Information System Security Officer

Job Details

Experienced
7265 WINDSOR BLVD SUITE 106 - Windsor Mill, MD
Fully Remote
4 Year Degree
$118,800.68 - $180,000.00 Salary/year

Description

Index Analytics, LLC, is a rapidly growing, Baltimore-based small business providing health-related consulting services to the federal government. At the center of our company culture is a commitment to instilling a dynamic and employee-friendly place to work. We place a priority on promoting a supportive and collegial team environment and enhancing staff experience through career development and educational opportunities.

The Information System Security Officer (ISSO) is responsible for maintaining the appropriate operational security posture for contract-supported IT systems that support federal programs. The ISSO will provide security subject matter expertise and compliance support for contract-supported, federally owned information technology infrastructure. The ISSO will participate in the security community of practice within the organization, mentor staff, and provide input to policies and processes across the associated federal agencies.

Responsibilities

  • Provide direction and guidance on the security posture of contract-supported, federally owned systems, including management of initiatives involving policy creation, security training, and processes that impact or improve security
  • Aid project teams on compiling documentation for SCA/ACT, SIA, and ATO prior to project implementation and support the recurring and ongoing security requirements
  • Work with Federal Agency ISSOs to monitor and track progress of remediations to security findings
  • Provide security guidance to project teams on solution implementation and assess CMS TRA or similar readiness and compliance
  • Work with developers to support secure coding practices, explain application-related security findings and how to avoid reproducing them, and make sure information security risks are managed throughout all the phases of the SDLC
  • Use automated tools to perform static source code and dynamic security testing to identify vulnerabilities and attack vectors in web applications
  • Provide support for contract-supported programs, organizations, systems, or enclaves' information assurance program.
  • Provide support for proposing, coordinating, implementing, and enforcing information systems security policies, standards, and methodologies
  • Maintain operational security posture for information systems or programs to ensure information systems security policies, standards, and procedures are established and followed
  • Assist with the management of security aspects of the information system and perform day-to-day security operations of the system
  • Evaluate security solutions to ensure they meet security requirements for processing classified information
  • Perform vulnerability/risk assessment analyses as needed to support certification and accreditation of contract-supported federally owned IT systems
  • Provide configuration management (CM) for information system security software, hardware, and firmware
  • Manage changes to the system and assess the security impact of those changes
  • Prepare and review documentation to include Systems Security Plans (SSPs), Risk Assessment Reports, Certification and Accreditation (C&A) packages, and System Requirements Traceability Matrices (SRTMs) for contract-supported federally owned IT systems
  • Support security authorization activities in compliance with U.S. Department of Health & Human Services (HHS) requirements for the Centers for Medicare & Medicaid Services (CMS) and the Food and Drug Administration (FDA)
  • Complete a Security Impact Analysis as part of each sprint within an agile development organization
  • Support, implement, maintain, and monitor security and privacy controls in compliance with FISMA, HIPAA, FedRAMP, and NIST RMF requirements and guidance; Knowledge of CMMC requirements is a plus
  • Plan, document, implement, assess, maintain, and monitor security and privacy controls in accordance with requirements, policies, standards, processes, and procedures documented in the CMS BPSSM, ARS 3.1, TRA, and RMH
  • Independently develop a variety of security authorization package-related deliverables including System Security Plans, Information Security Risk Assessments, Privacy Impact Assessments, Contingency Plans, Incident Response Plans, and other security and privacy plans, processes, and procedures
  • Support audits, assessments, and penetration test-related documentation requests and vulnerability remediation efforts
  • Document and maintain a Plan of Action and Milestones (POA&M) for weaknesses identified in security tests and/or audits
  • Recommend best business practices and apply expertise in federal agency security guidelines to system architecture solutions
  • Perform periodic internal audits, vulnerability assessments, and web application security testing
  • Maintain current knowledge of relevant security and privacy trends and technology

Qualifications

  • U.S. citizen or authorized to work in the U.S., and resident in the U.S. for 3 of the last 5 years. Must be able to obtain a U.S. federal government client badge and pass a government Public Trust background investigation.
  • Bachelor's degree and 15 years of overall security-related work experience
  • 3–5 years supporting security initiatives at HHS or other government agencies (CMS preferred) or related experience in security compliance using NIST Risk Management Framework.
  • 5 years of experience in at least one of the following areas: knowledge of current security tools, hardware/software security implementation, communication protocols, and/or encryption techniques/tools
  • CISSP certification required
  • Hands-on experience with implementing, documenting, maintaining, and monitoring NIST, HIPAA, and FedRAMP control requirements
  • Hands-on experience leading project teams through Security Controls Assessment/Adaptive Capabilities Testing (SCA/ACT), Security Impact Assessments (SIA), TRB gate reviews, and CMS ATO packaging on contracts at CMS or other agencies
  • Working knowledge of DevSecOps principles (such as CI/CD, test automation etc.), process automation and tools
  • Experience evaluating DevSecOps tools such as AWS CI/CD, NewRelic, Splunk, Git, CloudBees Jenkins, Docker/OpenShift, SonarQube/Fortify/Nessus, LaunchDarkly, etc., for security risk and compliance
  • Knowledge of CMS Acceptable Risk Safeguards (ARS), FISMA compliance (and CFACTS), FedRAMP and NIST security guidance and publications, HIPAA, and related privacy and compliance regulations
  • Hands-on experience with implementing, documenting, maintaining, and monitoring CMS Acceptable Risk Safeguards control requirements
  • Experience in implementing and enforcing policies, procedures, and guidelines in a complex environment
  • Experience assisting with the implementation of an automated CI/CD DevSecOps pipeline
  • Experience driving ATOs including the privacy controls specified in NIST SP 800-53 rev 5
  • Experience in the development, implementation, and operation of IT Security Strategy within cloud environments
  • Knowledge and experience with security best practices and relevant legislation
  • Experience with IT security management, access policy and management, authentication and SSO, authorization, audit, secure communications and network protection, data protection and privacy, and security administration
  • Understanding of and ability to communicate security and risk implications to technical and non-technical audiences
  • Experience working as part of an agile scrum team, assisting with security-related tasks and deliverables associated with bi-weekly sprints
  • Experience using vulnerability scanners such as Nessus
  • Experience running static analysis/static application security testing tools such as SonarQube, Fortify or Veracode
  • Experience running dynamic application security testing tools such as WebInspect, AppScan, Qualys, Burp Suite Pro or OWASP ZAP
  • Experience with GRC tools, such as CSAM, CFACTS, TAF, or Xacta
  • Proficient in Microsoft Office (Word, Excel, PowerPoint, etc.), Project and Visio
  • Experience securing cloud environments such as AWS and Azure
  • Excellent interpersonal, verbal, and written communication, and organizational skills
  • Ability to communicate fluently in English both verbally and in writing
  • Extremely factual and data-oriented
  • Able to meet deadlines with success
  • Strong persuasion, facilitation and influencing skills
  • Self-driven.
  • Strong analytical, organizational, and project management skills
  • Demonstrated ability to lead and work with cross-functional teams including senior level individuals
  • Ability to thrive in a fast-paced, rapidly evolving environment with varying priorities, based on a team-building culture.

The salary range provided represents the estimated compensation for new hires in this position, applicable across all locations. Actual offers may vary based on factors such as the candidate's skills, qualifications, experience, and market conditions. Index complements its base salary offering with a competitive package that includes health and retirement benefits, discretionary bonuses, and reimbursement for professional development opportunities.

Index Analytics provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.


Attention Candidates

We're dedicated to ensuring a safe and transparent recruitment process for all candidates and have implemented robust measures to protect your personal information. Please be aware that all employment-related communications will originate from a secure portal (NAME@msg.paycomonline.com) or a corporate email address (NAME@index-analytics.com). If you have any concerns, please don't hesitate to reach out to us at recruiting@index-analytics.com