Information System Security Officer

Job Details

Experienced
Remote - Baltimore, MD
4 Year Degree
$123,250.00 - $189,750.00 Salary/year

Information Systems Security Officer

Index Analytics, LLC, is a rapidly growing, Baltimore-based small business providing health-related consulting services to the federal government. At the center of our company culture is a commitment to instilling a dynamic and employee-friendly place to work. We place a priority on promoting a supportive and collegial team environment and enhancing staff experience through career development and educational opportunities.


Position Overview


The Information System Security Officer (ISSO) is assigned responsibility for maintaining the appropriate operational security posture for Contract Supported IT Systems that support federal programs. The ISSO will provide security subject matter expertise and compliance for contract-supported federally owned information technology infrastructure. The ISSO will participate in the security community of practice within the organization. The ISSO will also mentor resources and provide input to policies and processes across associated Federal Agencies.


Responsibilities

  • Provide cybersecurity support for contract-supported organizations, programs, systems, or enclaves
  • Provide direction and guidance for security posture of systems that are contract-supported federally owned to include management of initiatives involving policy creation, security training, and processes that impact or improve security
  • Aid project teams on compiling documentation for CSRAP, SCA/ACT, SIA, and ATO prior to project implementation and support the recurring and ongoing security requirements
  • Work with Federal Agency ISSOs to monitor and track security operations in CFACTS progress of remediations to security findings
  • Provide security guidance to project team(s) on solution implementation and assess CMS TRA or NIST documentation for best practices and compliance standards
  • Work with developers to support secure coding practices, research application-related security findings, and manage information security risks throughout all the phases of the SDLC
  • Use automated tools to perform static and dynamic security testing of source code to identify vulnerabilities and attack vectors in web applications
  • Provide support for proposing, coordinating, implementing, and enforcing information systems security policies, standards, and methodologies
  • Maintain operational security posture of information systems or programs to ensure information systems security policies, standards, and procedures are established and documented
  • Assist program and project managers with day-to-day security operations for secure development and engineering of information systems
  • Evaluate security solutions to ensure they meet security requirements for processing sensitive and/or protected information
  • Perform vulnerability and risk assessment analyses as needed to support validation and accreditation activities of contract-supported federally owned IT systems
  • Maintain configuration management (CM) for information system security software, hardware, and firmware
  • Document changes to the information system and assess the security impact of those changes
  • Prepare and review documentation to include Systems Security Plans (SSPs), Risk Assessment Reports, Assess and Authorize (A&A) packages, and System Requirements Traceability Matrices (SRTMs) for contract-supported federally owned IT systems
  • Support security authorization activities in compliance with U.S. Department of Health & Human Services (HHS) requirements for the Centers for Medicaid and Medicare Services (CMS) and the Food and Drug Administration (FDA)
  • Complete a Security Impact Analysis as part of each sprint within an agile development organization
  • Support, implement, maintain, and monitor security and privacy controls in compliance with FISMA, HIPAA, FedRAMP, and NIST RMF requirements and guidance; knowledge of CMMC 2.0 requirements is a plus
  • Plan, document, implement, assess, maintain, and monitor security and privacy controls in accordance with requirements, policies, standards, processes, and procedures documented in the CMS BPSSM, ARS 3.1, TRA, and RMH
  • Ability to independently develop CFACTS/FISMA package-related deliverables including System Security Plans, Information Security Risk Assessments, Privacy Impact Assessments, Contingency Plans, Incident Response Plans, and other security related plans, policies, and procedures
  • Support audits, assessments, and penetration testing documentation requests and vulnerability remediation efforts
  • Document and maintain a Plan of Action and Milestones (POA&M) for weaknesses, vulnerabilities, and risks identified from assessments and security tools
  • Recommend engineering best practices and exhibit knowledge of federal agency’s security guidelines for secure architecture solutions
  • Perform periodic internal audits, vulnerability assessments, and web application security testing
  • Maintain knowledge of current and relevant security, technology, and privacy trends

Qualifications

  • Bachelor’s degree and 15 years of overall Security-related work experience
  • 5-10 years supporting security initiatives at HHS or other government agencies (CMS preferred), or related experience in security compliance utilizing the NIST Risk Management Framework
  • 5 years of experience in at least one of the following areas: knowledge of current security tools, hardware/software security implementation, communication protocols, and/or encryption techniques/tools
  • CISSP certification required
  • Hands-on experience with implementing, documenting, maintaining, and monitoring NIST, HIPAA, and FedRAMP security control requirements
  • Hands-on experience leading project teams through Security Controls Assessment/Adaptive Control Testing, Security Impact Assessments (SIA), TRB gate reviews and CMS ATO packaging with contracts at CMS or other agencies
  • Working knowledge of DevSecOps principles (such as CI/CD, test automation etc.), process automation and tools
  • Experience evaluating DevSecOps tools such as AWS CI/CD, NewRelic, Splunk, Git, CloudBees Jenkins, Docker/OpenShift, SonarQube/Fortify/Nessus, LaunchDarkly, etc., for security risk and compliance
  • Knowledge of CMS Acceptable Risk Safeguards (ARS), FISMA compliance, CFACTS, FedRAMP, NIST Special Publication (SP 800) guidance, HIPAA, and related privacy and compliance regulations
  • Hands-on experience with implementing, documenting, maintaining, and monitoring CMS Acceptable Risk Safeguards security control requirements
  • Experience in implementing and enforcing policies, procedures, and guidelines in a complex environment
  • Experience assisting with the implementation of an automated CI/CD DevSecOps pipeline
  • Experience driving ATOs including the security controls specified in NIST SP 800-53 rev 5
  • Experience in the development, implementation, and operation of IT Security Strategy within AWS cloud environments
  • Knowledge and experience with security best practices and relevant legislation
  • Experience with IT security management, access policy and management, authentication/SSO, authorization, audit and logging, secure communications, network protection, data protection and privacy, and security administration
  • Ability to communicate security and risk implications to technical and non-technical audiences
  • Experience working as part of an agile scrum team, assisting with security-related tasks and deliverables associated with bi-weekly sprints
  • Experience using vulnerability scanners such as Nessus
  • Experience running static analysis/static application security testing tools such as SonarQube, Fortify, or Veracode
  • Experience running dynamic application security testing tools such as WebInspect, AppScan, Qualys, Burp Suite Pro or OWASP ZAP
  • Experience with GRC tools, such as CSAM, CFACTS, TAF, or Xacta
  • Proficient in Microsoft Office (Word, Excel, PowerPoint, etc.), Project, and Visio
  • Experience securing cloud-based environments such as AWS
  • Excellent interpersonal, verbal, and written communication skills
  • Ability to communicate fluently in English both verbally and in writing
  • Extremely organized, factual, and data oriented
  • Able to meet deadlines with success
  • Ability to work independently; self-driven
  • Strong analytical, organizational, and project management skills
  • Demonstrated ability to lead and work with cross-functional teams including senior level individuals
  • Ability to thrive in a fast-paced, rapidly evolving environment with varying priorities, based on a team-building culture

Attention Candidates

We're dedicated to ensuring a safe and transparent recruitment process for all candidates and have implemented robust measures to protect your personal information. Please be aware that all employment-related communications will originate from a secure portal (NAME@msg.paycomonline.com) or a corporate email address (NAME@index-analytics.com). If you have any concerns, please don't hesitate to reach out to us at recruiting@index-analytics.com.


If you are selected for an interview, please be advised that Index Analytics LLC reserves the right to prohibit the use of artificial intelligence (AI) tools, including but not limited to AI-generated responses, real-time transcription, or automated assistance during the interview process. We value authentic interactions and the opportunity to engage directly with candidates. Any unauthorized use of AI may result in disqualification from consideration.


The salary range provided represents the estimated compensation for new hires in this position, applicable across all locations. Actual offers may vary based on factors such as the candidate's skills, qualifications, experience, and market conditions. Index complements its base salary offering with a competitive package that includes health and retirement benefits, discretionary bonuses, and reimbursement for professional development opportunities.


Index Analytics provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.
