Job Description
Job Description
Designation
Key Personnel
GSA MAS Labor Category
Security Architect
Level of Effort
1.0 FTE (1,880 hours per period), all five performance periods
Location / Hours
Remote-first; periodic on-site in Bethesda, MD; core hours 7:00 a.m.–6:00 p.m. ET M–F plus emergency after-hours
Clearance
Tier 2 Public Trust (MBI-5B) — must obtain and maintain
Key Personnel Conditions
Key Personnel designation under HHSAR 352.237-75 (RFQ Section G.3). A signed Letter of Commitment is required at quote submission (RFQ L.6.1, Factor 3, as amended). The incumbent may not be diverted or replaced without Contracting Officer written consent for the life of the task order (Base plus four option periods, through August 2031). U.S. work authorization and the ability to obtain and maintain a Tier 2 (Public Trust / MBI-5B) background investigation are required (RFQ H.11.11). Performance is remote-first with periodic on-site presence at NIH facilities in Bethesda, MD for meetings, exercises, and incident response (SOW Section 7). Core coverage hours are 7:00 a.m. to 6:00 p.m. ET, Monday through Friday, with emergency after-hours availability (RFQ F.5).
Role Summary
Technical authority for the NIH/OD-OIT security architecture and owner of the program's most visible engineering deliverables: the Baseline Zero Trust Security Architecture Reference Documents (due 90 days after award) and the Data Center Privileged Access Standard Operating Procedure (due 60 days after development of the Zero Trust privileged access architecture).
Leads the design, documentation, and implementation of Zero Trust security solutions across on-premises and cloud environments in accordance with OMB Memorandum M-22-09, and provides strategic thought leadership to the OD CISO on security engineering, emerging threats, and modernization.
Key Responsibilities
• Develop, document, and drive Government approval of Zero Trust reference architectures and security patterns for cloud and on-premises systems; define the maturity roadmap across the five Zero Trust pillars (identity, devices, networks, applications/workloads, data).
• Architect privileged access controls (PAM, formalized RDP/SSH access points) and author the Privileged Access SOP; align enforcement with Zero Trust policy goals.
• Provide senior engineering direction across the contractor-managed security stack — SIEM, EDR, next-generation firewall, WAF, DLP, PAM, IDS/IPS, and cloud security — including gap identification, tool optimization, and the System Administration and Engineering Gaps Remediation Reports.
• Support enhanced incident response capability design within Zero Trust architectures; advise Tier 2/3 forensics and SOC engineering on detection and containment patterns.
• Contribute architecture input to RMF authorization boundaries, FedRAMP package reviews, and C-SCRM third-party risk assessments; brief executives and produce decision-quality architecture artifacts.
RequirementsMinimum Qualifications
- Bachelor’s degree in computer science Security, Information Technology, or a related field. Master's Degree in IT Security/ Zero Trust preferred.
- 10+ years in security engineering or architecture for enterprise or federal environments, including 3+ years designing or implementing Zero Trust architectures referencing OMB M-22-09, NIST SP 800-207, and/or the CISA Zero Trust Maturity Model.
- CISSP-ISSAP (or CISSP plus SABSA/TOGAF with documented Zero Trust delivery). – WE have room on this
- Hands-on architectural command of at least four of: enterprise SIEM, EDR, NGFW, WAF, DLP, PAM, IDS/IPS, CASB/cloud security — in hybrid on-premises plus cloud) environments.
- Demonstrated authorship of Government-approved architecture reference documents or SOPs — written deliverables are a core output of this position, not an afterthought.
- Experience within FISMA Moderate environments; fluency in NIST SP 800-53 Rev. 5 control architecture implications.
Preferred Qualifications
• Zero Trust implementation at HHS/NIH or another federal health agency; familiarity with research-computing and PHI/PII data-protection contexts.
• Cloud security architecture certification (CCSP, or AWS/Azure security specialty).
• Experience designing SOAR/automation-enabled operations and AI-security overlays; NIST AI RMF 1.0 exposure supports SOW 5.10 requirements for AI/ML systems.
BenefitsStandard Employee Benefits.
50% Health Insurance Paid by Innosoft, Paid Vacation, 401K Match, STD LTD and AD&D paid by Innosoft.
