IT Security Governance Officer
Commence · Virginia Beach, VA · 2 wk ago
EngineeringFull-time
Requirements
- Learn, document, and implement Federal and CMS information security controls in compliance with CMS IS2P2, FISMA, FedRAMP, HIPAA, and all applicable CMS security policies and procedures.
- Disseminate and implement IT policy that aligns with CMS requirements; provide interpretation of current policies in response to inquiries or specific incidents.
- Oversee the Security Assessment and Authorization (SA&A) process, including development and maintenance of the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and related ATO documentation.
- Ensure all contractor personnel complete required CMS Information Security Awareness, Privacy, and Records Management training annually; maintain training records per CMS procedures.
- Manage compliance with CMS encryption standards, FIPS 140 requirements, asset inventory, configuration management, vulnerability scanning, and patch remediation timelines per CMS policy.
- Serve as primary liaison to CMS on all information security and privacy matters; respond to security incidents within required timeframes and coordinate with the CMS Incident Response Team (IRT) as directed.
- Oversee Data Use Agreement (DUA) processes and ensure compliance with CMS data access policies through the Enterprise Privacy Policy Engine (EPPE) system.
- Maintain a complete and current inventory of all IT assets and ensure devices meet CMS and HHS-specific encryption and configuration standards.
- Support CMS audits, security assessments, and annual performance reviews; allow government access to facilities, systems, and personnel as required.
Qualifications
- Minimum 5 years of combined work experience, with at least 3 of those years in the healthcare industry supporting either Federal Government agencies or commercial healthcare market in a role such as CIO, Information Technology Manager, Chief Technology Officer, or Network Administrator.
- Knowledge of the Medicare Fee-for-Service (FFS) program and familiarity with CMS information security requirements, including FISMA, FedRAMP, HIPAA, CMS IS2P2, and the CMS Business Partner System Security Manual (BPSSM).
- Bachelor's degree in Information Systems, Computer Science, or other related technology field required. Relevant work experience in a related field may be considered in lieu of a bachelor's degree.
Preferred Qualifications
- Prior IT security governance or CIO-equivalent leadership experience on a CMS contract with demonstrated knowledge of CMS Security Assessment and Authorization (SA&A) processes.
- Relevant certification such as CISSP, CISM, CISA, or equivalent information security credential.
- Experience managing FedRAMP authorization packages and working with third-party assessment organizations (3PAOs) for moderate-impact federal systems.
- Familiarity with CMS esMD, RACDW, IDR, and other CMS-designated data systems used in Medicare medical review operations.