Sr Security Specialist II Job at Reli Group
Responsibilities:
- Provide cybersecurity consultancy support to Federal agencies, performing security program analysis, identifying opportunities for program improvement to reduce risk and increase compliance
- Develop processes, procedures, templates, and training to support efforts aligned with the NIST Risk Management Framework (RMF)
- Provide documentation analysis and guidance for system security artifacts (e.g., Privacy Impact Assessment [PIA], Security Impact Analysis [SIA], System Security Plan [SSP], Contingency Plan [CP], Plans of Actions and Milestones [POA&M], and Authority to Operate [ATO] packages)
- Support oversight of systems’ Security Assessment and Authorization (SA&A) activities, including maintaining systems’ security inventory and related artifacts in the agency’s Governance Risk and Compliance (GRC) tool
- Responsible for working with the Program Director to ensure all security assessments, updates, recommendations, and implementations are completed as planned
- Document and deliver status reports, meeting agendas/minutes, presentations, IT security metrics, etc.
- Oversee, evaluate, and support the documentation, validation, and accreditation processes necessary to assure that systems meet the organization’s security requirements
- Ensure appropriate treatment of risk, compliance, and assurance from internal and external perspectives
- Provide security advice and recommendations to leadership and staff based on NIST and Federal Information Processing Standard (FIPS) guidelines as well as CMS and HHS policy and other approved guidance
- Analyze system security assessment reports and develop estimates of the security risks associated with deployment of new technologies and newly discovered threats
- Coordinate with the Data Guardian, Senior Information Security Officer (SISO), Business Owner, and Cyber Risk Advisor (CRA) to identify the types of information processed, assign the appropriate security categorizations to the information systems, determine the information security and privacy impacts, and manage information security and privacy risk
- Report compliance on secure protocol use in websites periodically as defined within the CMS ARS
- Submit recommendations to the CRA for system configuration deviations from the required security baseline
- Coordinate with the CIO, Chief Information Security Officer (CISO), Senior Official for Privacy, SISO, Data Guardian, and website or system Owner/Administrator to ensure compliance with control family requirements on website or system usage, web measurement and customization technologies, and third-party websites and applications
- Coordinate with the System Developers and Maintainers in identifying the information security and privacy controls provided by the applicable infrastructure that are common controls for information systems
- Document the controls in the information security and privacy plan (or equivalent document) to ensure implemented controls meet or exceed the minimal controls defined by CISO guidance
- Coordinate with the Data Guardian, SISO, Business Owner, and CRA to meet all collection, creation, use, dissemination, retention, and maintenance requirements for Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) in accordance with the Privacy Act, E-Government Act, and all applicable guidance
- Maintain current system information (e.g., points of contact [POC], and artifacts) in the CMS FISMA Controls Tracking System (CFACTS) to support organizational requirements, Information System Security and Privacy Policy (IS2P2), and prescribed processes (e.g., communication, contingency planning, training, and data calls)
- Coordinate with the Business Owner, SISO, and CISO to ensure that all requirements specified by the CMS ARS and the Risk Management Handbook (RMH) are implemented and enforced for applicable information and information systems
- Ensure that anomalies identified under the CMS Continuous Diagnostics and Mitigation (CDM) program and Information Security and Privacy Continuous Monitoring (ISCM) activities are addressed and remediated in a manner commensurate with the risks the anomalies pose to the system
- Evaluate the impact of network and system changes using RMH processes
- Develop and review security and privacy artifacts and required activities through all phases of the Target Life Cycle (TLC) in accordance with the CMS IS2P2 for ISSOs
- Provide the status of Exchange system security posture regarding the remediation of security and privacy findings and the progress of Authority to Operate (ATO) tasks
Qualifications:
- At least one professional security certification (e.g., CISSP, CISA, CAP, GSEC)
- At least 4 years of experience in information security, with a concentration in RMF support
- Knowledgeable in FISMA, the NIST RMF, the NIST SP 800 series, and industry-leading Software Assurance, Vulnerability Analysis, and GRC tools
- Effective verbal and written communication skills. Should be able to adapt communication style to suit different audiences (e.g., technical/non-technical)
- Extensive experience in analyzing and implementing security requirements at all levels
- Highly detail-focused
- Excellent organization skills
EEO Employer:
RELI Group is an Equal Employment Opportunity / Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, national origin, ancestry, citizenship status, military status, protected veteran status, religion, creed, physical or mental disability, medical condition, marital status, sex, sexual orientation, gender, gender identity or expression, age, genetic information, or any other basis protected by law, ordinance, or regulation.
HUBZone:
RELI Group is an established SBA certified HUBZone and 8(a) small business. We encourage all candidates who live in a HUBZone to apply. You can check to see if your address is located in a HUBZone by accessing the SBA HUBZone Map.