Information System Security Officer
Job Location: Baltimore, MD - USA

Salary: $123,250 - $189,750 per year

Vacancies: 1

Job Description

Job Details

Experienced
Remote - Baltimore MD
4 Year Degree
$123,250.00 - $189,750.00 salary/year

Information Systems Security Officer

Index Analytics LLC is a rapidly growing Baltimore-based small business providing health-related consulting services to the federal government. At the center of our company culture is a commitment to instilling a dynamic and employee-friendly place to work. We place a priority on promoting a supportive and collegial team environment and enhancing staff experience through career development and educational opportunities.

Position Overview

The Information System Security Officer (ISSO) is responsible for maintaining the appropriate operational security posture of contract-supported IT systems that support federal programs. The ISSO will provide security subject matter expertise and compliance support for contract-supported, federally owned information technology infrastructure. The ISSO will participate in the security community of practice within the organization, mentor staff, and provide input to policies and processes across the associated federal agencies.

Responsibilities

  • Provide cybersecurity support for contract-supported organizations, programs, systems, or enclaves
  • Provide direction and guidance on the security posture of contract-supported, federally owned systems, including management of initiatives involving policy creation, security training, and processes that affect or improve security
  • Aid project teams in compiling documentation for CSRAP, SCA/ACT, SIA, and ATO prior to project implementation, and support the recurring and ongoing security requirements
  • Work with federal agency ISSOs to monitor and track, in CFACTS, security operations and the progress of remediation of security findings
  • Provide security guidance to project team(s) on solution implementation and assess against CMS TRA or NIST documentation for best practices and compliance standards
  • Work with developers to support secure coding practices, research application-related security findings, and manage information security risks throughout all phases of the SDLC
  • Use automated tools to perform static and dynamic security testing to identify vulnerabilities and attack vectors in web applications and their source code
  • Support proposing, coordinating, implementing, and enforcing information systems security policies, standards, and methodologies
  • Maintain the operational security posture of information systems or programs to ensure information systems security policies, standards, and procedures are established and documented
  • Assist program and project managers with day-to-day security operations for secure development and engineering of information systems
  • Evaluate security solutions to ensure they meet security requirements for processing sensitive and/or protected information
  • Perform vulnerability and risk assessment analyses as needed to support validation and accreditation activities for contract-supported, federally owned IT systems
  • Maintain configuration management (CM) for information system security software, hardware, and firmware
  • Document changes to the information system and assess the security impact of those changes
  • Prepare and review documentation, including System Security Plans (SSPs), Risk Assessment Reports, Assess and Authorize (A&A) packages, and System Requirements Traceability Matrices (SRTMs), for contract-supported, federally owned IT systems
  • Support security authorization activities in compliance with U.S. Department of Health & Human Services (HHS) requirements for the Centers for Medicare & Medicaid Services (CMS) and the Food and Drug Administration (FDA)
  • Complete a Security Impact Analysis as part of each sprint within an agile development organization
  • Support, implement, maintain, and monitor security and privacy controls in compliance with FISMA, HIPAA, FedRAMP, and NIST RMF requirements and guidance; knowledge of CMMC 2.0 requirements is a plus
  • Plan, document, implement, assess, maintain, and monitor security and privacy controls in accordance with the requirements, policies, standards, processes, and procedures documented in the CMS BPSSM, ARS 3.1, TRA, and RMH
  • Independently develop CFACTS/FISMA package-related deliverables, including System Security Plans, Information Security Risk Assessments, Privacy Impact Assessments, Contingency Plans, Incident Response Plans, and other security-related plans, policies, and procedures
  • Support audits, assessments, penetration testing documentation requests, and vulnerability remediation efforts
  • Document and maintain a Plan of Action and Milestones (POA&M) for weaknesses, vulnerabilities, and risks identified from assessments and security tools
  • Recommend engineering best practices and demonstrate knowledge of federal agency security guidelines for secure architecture solutions
  • Perform periodic internal audits, vulnerability assessments, and web application security testing
  • Maintain knowledge of current and relevant security technology and privacy trends

Qualifications

  • Bachelor's degree and 15 years of overall security-related work experience
  • 5-10 years supporting security initiatives at HHS or other government agencies (CMS preferred), or related experience in security compliance using the NIST Risk Management Framework
  • 5 years of experience in at least one of the following areas: current security tools, hardware/software security implementation, communication protocols, and/or encryption techniques/tools
  • CISSP certification required
  • Hands-on experience implementing, documenting, maintaining, and monitoring NIST, HIPAA, and FedRAMP security control requirements
  • Hands-on experience leading project teams through Security Controls Assessment/Adaptive Control Testing, Security Impact Assessments (SIA), TRB gate reviews, and CMS ATO packaging on contracts at CMS or other agencies
  • Working knowledge of DevSecOps principles (such as CI/CD, test automation, etc.), process automation, and tools
  • Experience evaluating DevSecOps tools such as AWS CI/CD, New Relic, Splunk, Git, CloudBees Jenkins, Docker/OpenShift, SonarQube/Fortify/Nessus, LaunchDarkly, etc. for security risk and compliance
  • Knowledge of CMS Acceptable Risk Safeguards (ARS), FISMA compliance, CFACTS, FedRAMP, NIST Special Publication (SP 800) guidance, HIPAA, and related privacy and compliance regulations
  • Hands-on experience implementing, documenting, maintaining, and monitoring CMS Acceptable Risk Safeguards security control requirements
  • Experience implementing and enforcing policies, procedures, and guidelines in a complex environment
  • Experience assisting with the implementation of an automated CI/CD DevSecOps pipeline
  • Experience driving ATOs, including the security controls specified in NIST SP 800-53 Rev. 5
  • Experience in the development, implementation, and operation of IT security strategy within AWS cloud environments
  • Knowledge of and experience with security best practices and relevant legislation
  • Experience with IT security management: access policy and management, authentication/SSO, authorization, audit and logging, secure communications, network protection, data protection and privacy, and security administration
  • Ability to communicate security and risk implications to technical and non-technical audiences
  • Experience working as part of an agile scrum team, assisting with security-related tasks and deliverables associated with bi-weekly sprints
  • Experience using vulnerability scanners such as Nessus
  • Experience running static analysis/static application security testing (SAST) tools such as SonarQube, Fortify, or Veracode
  • Experience running dynamic application security testing (DAST) tools such as WebInspect, AppScan, Qualys, Burp Suite Pro, or OWASP ZAP
  • Experience with GRC tools such as CSAM, CFACTS, TAF, or Xacta
  • Proficient in Microsoft Office (Word, Excel, PowerPoint, etc.), Project, and Visio
  • Experience securing cloud-based environments such as AWS
  • Excellent interpersonal, verbal, and written communication skills
  • Ability to communicate fluently in English, both verbally and in writing
  • Extremely organized, factual, and data-oriented
  • Able to meet deadlines successfully
  • Ability to work independently; self-driven
  • Strong analytical, organizational, and project management skills
  • Demonstrated ability to lead and work with cross-functional teams, including senior-level individuals
  • Ability to thrive in a fast-paced, rapidly evolving environment with varying priorities, based on a team-building culture

Attention Candidates

We're dedicated to ensuring a safe and transparent recruitment process for all candidates and have implemented robust measures to protect your personal information. Please be aware that all employment-related communications will originate from a secure portal () or a corporate email address (). If you have any concerns, please don't hesitate to reach out to us at.

If you are selected for an interview please be advised that Index Analytics LLC reserves the right to prohibit the use of artificial intelligence (AI) tools including but not limited to AI-generated responses real-time transcription or automated assistance during the interview process. We value authentic interactions and the opportunity to engage directly with candidates. Any unauthorized use of AI may result in disqualification from consideration.

The salary range provided represents the estimated compensation for new hires in this position, applicable across all locations. Actual offers may vary based on factors such as the candidate's skills, qualifications, experience, and market conditions. Index complements its base salary offering with a competitive package that includes health and retirement benefits, discretionary bonuses, and reimbursement for professional development opportunities.

Index Analytics provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local law. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.


Required Experience: Senior IC

Employment Type: Unclear
