
Systems Security Specialist

Roles & Responsibilities

  • Minimum 5 years of combined work experience, with at least 3 years in healthcare supporting Federal Government agencies or commercial healthcare.
  • Bachelor’s degree in Information Systems, Computer Science, or related technology field required.
  • Knowledge of the Medicare program and familiarity with CMS information security requirements including FISMA, FedRAMP, HIPAA.

Requirements:

  • Manage the Medicare information security program and ensure implementation of necessary safeguards.
  • Respond to security breaches and provide security system updates to CMS.
  • Conduct or coordinate vulnerability scanning, configuration management, and patch remediation activities.
  • Coordinate with the CMS Incident Response Team on all information security incidents and breaches.

Job description

Job Type
Full-time
Description

At Commence, we’re the start of a new age of data-centric transformation, elevating health outcomes and powering better, more efficient process to program and patient health. We combine quality data-driven solutions that fuel answers, technology that advances performance, and clinical expertise that builds trust to create a more efficient path to quality care.


With human-centered, healthcare-relevant, and value-based solutions, we create new possibilities with data. We provide proof beyond the concept and performance beyond the scope with a focus on efficiencies that transform the lives of those we serve. With a culture driven by purpose, straightforward communication and clinical domain expertise, Commence cuts straight to better care.

Requirements

The Systems Security Officer (SSO) manages the Medicare information security program and ensures implementation of necessary safeguards. The SSO assists the CIO in fulfilling compliance with CMS information security requirements and operates independently of IT operations. This position requires deep familiarity with federal information security frameworks, healthcare privacy requirements, and CMS-specific security standards.


Requirements

  • Comply with CMS system security policies, procedures, and practices as outlined in CMS IS2P2, IOM Pub. 100-17, and the CMS Business Partner System Security Manual (BPSSM).
  • Respond to security breaches and provide CMS with security system updates; report any identified security vulnerabilities and risks in accordance with CMS incident response requirements (within 1 hour of discovery).
  • Designate appropriate levels of security clearance to employees; manage personnel security responsibilities including onboarding documentation and off-boarding procedures per CMS requirements.
  • Conduct or coordinate vulnerability scanning, configuration management, and patch remediation activities in accordance with CMS timelines (critical: 15 days; high: 30 days; medium: 90 days; low: 365 days).
  • Maintain and update the POA&M in CFACTS at least quarterly; support Security Assessment and Authorization (SA&A) activities including SSP, SAR, contingency plan, and ATO maintenance.
  • Ensure all staff complete required CMS training annually; maintain signed Rules of Behavior (ROB) for all employees per CMS policy.
  • Coordinate with the CMS Incident Response Team (IRT) on all information security incidents and breaches; implement incident response and breach notification procedures in accordance with CMS, OMB M-17-12, and US-CERT requirements.
  • Operate independently of IT operations; the SSO cannot hold responsibility for the operation, maintenance, or development of IT systems.
  • Earn a minimum of 40 hours of continuing professional education credits annually from a recognized national information systems security organization; CSCOUT sessions may count toward this requirement.

Qualifications

  • Minimum 5 years of combined work experience, with at least 3 of those years in the healthcare industry supporting either Federal Government agencies or commercial healthcare market in a role such as SSO, Information Technology Specialist, Security Engineer, Information Security Analyst, or Information Systems Technician.
  • Knowledge of the Medicare program and demonstrated familiarity with CMS information security requirements including FISMA, FedRAMP, HIPAA, CMS IS2P2, and IOM Pub. 100-17 (CMS BPSSM).
  • Bachelor’s degree in Information Systems, Computer Science, or other related technology field required. Relevant work experience in a related field may be considered in lieu of a bachelor’s degree.
  • This position is fully dedicated to the contract, operates independently of IT operations, and may not hold responsibility for the operation, maintenance, or development of IT systems.

Preferred Qualifications

  • Prior SSO or Information Security Officer experience on a CMS contract with demonstrated knowledge of CMS SA&A processes and CFACTS.
  • Active information security certification such as CISSP, CISM, CISA, Security+, or equivalent recognized by a national information systems security organization.
  • Experience conducting or supporting SCAP-compliant vulnerability scanning, POA&M management in CFACTS, and annual security assessments/penetration testing for federal contractor systems at the FIPS 199 Moderate impact level.
  • Familiarity with CMS esMD, RACDW, and other CMS-designated systems used in Medicare medical review operations; experience managing data protection for PHI/PII under HIPAA and CMS DUA requirements.

  

*Commence's headquarters are in Virginia Beach, VA; however, we are open to remote candidates in the following states: AZ, AR, DE, FL, GA, IL, IN, KS, KY, MA, MD, MI, MS, MO, MT, NC, NE, NV, NY, OH, OK, PA, SC, TN, TX, VA, DC, WI, and WV.*


Work Environment/Physical Demands

The work environment and physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.


This is a remote position. Candidates must be able to sit, read, work on a computer, and watch a computer screen for extended periods of time. Occasionally required to stand, walk, use hands and fingers, kneel or crouch.


Commence is an equal employment opportunity employer. All personnel processes are merit-based and applied without discrimination on the basis of race, color, religion, sex, sexual orientation, gender identity, marital status, age, disability, national or ethnic origin, military and veteran status or any other characteristic protected by applicable law.


Commence.AI is committed to providing equal employment opportunities to all applicants, including individuals with disabilities. If you require reasonable accommodation to participate in the application process due to a disability, please contact Human Resources at (757) 306-4920 or hr@commence.ai. Please note that unless you are requesting an accommodation, all applications must be submitted through our online application system.
