IT Cybersecurity Specialist (Cyber Defense Forensics Analyst) (Direct Hire)

District of Columbia, D.C
Oct 11, 2019
Oct 19, 2019
Analyst, IT
Full Time


For more information on the Department of Justice and the United States Attorneys' Offices, visit .

As needed, additional positions may be filled using this announcement.


Serves as the Cyber Defense Forensics Analyst (CDFA) for the Executive Office for the United States Attorneys (EOUSA) Cybersecurity Staff. Reports directly to the Insider Threat Program Manager on all EOUSA Cyber Defense, Forensic and Insider Threat initiatives. Utilizes data collected from a variety of EOUSA/USAO cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs, user behavior analysis logs, etc.) and physical defense tools to analyze events that occur within EOUSA's IT Enterprise environment for the purposes of mitigating the Insider Threat. The Cyber Defense Forensics Analyst also supports all U.S. Attorneys' Offices (USAOs) and the Executive Office for the United States Attorneys' (EOUSA) staff serving as the technical lead for the Insider Threat Prevention and Detection Program. The CDFA ensures sufficient awareness, prevention, analysis, detection and mitigation of insider threats nationwide in compliance with Executive Order 13587 - Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information and Department of Justice Order 0901 Insider Threat. The CDFA supports EOUSA and all 94 USAOs comprising roughly 15,000 users, 25,000 plus endpoints, three Core Enterprise Facilities, one Enterprise Data Center, two commercial cloud providers, and 250 work sites spanning both the continental United States and territories. The CDFA works with the EOUSA SOC Program Manager and Fusion Cell staff conducting cyber defensive and threat hunting operations.

Travel Required

Occasional travel - You may be expected to travel for this position.

Supervisory status

Promotion Potential


Conditions of Employment

  • You must be a United States Citizen or National.
  • Background investigation, credit check, and drug test required.
  • You must be registered for Selective Service, if applicable.
  • If selected, you may be required to complete a one year probationary period.
  • You must meet all qualification requirements upon the closing date of this announcement.


GS-13: Applicants must have one year of specialized experience equivalent to the GS-12 in federal service. Specialized experience is defined as conducting cyber defense analysis from data collected across a broad spectrum of cyber defense tools and services (e.g., IDS alerts, firewalls, network traffic logs, endpoint protection/endpoint detection and response tools, host-based tools, commercial cloud services); supporting large-scale organizational Insider Threat Prevention and Detection Programs, counter-intelligence techniques and tools, user behavior analytic tools, correlation and analysis of large data sets, conducting forensic analysis across desktop, server, mobile and cloud environments, experience with multiple forensic tools and processes, techniques in maintaining chain of custody and preserving evidence. In addition, you must have IT-related experience demonstrating each of the four competencies listed: Attention to Detail, Customer Service, Oral Communication, and Problem Solving.
Examples of specialized experience may include:
  • Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).
  • Knowledge of key cyber threat actors and their equities.
  • Knowledge of indications and warning.
  • Knowledge of the fundamentals of digital forensics to extract actionable intelligence.
  • Evaluates, analyzes, and synthesizes large quantities of data (which may be fragmented and contradictory) into high quality, fused cyber hunting/cybersecurity intelligence products.
  • Applies critical thinking to analyze organizational patterns and relationships and anticipates key target or threat activities which are likely to prompt a leadership decision.
  • Works across teams conducting data analytics and correlation on large data sets.
  • Derives actionable intelligence to mitigate cyber and insider threats.
  • Conducts forensic analyses in and for both Windows and Unix/Linux environments.
  • Preserves evidence integrity according to standard operating procedures or national standards.
  • Collects, processes, packages, transports, and stores electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
  • Uses forensic tool suites (e.g., EnCase, Sleuthkit, FTK), conducts forensic analyses in multiple operating system environments (e.g., mobile device systems).
  • Processes digital evidence, to include protecting and making legally sound copies of evidence.
  • Collects and preserves digital evidence, conducts analysis and writes reports.
  • Works across staffs regarding the implementation, operation and sustainment of organizational Insider Threat Prevention and Detection Program.
  • Leading Integrated Process Teams coordinating all technical aspects of the Insider Threat program.
  • Supporting organizational governance venues.

Interagency Career Transition Assistance Plan (ICTAP)- The ICTAP provides eligible displaced Federal competitive service employees with selection priority over other candidates for competitive service vacancies. If your agency has notified you in writing that you are a displaced employee eligible for ICTAP consideration, you may receive selection priority if: 1) this vacancy is within your ICTAP eligibility; 2) you apply under the instructions in this announcement; and 3) you are found eligible and qualified for this vacancy. To be eligible and qualified, you must satisfy all eligibility and qualification requirements for the vacant position as outlined in this announcement. You must provide proof of eligibility to receive selection priority. Such proof may include a copy of your written notification of ICTAP eligibility or a copy of your separation personnel action form. Additional information about ICTAP eligibility is at: .


Additional information

Payment of relocation expenses will not be authorized.

A relocation incentive may be considered as appropriate based on qualifications.

The Department of Justice offers a comprehensive benefits package that includes, in part, paid vacation; sick leave; holidays; telework; life insurance; health benefits; and participation in the Federal Employees Retirement System.

Veterans' Preference - Since Direct Hire Recruitment Authority is being used, traditional Veterans' Preference rules do not apply. Qualified preference eligibles will be given full consideration for this position. While veterans' preference does not apply in Direct Hire Authority, preference eligibles can submit their supporting documentation listed as Optional in the Required Documentation section of this vacancy announcement.

Selective Service: If you are a male applicant born after December 31, 1959, you must certify that you have registered with the Selective Service System, or are exempt from having to do so under the Selective Service Law. See .

Reasonable Accommodation Statement: Federal Agencies must provide reasonable accommodation to applicants with disabilities, where appropriate. Applicants requiring reasonable accommodation for any part of the application and hiring process should contact the hiring agency directly. Determinations on requests for reasonable accommodation will be made on a case-by-case basis.

EEO Statement: The United States Government does not discriminate in employment on the basis of race, color, religion, sex, national origin, political affiliation, sexual orientation, marital status, status as a parent, genetic information, disability, age, membership or nonmembership in an employee organization, or on the basis of personal favoritism.

How You Will Be Evaluated

You will be evaluated for this job based on how well you meet the qualifications above.

Your resume and all supporting documentation you submit, to include your responses to the Occupational Questionnaire, will be used to determine whether you meet the minimum job qualifications listed in this announcement. If you rate yourself higher than what is supported by the documentation you submit, you may be excluded from consideration for this job. If it is determined you meet minimum qualification requirements, you will be referred to the selecting official. Under the provisions of the Direct Hire Authority, category rating and veterans' preference do not apply; therefore, your responses to the assessment questionnaire will not be used to determine a scored rating. Instead, all applicants that are determined to meet minimum qualifications, as defined by this vacancy announcement, will be referred to the selecting official for consideration.

Qualified, eligible CTAP and ICTAP applicants will be referred to the selecting official under the selection priority placement program. If you are basically qualified for this job, your resume and supporting documentation will be compared to your responses to the Occupational Questionnaire. If you rate yourself higher than what is supported by your application materials, your responses may be adjusted and/or you may be excluded from consideration for this job.

The Occupational Questionnaire will take you approximately 10 minutes to complete.

Background checks and security clearance

Security clearance

Drug test required

Position sensitivity and risk
Special-Sensitive (SS)/High Risk

Trust determination process

Required Documents

You must provide a complete Application Package which includes:

- Required: Your responses to the Online Occupational Questionnaire (This is completed automatically during the apply online process).

- Required: Your resume showing relevant experience and dates (for full consideration you must include day/month/year) of employment and work schedule for each (e.g., part-time XX hours per week or full-time) (cover letter optional). Experience refers to paid and unpaid experience, including volunteer work done through National Service programs (e.g., Peace Corps, AmeriCorps) and other organizations (e.g., professional; philanthropic; religious; spiritual; community, student, social). Volunteer work helps build critical competencies, knowledge, and skills and can provide valuable training and experience that translates directly to paid employment. You will receive credit for all qualifying experience, including volunteer experience.

- Required, if applicable: CTAP/ICTAP documentation to include a copy of a separation notice or other proof of eligibility for priority selection; a copy of an SF-50, Notification of Personnel Action, showing current position, grade, promotion potential, and duty location; AND a copy of your most recent performance appraisal.

- Optional, if applicable: Veterans' Preference documentation.
Member Copy 4 of your DD-214 (Certificate of Release or Discharge from Active Duty); or if you are a current Active Duty member, a certification on appropriate military branch letterhead that indicates: 1) your service dates, 2) expected discharge or release date from active duty with a release/discharge date no later than 120 days from the closing date of this announcement, and 3) the character of service (e.g., Honorable); or other official documentation (e.g., documentation of receipt of a campaign badge or expeditionary medal) that shows your military service was performed under honorable conditions. If you are a disabled veteran, a Purple Heart recipient, or widow/widower of a veteran, the spouse of a disabled veteran or the parent of a disabled or deceased veteran, a Standard Form (SF) 15, "Application for 10-Point Veteran Preference" dated October 2013 and the required documentation identified on the reverse side of the SF-15 to support your preference claim.

If you are relying on your education to meet qualification requirements:

Education must be accredited by an accrediting institution recognized by the U.S. Department of Education in order for it to be credited towards qualifications. Therefore, provide only the attendance and/or degrees from schools accredited by accrediting institutions recognized by the U.S. Department of Education.

Failure to provide all of the required information as stated in this vacancy announcement may result in an ineligible rating or may affect the overall rating.
