About The Position

Peraton is seeking a highly skilled Information Privacy and Security Engineer to lead security engineering, governance, risk and compliance activities for a mission‑critical systems contract with the federal government. This role oversees day‑to-day operational security, ensures adherence to federal cybersecurity and privacy requirements, and drives continuous security improvement across O&M and system enhancement workstreams. The manager partners with program leadership and operations teams to maintain Authority to Operate (ATO), safeguard Protected Health Information (PHI), and deliver reliable, compliant services at scale.

Requirements

  • Minimum of 8 years with BS/BA in Computer Science, Information Security, or related field; Minimum of 6 years with MS/MA; Minimum of 3 years with PhD
  • Experience in cybersecurity across engineering, compliance, and operations.
  • 3+ years in security leadership/management on federal programs.
  • Proven experience with NIST SP 800‑53, RMF (NIST SP 800‑37), FIPS 199/200, HIPAA Security Rule, OMB A‑130, and CMS policy frameworks (e.g., CMS ARS).
  • Hands-on with SIEM/EDR, vulnerability management, cloud security architectures (AWS GovCloud/Azure Government), network segmentation, zero trust principles, and DevSecOps tooling.
  • Strong documentation skills (SSP, ISRA, SAR, POA&M, Contingency Plans, runbooks, playbooks) and audit engagement.
  • US Citizenship is required.
  • Must have the ability to obtain and maintain a Public Trust clearance.

Nice To Haves

  • Certifications: CISSP, CISM, CAP, CCSP, CASP+, Security+, or equivalent.
  • Cloud security certs (e.g., AWS Security Specialty, Azure Security Engineer Associate).
  • Experience with TIC 3.0, NIST SP 800‑63 (digital identity), NIST SP 800‑30 (risk assessment), configuration baselines (DISA STIGs/CIS), and FedRAMP-aligned controls.
  • Background in large-scale healthcare/Medicare environments and PHI/PII safeguarding.
  • Familiarity with continuous ATO, automated compliance (policy-as-code), and modern IaC pipelines.
  • Must be US Citizen or Lawful Permanent Resident
  • Must be able to obtain a Public Trust clearance
  • Problem-solving mindset with the ability to take initiative and work independently.
  • Comfortable in a fast-paced, iterative development environment.
  • Experience working with the federal government, particularly the Centers for Medicare & Medicaid Services (CMS).

Responsibilities

  • Own the security architecture and control implementation across application, infrastructure, and cloud layers, aligned with NIST SP 800‑53 control baselines, FIPS 199/200 categorization, and CMS security policies.
  • Drive vulnerability management (scan triage, remediation SLAs, patch governance) and configuration baselines (e.g., DISA STIGs, CIS Benchmarks, SCAP).
  • Lead end‑to-end Risk Management Framework (RMF) activities (NIST SP 800‑37), including security categorizations, control tailoring, System Security Plan (SSP), security assessment, POA&Ms, and continuous monitoring to sustain ATO.
  • Ensure compliance with HIPAA Security Rule (45 CFR §164) for PHI, CMS Acceptable Risk Safeguards (ARS), OMB Circular A‑130, and HHS policies.
  • Coordinate internal/external audits (IG, CMS, third-party assessors), evidence collection, and control testing; maintain impeccable documentation.
  • Lead incident response lifecycle for PHI/PII incident reporting: triage, containment, eradication, recovery, forensics coordination, root cause analysis, and required notifications/reporting.
  • Manage access control, identity, MFA, privileged access, security vulnerabilities and continuous monitoring dashboards; ensure reliable backup/restore and disaster recovery exercises.
  • Enforce data classification, encryption (in transit/at rest), key management, and tokenization aligned with CMS/HHS requirements.
  • Contribute to risk registers and monthly status reporting for program security status to present succinct updates to CMS stakeholders.
  • Translate complex security concepts into clear, actionable guidance for technical and non‑technical audiences.
  • Collaborate closely with Program Management, Engineering, QA, Operations, and CMS counterparts.
  • Contribute to security requirements for contract renewals and new contract bids.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Number of Employees

5,001-10,000 employees

© 2024 Teal Labs, Inc