHS, CMS, and the Office of Management and Budget (OMB) requirements, guidance, and directives.
- Participate in simulated cyberattacks using the same techniques as malicious hackers to identify potential vulnerabilities and weaknesses in systems, networks, and applications.
- Develop strategies for comprehensive security testing and vulnerability identification across the enterprise.
- Prepare internal and external reports that support IT operations, such as Federal Information Security Modernization Act (FISMA) reporting, Chief Financial Officer reporting, and others as directed.
- Analyze short-, medium-, and long-range projects to develop solutions to complex operational or policy issues in areas such as penetration testing, vulnerability assessment, social engineering testing, network security evaluation, and others as directed.
Qualifications:
In order to qualify for the GS-09, you must meet the IT Competencies below AND the following: You must demonstrate in your resume at least one year (52 weeks) of qualifying specialized experience equivalent to the GS-07 grade level in the Federal government, obtained in either the private or public sector, to include:
- Participating in penetration testing engagements, red team operations, or advanced persistent threat (APT) simulations across enterprise networks, cloud environments, and critical infrastructure to identify security vulnerabilities or attack vectors; AND
- Assisting team members with conducting vulnerability research and assessments to identify systemic weaknesses and architectural flaws; AND
- Assisting team members with custom exploit development, or with creating or modifying security-bypass testing tools and scripts (e.g., Python, PowerShell, Ruby, Bash) to address unique testing scenarios and automate security assessment workflows.
See Education Field for substitutions available at the GS-09 Level.
In order to qualify for the GS-11, you must meet the IT Competencies below AND the following: You must demonstrate in your resume at least one year (52 weeks) of qualifying specialized experience equivalent to the GS-09 grade level in the Federal government, obtained in either the private or public sector, to include:
- Participating in penetration testing engagements, red team operations, or advanced persistent threat (APT) simulations across enterprise networks, cloud environments, and critical infrastructure to identify security vulnerabilities or attack vectors; AND
- Collaborating with team or project members in evaluating security architectures, information technology (IT) system designs, or security controls across IT environments, including hybrid cloud infrastructures, zero-trust architectures, and multi-tier applications to identify systemic weaknesses and architectural flaws; AND
- Collaborating with team or project members in applying exploitation techniques, developing custom exploits, or creating or modifying security-bypass testing tools and scripts (e.g., Python, PowerShell, Ruby, Bash) to address unique testing scenarios and automate security assessment workflows; AND
- Conducting vulnerability research and assessments to present findings and make recommendations to the supervisor or team lead.
See Education Field for substitutions available at the GS-11 Level.
In order to qualify for the GS-12, you must meet the IT Competencies below AND the following: You must demonstrate in your resume at least one year (52 weeks) of qualifying specialized experience equivalent to the GS-11 grade level in the Federal government, obtained in either the private or public sector, to include:
- Planning, leading, or executing penetration testing engagements, red team operations, or advanced persistent threat (APT) simulations across enterprise networks, cloud environments, and critical infrastructure to identify security vulnerabilities or attack vectors; AND
- Evaluating security architectures, information technology (IT) system designs, or security controls across IT environments, including hybrid cloud infrastructures, zero-trust architectures, and multi-tier applications to identify systemic weaknesses and architectural flaws; AND
- Applying exploitation techniques, developing custom exploits, or creating or modifying security-bypass testing tools and scripts (e.g., Python, PowerShell, Ruby, Bash) to address unique testing scenarios and automate security assessment workflows; AND
- Conducting vulnerability research and assessments to present findings and make recommendations to leadership.
IT-related Competencies for Experience Only Qualifications:
- Attention to Detail - Is thorough when performing work and conscientious about attending to detail.
- Customer Service - Works with clients and customers (that is, any individuals who use or receive the services or products that your work unit produces, including the general public, individuals who work in the agency, other agencies, or organizations outside the Government) to assess their needs, provide information or assistance, resolve their problems, or satisfy their expectations; knows about available products and services; is committed to providing quality products and services.
- Oral Communication - Expresses information (for example, ideas or facts) to individuals or groups effectively, taking into account the audience and nature of the information (for example, technical, sensitive, controversial); makes clear and convincing oral presentations; listens to others, attends to nonverbal cues, and responds appropriately.
- Problem-Solving - Identifies problems; determines accuracy and relevance of information; uses sound judgment to generate and evaluate alternatives, and to make recommendations.
Experience refers to both paid and unpaid experience, including volunteer work done through National Service programs (e.g., Peace Corps, AmeriCorps) and other organizations (e.g., professional, philanthropic, religious, spiritual, community, student, social). Volunteer work helps build critical competencies, knowledge, and skills, and can provide valuable training and experience that translates directly to paid employment. You will receive credit for all qualifying experience, including volunteer experience.
Education Substitute for GS-09: You may qualify for this position with education and/or experience OR a combination of experience and education.
Substitution of Education for Experience: You may substitute education for specialized experience at the GS-09 level by possessing a master's or equivalent graduate degree, or two full years of progressively higher-level graduate education leading to such a degree, in computer science, engineering, information science, information systems management, mathematics, operations research, statistics, or technology management, or a degree that provided a minimum of 24 semester hours in one or more of the fields identified above and required the development or adaptation of applications, systems, or networks. (TRANSCRIPTS REQUIRED AT TIME OF APPLICATION).
- OR -
Combination of Experience and Education: Only graduate education in excess of the amount required for the GS-07 grade level may be used to qualify applicants for positions at the grade GS-09. Therefore, only education in excess of one full year of graduate-level education may be used to combine education and experience.
TRANSCRIPTS are required to verify satisfactory completion of the educational requirement related to substitution of education for experience and combination of experience and education. Please see "Required Documents" section below for what documentation is required at the time of application.
Education Substitute for GS-11: You may qualify for this position with education and/or experience OR a combination of experience and education.
Substitution of Education for Experience: You may substitute education for specialized experience at the GS-11 level by possessing a Ph.D. or equivalent doctoral degree, or three full years of progressively higher-level graduate education leading to a Ph.D. or equivalent doctoral degree, in computer science, engineering, information science, information systems management, mathematics, operations research, statistics, or technology management, or a degree that provided a minimum of 24 semester hours in one or more of the fields identified above and required the development or adaptation of applications, systems, or networks. (TRANSCRIPTS REQUIRED)
- OR -
Combination of Experience and Education: Only graduate education in excess of the amount required for the GS-09 grade level may be used to qualify applicants for positions at the grade GS-11. Therefore, only education in excess of a master's or equivalent graduate degree, or 2 full years of progressively higher-level graduate education leading to such a degree, may be used to combine education and experience.
Your resume (limited to no more than 2 pages) must include detailed information as it relates to the responsibilities and specialized experience for this position. Evidence of copying and pasting directly from the vacancy announcement without clearly documenting supplemental information to describe your experience will result in an ineligible rating. This will prevent you from being considered further.
You MUST apply through USAJOBS by 2/27/2026 to be considered.