🛠 Tech Stack

💼 About This Role

You'll serve as the ISSO for two CMS teams (QMARS and HQR), implementing a value-based security approach. You'll work proactively with development teams to identify risks and embed security early in the process. This role focuses on security analysis and creating countermeasures for potential threats.

🎯 What You'll Do

• Perform Security Impact Analyses (SIA) on system changes for HQR and QMARS.
• Manage CFACTS governance as the source of truth for security posture.
• Lead audit season efforts by gathering evidence and documenting controls.
• Advise developers on CMS security standards during sprint ceremonies.
• Track security weaknesses through POA&M lifecycle within 30/60/90-day windows.

📋 Requirements

• At least 4 years experience establishing security controls as outlined.
• Experience with two or more: web development, Unix/Linux, distributed systems, or ML.
• Direct hands-on experience with CFACTS (CMS systems).
• Proven ability to author SIAs, SSPs, and PIAs under NIST 800-53 Rev 5 and CMS ARS 5.0.

✨ Nice to Have

• Experience with infrastructure scripting languages like Terraform or Ansible.
• Experience implementing cloud-based solutions (AWS-native services).
• Experience with Tenable/Nessus or WebInspect vulnerability scanning.

🎁 Benefits & Perks

• 🏠 Remote First, Remote Only Culture
• 🗓️ Four weeks paid time off yearly plus 10 paid floating holidays
• 💻 Work from home setup including a Macbook
• 🏥 Medical, dental, and company-paid vision insurance
• 💰 401K plan with 3% safe harbor contribution

🚩 Heads Up

• US Citizenship or Green Card required with 3-year residency and no medical marijuana use.
• Requires CFACTS experience specific to CMS, which may be highly niche.