Role Description The Information Security Officer (ISO) will work closely with Project and Technical management to plan, design and implement Dynamic Application Security Testing (DAST) and/or Static Application Security Testing (SAST) security methodologies into the technical solution of a program within the Centers for Medicare and Medicaid Services (CMS). The ISO will be responsible for assuring all CMS security and privacy considerations and requirements are assessed, addressed and documented for the given application, designing the solution so that it passes the required Annual Security Assessment Testing (within CMS referred to ACT or Adaptive Capabilities Testing) and maintains the system Authority to Operate (ATO). - Promote a professional work ethic with the ability to meet commitments, scheduled timelines and take ownership of problems. - Lead, support and document all security incident response activities. - Perform annual security assessment audits (such as ACT, PenTest, etc.). - Perform Web Application Penetration and Continuous Diagnostic Monitoring (CDM) testing. - Mitigate and/or address the security specific vulnerabilities and document via Plan of Action and Milestones (POA&M). - Support ad hoc security requests from the customer and program management. - Conduct security impact assessments for new or existing architecture changes. Qualifications - 3+ years of experience with NIST and Federal security documentation. - Active CISSP or equivalent security related certification. - Capable of obtaining Level Five: Public Trust security clearance. - Proven experience with FISCAM and FedRAMP requirements. - Experience writing and maintaining security related documents, including the System Security Plan (SSP), Contingency Plan and Test (CP), Information System Risk Assessment (ISRA), Security Assessment Plan/Report (SAP/SAR) and the Privacy Impact Assessment (PIA). - Ability to resolve complex support issues by leveraging user forums, support forums, or opening support cases with vendors and following them to closure. Strong ability to find mitigation and alternative approaches. - Knowledge of current as well as emerging security threats. - Understanding of and experience with Agile Development and DevSecOps/DevOps. - Proven experience with Cloud Technologies (AWS). - Proven experience with Microsoft Office Tools (Outlook, Word, Excel, PowerPoint). Requirements - Working experience within CMS including with CMS Information Systems Security and Privacy Policy (IS2P2), NIST 800-53, NIST 800-63, CMS Acceptable Risk Safeguards (ARS), CMS Risk Management Handbook (RMH) and CMS Federal Information Security Management Act (FISMA) Controls Tracking System (CFACTS). - Proven experience with Security tools such as Burp, SonarQube, AWS Security Tools. - Proven experience with networking concepts, such as, DHCP, DNS, VLANs, Routing and VPNs. Benefits - The actual salary offer will carefully consider a wide range of factors, including your skills, qualifications, experience, and location. - C-HIT offers Healthcare Benefits, Remote Working Options, Paid Time Off, PTO cash-out, Training/Certification opportunities, Healthcare Savings Account & Flexible Savings Account, Paid Life Insurance, Short-term & Long-term Disability, 401K Match, Employee Assistance Program, Paid Holidays, and much more perks and Voluntary benefits! - Employees of C-HIT shall, as an enduring obligation throughout their term of employment, adhere to all information security requirements as documented in company policies and procedures. Company Description C-HIT, a CMMI Maturity Level 5 company, focuses on delivering information technology and professional services to Federal and State agencies. “C-HIT is an EOE, including disability and veterans.”