Chief Information Security Officer (CISO)/Senior Agency Information Security Officer (SAISO)

Created at: July 03, 2025 01:03

Company: Headquarters, NASA

Location: Washington, DC, 20001

Job Description:

The incumbent serves as the Chief Information Security Officer (CISO) and Senior Agency Information Security Officer (SAISO), leading the cybersecurity and privacy strategy and program implementation to protect NASA's missions and enterprise. Responsibilities include establishing strategy, policies, programs, and frameworks for the security of classified and unclassified information and information systems at NASA. The incumbent also manages the Cybersecurity and Privacy Division within the Office of the CIO.
As a basic requirement for entry into the Senior Executive Service (SES), you must clearly articulate and describe within your two (2) page resume evidence of progressively responsible supervisory, managerial, or professional experience which involved management of a program or organization of significant scope and complexity, normally obtained over several years by serving in positions at the GS-15 level or equivalent. Your resume must provide information regarding your professional experience and accomplishments that demonstrates your ability to perform the duties of this position and meet the five Executive Core Qualifications (ECQs). Your resume must also clearly demonstrate your ability to meet the Mandatory Technical Qualification (MTQ). If you fail to do so, your application will be rated ineligible.

If you are currently serving under a career SES appointment, are eligible for reinstatement into the SES (this means you were previously employed as a Career SES employee and successfully completed a one-year probationary period), or have successfully completed an SES Candidate Development Program and been certified by OPM, your resume must clearly state that you are a current career SES, eligible for reinstatement, or SES CDP certified, and the year of certification.

Please DO NOT submit separate documents addressing the ECQs or MTQ. Only your resume, capped at two (2) pages, will be accepted and considered. Any additional documents submitted will not be accepted.

EXECUTIVE CORE QUALIFICATIONS (ECQ):

ECQ 1 - Leading Change: The ability to bring about strategic change, both within and outside the organization, to meet organizational goals. Inherent to this ECQ is the ability to establish an organizational vision and to implement it in a continuously changing environment.

ECQ 2 - Leading People: The ability to lead people toward meeting the organization's vision, mission, and goals. Inherent to this ECQ is the ability to provide an inclusive workplace that fosters the development of others, facilitates cooperation and teamwork, and supports constructive resolution of conflicts.

ECQ 3 - Results Driven: The ability to meet organizational goals and customer expectations. Inherent to this ECQ is the ability to make decisions that produce high-quality results by applying technical knowledge, analyzing problems, and calculating risks.

ECQ 4 - Business Acumen: The ability to manage human, financial, and information resources strategically.

ECQ 5 - Building Coalitions: The ability to build coalitions internally and with other Federal agencies, State and local governments, nonprofit and private sector organizations, foreign governments, or international organizations to achieve common goals.

MANDATORY TECHNICAL QUALIFICATIONS (MTQ):

MTQ - Demonstrated experience in overseeing enterprise-wide cybersecurity and privacy functions and initiatives, including managing incident response, governance, risk management, and advanced threat protection. This includes experience in leading the design and execution of cybersecurity efforts and strategies across a large organizational environment.

Your application package must be in your own words. Experience statements copied from a position description, vacancy announcement, or other reference material constitute plagiarism and may result in disqualification and loss of consideration for the job. NASA prohibits the use of artificial intelligence (AI) or AI-assisted tools in drafting application and assessment responses. Please visit https://www.nasa.gov/careers/how-to-apply/#Artificial-Intelligence to review NASA's guidance on the use of AI tools during the application process.

RESOURCES: Additional information about the SES and ECQs can be found on the Office of Personnel Management (OPM) SES website.
The Chief Information Security Officer (CISO)/Senior Agency Information Security Officer (SAISO):

Establishes and manages NASA's Cyber Risk Management Framework in accordance with Federal requirements (Federal Information Security Management Act (FISMA), Continuous Diagnostics and Monitoring Requirements, etc.), Department of Homeland Security guidance, and National Institute of Standards and Technology (NIST) guidance. Ensures NASA's policies and procedures are consistent and effective in protecting Agency information assets. Assesses the state of NASA's cybersecurity posture, which includes monitoring NASA's cyber vulnerabilities, maintaining an awareness of the threats to NASA, and providing appropriate information to leadership for situational awareness. Collaborates with senior executive stakeholders across NASA's mission programs, centers, mission support community, and external partners to develop and implement comprehensive strategies and policies that effectively address current and future cybersecurity risks. Ensures these efforts are aligned with NASA's overarching goals, enhancing the resilience and security posture of the Agency and increasing the likelihood of mission success. Maintains extensive knowledge of Federal legislation, directives, guidelines, and best practices for IT security and privacy, especially guidance from NIST. Also maintains knowledge of risk assessment and management practices and manages complex Agency-wide project plans for mitigation of IT security vulnerabilities. Leads a cross-functional team to identify and implement protective controls that minimize the Agency's attack surface, reduce critical points of exposure, increase the efficacy of existing and new technical countermeasures, and drive cost effectiveness through the development of economies of scale.
Operates a set of technical capabilities that ingests signals from internal sensors (e.g., endpoint agents, proxies, firewalls, packet capture, NetFlow) and captures telemetry from external sources (e.g., vulnerability scans, vulnerability disclosures, third parties, cloud providers) to identify threats. Oversees all activities captured in the incident response plan, including but not limited to incident characterization, incident severity determination, and incident declaration, along with containment, eradication, and post-mortem analysis and actions. Uses digital forensics to support these activities. Provides executive guidance to establish and manage relationships with external government parties (intelligence community, law enforcement, national security) and external commercial parties (hardware/software vendors, service providers) to enrich and advance the Agency's approach to active defense. Oversees enterprise IT contracts (cybersecurity and privacy services), ensuring high-quality, efficient performance, including consolidating cybersecurity and privacy work from various center and enterprise information technology contracts.

