United States onlyThe Team you will be joining:
You will be the ISSO for two Teams, QMARS & HQR
QMARS
Our team is charged with maintaining and improving the software at the Centers for Medicare and Medicaid Services (CMS) that supports the Quality Management and Review Systems (QMARS) program. QMARS online case management system supports the CMS Beneficiary and Family-Centered Care (BFCC) Quality Improvement Organization (QIO) program. The QIO program is one of the largest federal programs dedicated to improving healthcare quality for Medicare beneficiaries across the country. Our teams will continuously strive to modernize these systems while improving them in ways that reduce provider burden and minimize costs to CMS. We do this through HCD and Service design practices, product thinking, and skilled engineering. At Bellese, we’re relentlessly focused on enabling and empowering providers to focus on improving the quality and safety of patient care.
HQR
Our team is charged with maintaining and improving the software at the Centers for Medicare and Medicaid Services (CMS) that supports the Hospital Quality Reporting program. Thousands of hospitals across the country depend on these systems to submit quality measure data that reflects the care beneficiaries receive in their facility. Our teams will continuously strive to modernize these systems, while improving them in ways that reduce provider burden and minimize costs to CMS. We do this through HCD and Service design practices, product thinking, and skilled engineering. At Bellese, we’re relentlessly focused on enabling and empowering providers to focus on improving the quality and safety of patient care.
The Information Systems Security Officer (ISSO) is responsible for implementing a value-based approach to security, versus the traditional focus on audits and compliance. The ISSO will work with infrastructure and feature development teams to introduce security early and throughout development processes, taking a proactive and active security analysis approach to identify potential risks and threats, and creating tests and countermeasures in procedures, code, and infrastructure to respond to potential threats.Security Clearance Requirements
- US Citizenship or documented proof of eligibility to work in the US without Sponsorship
- US Residency for at least the past 3 years
- Able to meet the requirements to hold a position of Public Trust, including successful completion of a US Government background investigation
- Disclaimer: Medical or recreational marijuana use is considered illegal at the federal level, regardless of state laws allowing such, and may affect your ability to obtain Public Trust. See article
Work that matters, with perks that deliver. Discover how Bellese Technologies invests in you through a benefits suite that makes every day better
- Remote First, Remote Only Culture
- Four weeks paid time off yearly (prorated based on start date for the first year)
- 10 paid floatingcompany holidays
- Flexible schedule
- Work from home setup including a Macbook
- Collaborative, learning environment
- Medical, dental, and company-paid vision insurance
- Optional HSA account with some medical plans and a company contribution
- Company paid basic life and AD&D insurance coverages
- Company paid short and long term life insurance
- Optional critical illness and accident insurance
- 401K plan with 3% safe harbor contribution
- Wellness resources and virtual care
- Perks Plus employee discounts
You will like it here if
- You foster a collaborative ethos, driven by the mission to deliver exceptional customer service to clients. You are passionate about Healthcare and changing the healthcare landscape. You’re an out of the box thinker, always striving to know the “why” when it comes to building solutions. You excel in a team-oriented, remote-first environment characterized by mutual respect and open communication. Your adaptability and ability to navigate challenges ensure your success in any situation.
What you will be doing:
- (1) SIA Maintenance (Primary Focus): You will proactively identify system changes in HQR and QMARS and document them in a Security Impact Analysis (SIA) to ensure the ATO remains valid.
- CFACTS Governance: You will serve as the "Source of Truth" for the system's security posture in CFACTS, managing control implementation statements and evidence.
- Audit Defense & Evidence Gathering: You will lead the "Audit Season" efforts, gathering screenshots, logs, and process documentation to prove to CMS auditors that controls are "Effective."
- Risk Advising: You will attend sprint ceremonies for HQR (50%) and QMARS (50%) to advise developers on CMS security standards before they build, preventing "security rework" later.
- POA&M Life-cycle: You will track security weaknesses from discovery to remediation, ensuring the program meets CMS's strict 30/60/90-day patching windows.
- Policy Stewardship: You will ensure all program documentation (Contingency Plans, Incident Response Plans) is reviewed and signed off annually per FISMA requirements.
Technical Qualifications
- At least 4 years of experience establishing security controls as outlined in the responsibilities section above.
- Experience working with two or more from the following: web application development, unix/linux environments, distributed systems, machine learning, developing large scale systems and API services, security software development
- Experience with one or more infrastructure scripting languages: Terraform, CloudFormation, Ansible, Chef or Puppet, Kubernetes
- Experience implementing two or more cloud-based solutions: global infrastructure, virtual clouds, virtual computing, serverless computing, load balancing and networking, data storage and data streaming, hadoop, map reduce, secured REST-based API endpoints, security
- Direct, hands-on experience with CFACTS. (This experience is only available if you hve worked with CMS (Centers for medicare & medicaid)
- Proven ability to author Security Impact Analyses (SIA), System Security Plans (SSP), and Privacy Impact Assessments (PIA) specifically under NIST 800-53 Rev 5 and CMS ARS 5.0.
- A&A Lifecycle: Experience taking a system through the Assessment & Authorization (A&A) process to achieve or maintain an ATO (Authority to Operate).
- Vulnerability Management: Ability to interpret Tenable/Nessus or WebInspect scans to translate technical vulnerabilities into POA&Ms (Plan of Action and Milestones) that developers can understand.
- Cloud-Native Compliance: Understanding of how to document security controls for AWS-native services
