Clarification from the agency

This announcement is open to: - Current or former federal employees in the Competitive Service. - Veterans who are VEOA eligible - Individuals with disabilities - Individuals with Special Hiring Authorities

The Deputy Chief Information Officer / Chief Information Security Officer (DCIO/CISO) plays a critical leadership role in shaping enterprise technology strategy and advancing cybersecurity capabilities across the National Gallery of Art. The position provides executive oversight of the information security program and end-user technology services, ensuring the protection of digital assets and the reliable delivery of IT services that support mission-critical operations. Working in close partnership with the CIO, the DCIO/CISO helps drive strategic initiatives, optimize technology investments, and establish governance, standards, and performance measures that enable staff to effectively engage with and steward the Gallery’s collections and operations.

• Serves as the most senior authority on cybersecurity for the Gallery, with responsibility for developing, approving and enforcing enterprise-wide cybersecurity policies, standards and control frameworks aligned with NIST, FISMA/FIPS, OMB guidance and other applicable federal requirements. Establishes and maintains the strategic cybersecurity roadmap, including defined maturity targets and performance metrics. Directs enterprise risk assessments, third-party vendor management, threat detection and incident response. Provides executive-level reporting on cybersecurity posture, risk exposure and remediation strategies to senior leadership and governance bodies. Ensures that cybersecurity requirements are fully integrated into acquisitions, system development, cloud services and vendor management activities.
• Directs the User Services Department (TDS-US), overseeing Tier 1 through 4 support, endpoint engineering, asset lifecycle management and identity and access management. Ensures effective collaboration and integration among User Services, Information Security and IT Operations, while maintaining a proactive, customer-focused IT experience that delivers positive outcomes. Establishes service-level objectives and performance metrics to ensure secure and reliable end-user computing services; manages remediation of cybersecurity vulnerabilities, baseline compliance and system upgrades in alignment with defined KPIs and targets to protect against cyber threats. Oversees the IT Asset Management program, including long-range technology replacement planning to provide high performing systems for staff productivity. Maintains a software and services catalog while identifying opportunities to consolidate applications to simplify management and reduce organizational cost.
• Works with full delegated CIO authority, in the absence of the CIO, to lead the organization and exercise executive decision-making. Partners closely with the CIO to shape enterprise IT strategy, capital planning and performance management frameworks. Represents TDS in enterprise governance bodies, risk management councils and emergency operations forums. Provides executive-level guidance on Technology risk, modernization priorities and strategies that strengthen operational resilience across the institution.
•  Supervises senior managers and professional staff while leading enterprise strategic planning for cybersecurity and end-user computing, including defining documented outcomes, performance metrics and targets aligned to the Gallery’s strategic plan and benchmarking excellence. Oversees workforce planning, performance management, succession planning and leadership development for the Information Security and User Services Teams. Cultivates a culture of accountability, innovation, customer service and continuous improvement.
• Responsible for the development and execution of budgets for Information Security and User Services, including managing operating budgets, resource plans, and financial forecasts. Serves as a senior-level Contracting Officer’s Representative (COR) for security and user services contracts, with primary oversight of the helpdesk and endpoint computing services. Ensures contracted services meet performance expectations, comply with requirements, and promote accountability.

Conditions of employment

• You must be a United States Citizen.
• This employer participates in the e-Verify program.
• Males born after 12-31-59 must be registered for Selective Service
• See "Other Information" section regarding Selective Service requirements.
• Suitable for Federal employment, determined by a background investigation
• May be required to successfully complete a probationary period

Resumes must be no longer than two-pages in length. The resume must address minimum qualifications and other requirements listed in the job announcement. Beginning on September 27, 2025, job seekers can modify existing resumes stored in their USAJOBS profile or upload or build a new resume in their USAJOBS profile to meet the two-page requirement and mark a resume as searchable in the Agency Talent Portal (ATP). Job seekers must choose a resume that is two pages or less to make it searchable and apply for jobs.

Your resume serves as the basis for qualification determinations and must highlight your most relevant and significant work experience and education (if applicable) as it relates to this job opportunity. Experience refers to paid and unpaid experience, including volunteer work done through National Service programs (e.g., Peace Corps, AmeriCorps) and other organizations (e.g., professional; philanthropic; religious; spiritual; community, student, social). Your resume must include the dates of all qualifying experience (from month/year to month/year) and the number of hours worked/volunteered per week.

Qualifications

Specialized Experience Statement: To meet the minimum qualifications for this position, candidates must possess a minimum of one year of specialized experience at or equivalent to grade level GS-15 in the public, private, or non-profit sectors . Specialized experience is defined as: 

1) Leading enterprise cybersecurity programs and policy in a complex organization;

2) Developing and enforcing cybersecurity standards and control frameworks aligned with federal requirements;

3) Directing cyber risk management, incident response, and security performance reporting; exercising executive leadership in enterprise IT strategy, governance, capital planning, and operational resilience;

4) Overseeing end-user computing or user services functions that include help desk operations, endpoint engineering, identity and access management, and asset lifecycle management;

5) Supervising senior managers or multidisciplinary professional staff;

and

6) Managing budgets, forecasts, and high-value IT contracts, including serving in a senior contract oversight or COR capacity.

OPM Qualifications Standard:

Individual Occupational Requirements: Information Technology (IT) Management Series 2210 (Alternative A)

MANDATORY QUALIFICATIONS:
Applicants must address the following mandatory qualifications separate from their resumes. Statements must provide specific examples that address relevant experience, accomplishments and evidence that you possess demonstrated superior technical qualifications. You will not be considered for this position if you fail to submit qualification statements specifically addressing each mandatory technical qualification requirement.

Mandatory Technical Qualifications (MTQs): Maximum of two pages per MTQ.

• MTQ 1. Mastery of the theories, concepts, standards and practices of Information Technology (IT) enterprise portfolio management and leadership, with particular emphasis on effective strategic planning and implementation. This includes the ability to coordinate, plan, and direct projects staffed with representatives of highly collaborative, cross-functional teams to ensure successful completion.
• MTQ 2. Mastery of the principles, methods, services, best practices and techniques used in the IT field and their application to advance and enable business strategic priorities. This requires the possession of expert knowledge of the critical role Information Technology plays in advancing and supporting business and mission priorities. This includes the ability to apply this expert knowledge in the context of a large organization with a variety of complex program responsibilities.
• MTQ 3. Leverages expert knowledge of advancements in the information technology industry to address mission and business issues and challenges; to develop and implement cutting edge, innovative solutions for the organization; to plan and conduct feasibility studies, and to advise senior organizational management concerning resource management strategies.
• MTQ 4. Leading Change: This core qualification involves the ability to bring about strategic change, both within and outside the organization, to meet organizational goals. Inherent to this core qualification is the ability to establish an organizational vision and to implement it in a continuously changing environment.
• MTQ 5. Leading People: This core qualification involves the ability to lead people toward meeting the organization’s vision, mission, and goals. Inherent to this core qualification is the ability to provide an inclusive workplace that fosters the development of others, facilitates cooperation and teamwork, and supports constructive resolution of conflicts.

Other Relevant Eligibility Criteria:

Must maintain availability for executive incident response and occasional work outside normal business hours

May be required to carry a Gallery-issued phone during non-work hours.

Your responses to the MTQs will be evaluated based on how clearly and concisely you emphasize your level of responsibilities, particularly, the scope and complexity of the programs, activities, or services managed; program accomplishments; policy initiatives undertaken; level of contacts; the sensitivity and criticality of the issues addressed; and the results of actions taken.

You are required to submit separate narrative statements for each MTQ to receive consideration for this position. Please see the REQUIRED DOCUMENTS section for complete details regarding the page limitation and formatting requirement.

Applicants must carefully review the information in the "How You Will Be Evaluated" section for important information and instructions pertaining to the multi-hurdle assessment process for this position.

While not required by regulation, agencies may require that at least 1 year of the specialized experience must be at least equivalent to experience at GS-15 (5 CFR 319.301(c)(2)).

Only experience and education obtained by the closing date of this announcement will be considered.

Experience refers to paid and unpaid experience, including volunteer work done through National Service programs (e.g., Peace Corps, AmeriCorps) and other organizations (e.g., professional; philanthropic; religious; spiritual; community, student, social). Volunteer work helps build critical competencies, knowledge, and skills and can provide valuable training and experience that translates directly to paid employment. You will receive credit for all qualifying experience, including volunteer experience.

How you will be evaluated

You will be evaluated for this job based on how well you meet the qualifications above.

Applications will be evaluated based on the quality and extent of accomplishments and experience as they relate to the Mandatory Technical Qualifications (MTQs). This information will be obtained from the application and narrative statements. Failure to provide specific information in each of the narrative statements will result in you receiving a lower rating or disqualification. A minimum qualifications screening will be conducted by Human Resources. Eligible applicants will then be evaluated by evaluated by a screening panel composed of a diverse mix of senior executives and/or general officers selected from organizational and/or functional backgrounds relevant to this position. The panel will rate minimally qualified applicants in order to determine which candidates are considered  "Superior" (top), "Very Good" (middle), or "Acceptable" (bottom) category. Generally, only the individuals in the Superior (top) category will be referred to the Hiring Manager/Selection Official for interview. Please make sure you answer all questions and follow all instructions carefully. Errors or omissions may affect your evaluation.

Note: the Category Rating Process does not add veterans' preference points or apply the "rule of three" instead Category Rating protects the rights of qualified veterans by placing them ahead of qualified non-preference eligibles within each category. Qualified preference-eligibles will be listed at the top of their assigned category and considered before qualified non-preference-eligibles in that same category. And preference eligible applicants that meet the qualification requirements for the position and have a compensable service-connected disability rating of ten percent or more are listed at the top of the superior (top) category, except in the case of scientific or professional positions at the GS-9 level or higher. Your responses should be clear and concise and show a level of accomplishment and a degree of responsibility. We use a multi-step process to evaluate and refer applicants:

1. Screen for Eligibility and Minimum Requirements: Your application must show that you meet all requirements, including any minimum education and/or experience required for this position. You may be found "not qualified" if you do not possess the minimum competencies required for the position. If your application is incomplete, we may rate you as ineligible.

2. Ranking and Rating: You will be evaluated by a screening panel composed of a diverse mix of senior executives and/or general officers panel based on your responses to the mandatory technical qualification (MTQ) requirements stated in this announcement.

3. Referral: If you are among the Superior (best qualified) candidates, your application will be referred to the hiring manager/selecting official for consideration and possible interview.

In addition to a resume, each applicant is required to submit a comprehensive narrative statement addressing each MTQ individually.