Information Systems Security Officer (ISSO)
Nimbus Consulting LLC Columbia, MD

  • Vision , Medical , Dental , Paid Time Off , Life Insurance , Retirement
  • Full-Time
Job Description
Salary: $104,000 - $136,000 per year

About Nimbus:
Nimbus is a consulting firm and strategic information technology (IT) advisor with an objective approach to overcoming complex technical challenges and an understanding of unique challenges in working in the government space. Nimbus is focused on promoting efficient and cost-effective IT solutions for local, state, and federal governments that align with our core values, reduce risk, and result in a positive Return on Investment (ROI) for the constituents of our clients.


Position Description:
Nimbus is looking for an Information System Security Officer (ISSO) to augment our technical team at the Centers for Medicare and Medicaid Services (CMS). The candidate should be passionate about keeping up to date on the latest technologies, envisioning the potential benefits they can bring to CMS, and should be eager to keep learning and to put that knowledge into practice.
ISSOs are responsible for overseeing the security and privacy posture of the system(s) entrusted to their care, coordinating all information system risk management and information privacy activities, and acting as the Business Owner’s “go-to person” for security questions and needs.


The ISSO role at CMS is to be responsible for both technical and business evaluations for securing information and systems. The role requires the skills necessary to evaluate technical solutions from an information security perspective and to determine the business risks in order to justify decisions to both the Business Owner and the technical support staff.


The CMS Information Systems Security and Privacy Policy (IS2P2) and the HHS Information Systems Security and Privacy Policy (IS2P) contain the duties and responsibilities of the ISSO role (IS2P section 19, IS2P2 section 3.4.7).



Your duties and responsibilities include:

  • Maintaining an inventory of program critical assets and coordinating enterprise identification of each.
  • Determining the relative importance of each asset in the inventory and assessing risks to the most important.
  • Providing expert consultation and advice on the development and implementation of all security plans, including disaster recovery/contingency plans, risk analyses, certifications of application and operating system software, and certifications of contractor security provisions.
  • Providing support to the Government ISSO Team. CMS utilizes National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, NIST SP 800-35, and the security requirements of the CMS Information Security Acceptable Risk Safeguards (ARS) and CMS Minimum Security Requirements (CMSR), as well as the procedures and standards of the Risk Management Handbook (RMH).
  • CMS requires ISSO support to ensure ARS controls are appropriate to the system based on the FIPS 199 security categorization and assist the System Owner (SO), Information Owner/Business Owner (IO/BO), and CMS CISO in capturing all system weaknesses in the Plan of Action and Milestone (POA&M).
  • ISSO support may include scheduling/coordinating Security Control Assessments (SCA) and/or supporting the assessment and interview processes.
  • Develop Authority to Operate (ATO) packages and risk Acceptance documents and participate in the TRB representing a particular program from a security perspective. Maintain and/or update POA&M and be involved with incident handling procedures for PHI/PII and/or security breaches. Experience with Security in an Agile Development Life Cycle and Amazon Cloud Services (FEDRAMP) is beneficial. CISSP certification is beneficial but not required.
  • Gain a deep understanding of each system supported, including architecture, system components, data flow, interfaces, users, and stakeholders, and how it supports the customer’s mission.
  • Schedule/Coordinate Security Control Assessments (SCA).
  • Maintain a strong security and privacy posture for their assigned system(s).
  • Serve as principal advisor to the System Owner (SO), Business Owner (BO), and the Chief Information Security Officer (CISO) on all system security and privacy matters.
  • Complete the security categorization for the FISMA system using the CFACTS tool.
  • Complete and maintain the System Security and Privacy Plan using the CFACTS tool.
  • Develop, document, and maintain an inventory of hardware and software components within the FISMA system’s authorization boundary.
  • Coordinate the development of a Contingency Plan and ensure the plan is tested and maintained accordingly.
  • Coordinate with the Data Guardian, Senior Information Security Officer (SISO), Business Owner, and Cyber Risk Advisor (CRA) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the information security and privacy impacts, and manage information security and privacy risk.
  • Experience with Security in an Agile Development Life Cycle and Amazon Cloud Services (FEDRAMP) beneficial.
  • Maintain primary responsibility for the actions and activities associated with the FISMA system receiving and maintaining an Authority to Operate (ATO).
  • Report and manage IT Security and Privacy Incidents in accordance with the Risk Management Handbook (RMH) and other applicable federal guidance.
  • Support the security assessment, develop ATO packages and risk Acceptance documents, and participate in Technical Review Boards (TRB) representing a particular program from a security perspective.
  • Ensure appropriate treatment of risk, compliance, and assurance from internal and external perspectives.
  • Oversee, evaluate, and support the documentation, validation, and accreditation processes necessary to ensure that Exchange systems meet the organization’s security requirements.
  • Excellent written and verbal communication skills.


Experience

  • Work experience in computer security, or attendance and completion of a computer security training course with certification, or work experience in a computer-related field
  • Familiarity with the information systems of the component/office
  • Familiarity with networking protocols and operating systems, and an intermediate level of knowledge of security concepts with emphasis on data protection and integrity, is preferred
  • An understanding of or experience with incident response processes and their importance
  • Experience developing and applying system access controls


Education

This job requires a bachelor's degree and preferably a CISSP certification.


Benefits:

  • Great company with top-of-the-line benefits and the opportunity to work directly with CMS Sr. Technical Leaders
  • Best-in-class compensation packages and employee benefits, many of them fully funded by Nimbus
  • Nimbus offers three different HSA-compatible Healthcare Plans at Bronze, Silver, and Gold levels and contributes the majority of employees' and their families' premiums.
  • Fully funded Dental PPO and Vision Plans.
  • Employees can enroll in a 401(k) plan, and Nimbus contributes 3% of the employee’s salary to the plan.
  • Employees get paid holidays and generous Paid Time Off (PTO) from work for a variety of their needs.
  • Fully funded Short-term and Long-term disability coverage
  • Fully funded Term Life Insurance coverage
  • Employees are eligible for performance-based bonuses.
  • Tuition assistance for completion of degrees, diplomas, and certificate courses.
  • Variety of other fringe benefits.
  • Fully funded “Stay Fit” program that pays for gym memberships and fitness essentials.




Additional information

Nimbus is an equal opportunity employer. Selection for this position will be based solely on merit without regard to race, color, religion, age, gender, national origin, political affiliation, disability, sexual orientation, marital or family status, or other differences.

Security and Background Requirements: If not previously completed, a background security investigation will be required for all appointees. Appointment will be subject to the applicant's successful completion of a background security investigation and favorable adjudication. False representation may be grounds for non-consideration, non-selection, and/or appropriate disciplinary action.

E-Verify: Nimbus participates in the USCIS Electronic Employment Eligibility Verification Program (E-Verify). E-Verify helps employers determine new hires' employment eligibility and the validity of their social security numbers.
