
NLM Security Specialist I - III

Lexical Intelligence, LLC

Location: Bethesda, MD, US

Salary: $90,000 - $135,000 /yearly

Type: fulltime

Posted: Today via indeed

Job Description

Security Specialist I – III

Lexical Intelligence provides software and services related to processing large-scale biomedical information sources. Our Natural Language Processing (NLP) and analytics software is used by policy and decision makers to evaluate and prioritize current and emerging areas of research.

We are looking for Security Specialists (I – III) to work within the National Library of Medicine (NLM), Lister Hill National Center for Biomedical Communications (LHNCBC), located at Building 38A on the NIH campus in Bethesda, MD. The Security Specialists will have experience in federal information security and compliance, vulnerability assessment and risk management, and cloud and application security operations. The Security Specialists will have a firm understanding of FISMA requirements, NIST security standards, HHS/NIH cybersecurity policies, and federal information security governance frameworks. The Security Specialists shall be able to work well within a team of multidisciplinary IT professionals including DevOps engineers, software developers, data scientists, and clinical informatics specialists. The selected applicants will be subject to a pre-employment background and reference check.

Level Descriptions

Security Specialist I – Entry to mid-level professional with foundational experience in federal information security and compliance. Works under supervision, executing defined security tasks, supporting vulnerability assessments, and contributing to compliance documentation and incident response activities. Focuses primarily on operational security support, training compliance, and assisting with ATO documentation and security scanning activities.

Security Specialist II – Mid to senior-level professional with demonstrated experience leading security activities across complex federal IT programs. Works with greater independence, managing vulnerability programs, overseeing ATO lifecycle activities, and providing technical security guidance to development and operations teams. Contributes to cloud security governance, incident response leadership, and privacy compliance programs.

Security Specialist III – Senior-level professional serving as the strategic security leader for enterprise cybersecurity programs. Provides expert guidance on security architecture, governance, and risk management across multi-team, multi-system environments. Leads enterprise ATO programs, directs incident response and breach management, and serves as the primary security liaison to senior government officials and federal security stakeholders.

Required Qualifications

Security Specialist I

  • 4 years of relevant information security or cybersecurity experience
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, or related fields
  • Knowledge and practice of the Federal Information Security Modernization Act (FISMA) and related compliance frameworks
  • Experience with NIST Special Publications including SP 800-53, SP 800-171, SP 800-88, and SP 800-64
  • Experience supporting or maintaining Authority to Operate (ATO) documentation and System Security Plans (SSPs)
  • Familiarity with vulnerability scanning and management tools such as Tenable Security Center, Nessus, or Prowler
  • Ability to identify, document, and track security vulnerabilities and support remediation within prescribed timelines
  • Strong written and oral communication skills, including the ability to convey technical security concepts in plain language

Security Specialist II

  • 6 years of progressive information security or cybersecurity experience in a federal or government contracting environment
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Information Technology, Cybersecurity, or related fields; advanced degree preferred
  • Demonstrated expertise in FISMA compliance, including full lifecycle management of ATO documentation and SSP development and maintenance
  • Advanced knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200 security categorization standards
  • Proven experience conducting vulnerability assessments, threat identification, and penetration testing using tools such as Tenable Security Center, Prowler, Netsparker, Checkmarx, and/or OWASP-based tools
  • Experience managing and responding to cybersecurity incidents in accordance with federal incident response policies, including reporting to CSIRC/NIH IRT within required timelines
  • Experience administering and securing cloud environments across multiple platforms including AWS, Google Cloud (GC), and/or Microsoft Azure, including Identity and Access Management (IAM)
  • Strong written and oral communication skills with demonstrated ability to brief senior leadership and government officials on security posture, risk, and remediation strategies

Security Specialist III

  • 8+ years of progressive, senior-level information security or cybersecurity experience, with a significant portion in a federal government or government contracting environment
  • Bachelor's degree or other degree(s) in Computer Science, Information Security, Cybersecurity, Information Technology, or related fields; Master's degree strongly preferred
  • Expert-level knowledge and demonstrated leadership in FISMA compliance, including strategic oversight of ATO lifecycle management, SSP development, and continuous monitoring programs across enterprise-level federal information systems
  • Expert knowledge of NIST Special Publications including SP 800-53, SP 800-64, SP 800-88, SP 800-171, and FIPS 199/200, with demonstrated ability to apply these frameworks to complex, multi-system environments
  • Demonstrated experience leading enterprise vulnerability management programs, including the design and oversight of vulnerability assessment methodologies, penetration testing programs, and threat identification strategies
  • Proven leadership in cybersecurity incident response at the enterprise level, including coordination with federal agencies such as the NIH CSIRC IRT, US-CERT, and HHS OCIO
  • Senior-level experience architecting and securing enterprise multi-cloud environments across AWS, GC, and Microsoft Azure, including advanced IAM strategy, cloud security posture management, and FedRAMP compliance oversight
  • Demonstrated ability to brief and advise senior government officials, CORs, Contracting Officers, ISSOs, and CISOs on enterprise security posture, risk, and strategic remediation approaches
  • Proven experience leading and mentoring teams of security professionals and coordinating cross-functional security activities across large, complex IT programs

Preferred Qualifications

  • Experience with application security scanning tools such as Netsparker, Checkmarx, or OWASP-based tools
  • Familiarity with security assessment tools and penetration testing methodologies
  • Experience supporting cloud security operations across AWS, GC, and/or Microsoft Azure environments, including IAM administration and cloud resource monitoring
  • Knowledge of container security and orchestration platforms such as Kubernetes, Docker, OpenShift, or Anthos
  • Experience with CI/CD pipeline security integration using tools such as GitLab, GitHub Actions, Nexus, or equivalent platforms
  • Familiarity with Infrastructure as Code (IaC) security practices using tools such as Terraform, Ansible, Puppet, or AWS CDK
  • Experience with monitoring and logging tools such as EFK stack, Prometheus, Grafana, or Splunk for security event analysis
  • Knowledge of HHS/NIH security policies, including HSPD-12, PIV credentialing requirements, and HHS IS2P
  • Experience with Privacy Impact Assessments (PIA), Privacy Threshold Analyses (PTA), and handling of PII and PHI in compliance with the Privacy Act, HIPAA, and applicable federal regulations
  • Familiarity with FISMA-moderate environments such as FEHRDI or equivalent federal health data systems
  • Experience with secure coding practices in accordance with US-CERT standards and OWASP guidelines
  • Familiarity with ticketing and documentation systems such as JIRA, ServiceNow, and Confluence
  • Experience with FedRAMP requirements for cloud service providers and cloud security architecture best practices
  • Familiarity with distributed computing security, including Hadoop and related open-source frameworks
  • Experience with enterprise records management and media sanitization governance in accordance with NARA policies and NIST SP 800-88
  • (For Levels II and III) Experience with HHS/NIH-specific security frameworks, including the HHS Personnel Security and Suitability Program and PIV credentialing governance
  • (For Levels II and III) Experience with HIPAA business associate agreement requirements and PHI governance in federal health IT environments
  • (For Levels II and III) Relevant certifications such as CISSP, CISM, CISA, CEH, or equivalent federal security credentials
  • (For Level III) Expert knowledge of FedRAMP, cloud service provider security governance, and strategic oversight of enterprise security training programs in accordance with HHS RBT requirements
  • (For Level III) Experience providing strategic security oversight for biomedical informatics, data science, and clinical data analytics programs within federal research environments

Responsibilities

All Levels

  • Support or lead cybersecurity and risk management activities across NLM enterprise systems, networks, databases, and application development environments, ensuring alignment with FISMA, NIST, HHS, and NIH security policies and requirements
  • Assist in or manage the lifecycle of Authority to Operate (ATO) documentation and System Security Plans (SSPs), supporting annual reviews and updates in response to evolving programmatic and security requirements
  • Support or lead the design and implementation of secure computing environments in accordance with Government FISMA policies, including firewalls, intrusion detection systems, and disaster recovery planning
  • Conduct or oversee vulnerability assessments and threat identification activities; document findings and support or lead remediation efforts within prescribed timelines in accordance with HHS Policy for Vulnerability Management and POAM requirements
  • Track and manage known vulnerabilities using Tenable Security Center and related security tools, ensuring resolution in alignment with HHS vulnerability management timelines
  • Respond to or coordinate responses to all Alerts and Indicators of Compromise (IOCs) provided by the NIH CSIRC IRT teams within 24 hours, whether the response is positive or negative
  • Support or lead incident response activities for suspected and confirmed information security and privacy incidents and breaches, ensuring reporting to the NIH IRT within one (1) hour of discovery and coordinating all required follow-up actions in accordance with HHS, NIH, and US-CERT policies
  • Assist in or oversee the protection of Controlled Unclassified Information (CUI) in accordance with Executive Order 13556, NIST SP 800-171, and applicable regulations, ensuring CUI is marked appropriately, disclosed on a need-to-know basis, and protected or destroyed in accordance with NIST SP 800-88
  • Ensure all sensitive federal data and information, including PII, PHI, and proprietary information, is encrypted in transit and at rest using FIPS 140-2/140-3 validated encryption solutions
  • Support or provide security management and oversight to identify and address security vulnerabilities in both Windows and Linux systems
  • Assist in or lead secure coding quality assurance activities in accordance with US-CERT standards and OWASP guidelines
  • Support or oversee the security of FISMA-moderate environments such as FEHRDI, ensuring that systems handling sensitive clinical and health-related data comply with all applicable security and privacy requirements
  • Assist in or lead Privacy Impact Assessments (PIA) and Privacy Threshold Analyses (PTA) in coordination with the NIH Office of the Senior Official for Privacy, ensuring assessments are reviewed and updated at least every three years or upon major system changes or new PII collection
  • Support or oversee media sanitization activities in accordance with NIST SP 800-88 at contract closeout and as directed throughout the contract period
  • Complete mandatory annual HHS/NIH Information Security Awareness, Privacy, and Records Management training prior to beginning work and annually thereafter; maintain and submit training records within required timelines
  • Adhere to HHS Information Technology General Rules of Behavior and applicable Rules of Behavior for Privileged Users, obtaining and maintaining signed acknowledgments at contract initiation and annually thereafter
  • Complete and maintain required Non-Disclosure Agreements (NDAs) for access to non-public government information prior to performing work under the contract
  • Support or manage the submission and maintenance of contractor staff rosters and background investigation documentation in accordance with contract timelines and requirements
  • Assist in or provide technical guidance to ensure that all developed ICT solutions meet Section 508 accessibility requirements and HHS digital accessibility conformance standards
  • Support or lead the coordination of authenticated and unauthenticated vulnerability scanning activities across operating systems, networks, databases, and web applications using NIST SCAP-compliant tools
  • Identify themselves as contractor personnel in all contract-related meetings, communications, and correspondence in accordance with contract requirements
  • Contribute to monthly activity and financial status reports, providing security program updates to the Program Manager and COR as directed

Additional Responsibilities – Security Specialist II

  • Manage the full lifecycle of ATO documentation and SSPs, ensuring annual reviews, continuous monitoring activities, and updates in response to evolving programmatic, threat, and regulatory requirements
  • Lead vulnerability assessment and penetration testing programs, presenting findings to senior leadership and government officials and managing enterprise-wide remediation activities
  • Provide technical security guidance to development teams, advising on secure architecture design, application security reviews, and full SDLC security integration
  • Lead cloud security operations across AWS, GC, and Azure platforms, including advanced IAM administration, cloud security posture management, and monitoring of cloud resource efficiency and security effectiveness
  • Develop, review, and maintain Incident and Breach Response Plans (IRP) in accordance with HHS/NIH, OMB, and US-CERT requirements
  • Coordinate with ISSOs, CISOs, and federal security officials on security posture, risk assessments, and compliance activities
  • Lead privacy governance activities, overseeing PIA and PTA processes and ensuring compliance with Privacy Act, HIPAA Rules, and applicable HHS policies
  • Oversee the integration of security controls within CI/CD pipelines, IaC frameworks, and containerized environments, ensuring DevSecOps principles are embedded throughout the software delivery lifecycle
  • Contribute to the development and delivery of role-based cybersecurity training programs in accordance with HHS policy and the HHS Role-Based Training Memorandum
  • Provide technical mentorship to Security Specialist I staff, reviewing security assessments and coordinating security activities across cross-functional teams
  • Support records management and data governance activities, ensuring compliance with NARA policies, HHS Agency Records Control Schedules, and applicable federal records management laws

Additional Responsibilities – Security Specialist III

  • Serve as the senior cybersecurity subject matter expert and strategic leader for all information security activities across the NLM/LHNCBC contract, providing expert guidance to the Program Manager, government officials, and cross-functional technical teams
  • Architect and oversee the implementation of enterprise security programs across on-premises, hybrid, and multi-cloud infrastructures in alignment with FISMA, NIST, HHS, and NIH security governance frameworks
  • Lead enterprise cloud security architecture strategy across AWS, GC, and Azure platforms, including advanced IAM governance, FedRAMP compliance oversight, and cloud security posture management at scale
  • Direct enterprise cybersecurity incident response activities, establishing and maintaining coordinated relationships with NIH CSIRC IRT, HHS OCIO, US-CERT, and other federal stakeholders; manage complex breach investigations and ensure organizational readiness and continuous improvement
  • Lead enterprise encryption governance, ensuring all sensitive federal data is encrypted using FIPS 140-2/140-3 validated solutions and maintaining key management practices in accordance with HHS standards
  • Oversee the strategic integration of security controls within DevSecOps pipelines, IaC frameworks, and containerized environments at enterprise scale
  • Lead enterprise privacy governance programs, providing strategic oversight of PIA and PTA activities and serving as the primary liaison to NIH privacy officials on all contract-related privacy matters
  • Direct enterprise security training and awareness programs, ensuring all contractor and subcontractor personnel complete mandatory training and overseeing role-based training for personnel with significant security responsibilities
  • Lead post-incident analysis activities, producing comprehensive post-incident reports including root cause analysis, lessons learned, and strategic recommendations for vulnerability mitigation and program improvement
  • Mentor and provide strategic leadership to Security Specialist I and II staff, establishing performance standards, professional development pathways, and technical excellence frameworks across the security team
  • Lead security transition planning activities, ensuring comprehensive documentation, knowledge transfer, and security continuity planning are completed in advance of contract transitions in accordance with the approved transition-out plan
  • Serve as the primary point of coordination between the contractor security team and government security officials, including ISSOs, CISOs, the NIH Office of the SOP, and the HHS OCIO, on all matters related to enterprise security posture, risk management, and compliance

Responsibilities include ensuring compliance with organizational security and privacy policies, protecting sensitive data and systems, reporting security incidents, and participating in required cybersecurity training. The role also involves implementing best practices related to access control, data handling, and risk mitigation within the scope of assigned duties.

Salary and Benefits: We offer a competitive salary and a generous benefits package, including at no cost: full health and dental for you and your dependents, retirement and HSA accounts, short- and long-term disability insurance, life and accident insurance, paid time off, and 11 federal holidays.

Location: Bethesda, MD.

Equal Employment Opportunity Policy: Lexical Intelligence, LLC, provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

Lexical Intelligence, LLC | 2001 Veirs Mill Rd 546 | Rockville, MD 20851
