Systems Security Officer

 

Description:

The Systems Security Officer (SSO) manages the Medicare information security program and ensures implementation of necessary safeguards. The SSO assists the CIO in fulfilling compliance with CMS information security requirements and operates independently of IT operations. This position requires deep familiarity with federal information security frameworks, healthcare privacy requirements, and CMS-specific security standards.

Requirements
 

  • Comply with CMS system security policies, procedures, and practices as outlined in CMS IS2P2, IOM Pub. 100-17, and the CMS Business Partner System Security Manual (BPSSM).
  • Respond to security breaches and provide CMS with security system updates; report any identified security vulnerabilities and risks in accordance with CMS incident response requirements (within 1 hour of discovery).
  • Designate appropriate levels of security clearance to employees; manage personnel security responsibilities including onboarding documentation and off-boarding procedures per CMS requirements.
  • Conduct or coordinate vulnerability scanning, configuration management, and patch remediation activities in accordance with CMS timelines (critical: 15 days; high: 30 days; medium: 90 days; low: 365 days).
  • Maintain and update the POA&M in CFACTS at least quarterly; support Security Assessment and Authorization (SA&A) activities including SSP, SAR, contingency plan, and ATO maintenance.
  • Ensure all staff complete required CMS training annually; maintain signed Rules of Behavior (ROB) for all employees per CMS policy.
  • Coordinate with the CMS Incident Response Team (IRT) on all information security incidents and breaches; implement incident response and breach notification procedures in accordance with CMS, OMB M-17-12, and US-CERT requirements.
  • Operate independently of IT operations; the SSO cannot hold responsibility for the operation, maintenance, or development of IT systems.
  • Earn a minimum of 40 hours of continuing professional education credits annually from a recognized national information systems security organization; CSCOUT sessions may count toward this requirement.
     

Qualifications
 

  • Minimum 5 years of combined work experience, with at least 3 of those years in the healthcare industry supporting either Federal Government agencies or commercial healthcare market in a role such as SSO, Information Technology Specialist, Security Engineer, Information Security Analyst, or Information Systems Technician.
  • Knowledge of the Medicare program and demonstrated familiarity with CMS information security requirements including FISMA, FedRAMP, HIPAA, CMS IS2P2, and IOM Pub. 100-17 (CMS BPSSM).
  • Bachelor’s degree in Information Systems, Computer Science, or other related technology field required. Relevant work experience in a related field may be considered in lieu of a bachelor’s degree.
  • This position is fully dedicated to the contract, operates independently of IT operations, and may not hold responsibility for the operation, maintenance, or development of IT systems.
  • Preferred Qualifications
  • Prior SSO or Information Security Officer experience on a CMS contract with demonstrated knowledge of CMS SA&A processes and CFACTS.
  • Active information security certification such as CISSP, CISM, CISA, Security+, or equivalent recognized by a national information systems security organization.
  • Experience conducting or supporting SCAP-compliant vulnerability scanning, POA&M management in CFACTS, and annual security assessments/penetration testing for federal contractor systems at the FIPS 199 Moderate impact level.
  • Familiarity with CMS esMD, RACDW, and other CMS-designated systems used in Medicare medical review operations; experience managing data protection for PHI/PII under HIPAA and CMS DUA requirements.

Organization Commence
Industry IT / Telecom / Software Jobs
Occupational Category Systems Security Officer
Job Location Virginia Beach,USA
Shift Type Morning
Job Type Full Time
Gender No Preference
Career Level Experienced Professional
Experience 5 Years
Posted at 2026-07-15 5:51 pm
Expires on 2026-08-29