Description

The Medicare Shared Savings Program is an important innovation for moving the Centers for Medicare & Medicaid Services' (CMS') payment system away from volume and toward value and outcomes. It is an alternative payment model that: Promotes accountability for a patient population, coordinates items and services for Medicare FFS beneficiaries, and encourages investment in high quality and efficient services. The MSSPSS project provides cyber security support to this program.

Responsibilities:

• Provide cybersecurity consultancy support to Federal agencies, performing security program analysis, identifying opportunities for program improvement to reduce risk and increase compliance
• Develop processes, procedures, templates, and training to support efforts aligned with the NIST Risk Management Framework (RMF)
• Provide documentation analysis and guidance for system security artifacts (e.g., Privacy Impact Assessment [PIA], Security Impact Analysis [SIA], System Security Plan [SSP], Contingency Plan [CP], Plans of Actions and Milestones [POA&M], and Authority to Operate [ATO] packages)
• Support oversight of systems’ Security Assessment and Authorization (SA&A) activities, including maintaining systems’ security inventory and related artifacts in the agency’s Governance Risk and Compliance (GRC) tool
• Responsible for working with the Program Director to ensure all security assessments, updates, recommendations, and implementations are completed as planned
• Document and delivers status reports, meeting agendas/minutes, presentations, IT security metrics, etc.
• Oversee, evaluate, and support the documentation, validation, and accreditation processes necessary to assure that systems meet the organization’s security requirements
• Ensure appropriate treatment of risk, compliance, and assurance from internal and external perspectives
• Provide security advice and recommendations to leadership and staff based on NIST and Federal Information Processing Standard (FIPS) guidelines as well as CMS and HHS policy and other approved guidance
• Analyze system security assessment reports and develop estimates of the security risks associated with deployment of new technologies and newly discovered threats
• Coordinate with the Data Guardian, Senior Information Security Officer (SISO), Business Owner, and Cyber Risk Advisor (CRA) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the information security and privacy impacts, and manage information security and privacy risk
• Report compliance on secure protocol use in websites periodically as defined within the CMS ARS
• Submit recommendations to the CRA for system configuration deviations from the required security baseline
• Coordinate with the CIO, Chief Information Security Officer (CISO), Senior Official for Privacy, SISO, Data Guardian, and website or system Owner/Administrator to ensure compliance with control family requirements on website or system usage, web measurement and customization technologies, and third-party websites and applications
• Coordinate with the System Developers and Maintainers in identifying the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems
• Document the controls in the information security and privacy plan (or equivalent document) to ensure implemented controls meet or exceed the minimal controls defined by CISO guidance
• Coordinate with the Data Guardian, SISO, Business Owner, and CRA to meet all collection, creation, use, dissemination, retention, and maintenance requirements for Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) in accordance with the Privacy Act, E-Government Act, and all applicable guidance
• Maintain current system information (e.g., points of contact [POC], and artifacts) in the CMS FISMA Controls Tracking System (CFACTS) to support organizational requirements, Information System Security and Privacy Policy (IS2P2), and prescribed processes (e.g., communication, contingency planning, training, and data calls)
• Coordinate with the Business Owner, SISO, and CISO to ensure that all requirements specified by the CMS ARS and the Risk Management Handbook (RMH) are implemented and enforced for applicable information and information systems
• Ensure that anomalies identified under the CMS Continuous Diagnostics and Mitigation (CDM) program and Information Security and Privacy Continuous Monitoring (ISCM) activities are addressed and remediated in a manner commensurate with the risks the anomalies pose to the system
• Evaluate the impact of network and system changes using RMH processes
• Develop and review security and privacy artifacts and required activities through all phases of the Target Life Cycle (TLC) in accordance with the CMS IS2P2 for ISSOs
• Provide the status of Exchange system security posture regarding the remediation of security and privacy findings and the progress of Authority to Operate (ATO) tasks

Qualifications

Requirements:

• At least one professional security certification (e.g., CISSP, CISA, CAP, GSEC) (Required)
• At least 4 years of experience in information security, with a concentration in RMF support
• Knowledgeable in FISMA, NIST RMF, NIST SP 800 Series, and industry leading Software Assurance, Vulnerability Analysis, and GRC tools
• Must have experience in supporting the CMS in an ISSO type role or other security support (Highly preferred)
• Effective verbal and written communication skills. Should be able to adapt communication style to suit different audiences (e.g., technical/non-technical)
• Extensive experience in analyzing and implementing security requirements at all levels
• Strong Research and problem solving skills
• Proficient in Word, Excel, Visio and other MS office apps
• Planning and organizational skills
• Ability to effectively document and communicate technical concepts and requirements to both nontechnical
  and technical audiences
• Prioritize effectively
• Ability to self-educate on unfamiliar and emerging technology
• Ability to work independently and collaboratively, balancing multiple projects and priorities
• Able to operate as a highly independent worker and as part of a strong
  team/collaborative approach
• Detail-oriented, able to accurately document information security-related data and deliver high
  quality work products, free of inaccurate data or grammar mistakes
• Flexible with regards to schedule, as it may be required to work evening/weekend hours to address
  incidents or meet deliverable dates

EEO Employer:

RELI Group is an Equal Employment Opportunity / Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, national origin, ancestry, citizenship status, military status, protected veteran status, religion, creed, physical or mental disability, medical condition, marital status, sex, sexual orientation, gender, gender identity or expression, age, genetic information, or any other basis protected by law, ordinance, or regulation.

HUBZone:

RELI Group is an established SBA certified HUBZone and 8(a) small business. We encourage all candidates who live in a HUBZone to apply. You can check to see if your address is located in a HUBZone by accessing the SBA HUBZone Map.

The annual salary range for this position is $130,000 to $142,000.00. Actual compensation will depend on a range of factors, including but not limited to the individual’s skills, experience, qualifications, certifications, location, other business and organizational needs, and applicable employment laws. The estimate displayed represents the typical salary range for this position and is just one component of the total compensation package for employees. RELI Group provides a variety of additional benefits to its employees. For additional details on the benefits that RELI Group offers click here.