Information Systems Security Officer I

💰 $111k-$134k

Job Description

Bellese is a mission-driven Digital Services Company committed to pioneering innovative technology solutions in civic healthcare. Our dedication lies in making a meaningful impact on public health outcomes.

Driven by service design, we strive to know the “Why” to understand the healthcare journey for patients, caregivers, providers, payers, and policymakers. Our goal is to design and build solutions that reduce confusion, provide clarity, support decision making, and streamline the process so that we and our partners can focus on providing better health outcomes by improving patient care and reducing costs and burden.

The Team you will be joining:

You will be the ISSO for two teams, QMARS and HQR.

QMARS

Our team is charged with maintaining and improving the software at the Centers for Medicare and Medicaid Services (CMS) that supports the Quality Management and Review Systems (QMARS) program. The QMARS online case management system supports the CMS Beneficiary and Family-Centered Care (BFCC) Quality Improvement Organization (QIO) program. The QIO program is one of the largest federal programs dedicated to improving healthcare quality for Medicare beneficiaries across the country. Our teams will continuously strive to modernize these systems while improving them in ways that reduce provider burden and minimize costs to CMS. We do this through HCD and service design practices, product thinking, and skilled engineering. At Bellese, we’re relentlessly focused on enabling and empowering providers to focus on improving the quality and safety of patient care.

HQR

Our team is charged with maintaining and improving the software at the Centers for Medicare and Medicaid Services (CMS) that supports the Hospital Quality Reporting program. Thousands of hospitals across the country depend on these systems to submit quality measure data that reflects the care beneficiaries receive in their facility. Our teams will continuously strive to modernize these systems, while improving them in ways that reduce provider burden and minimize costs to CMS. We do this through HCD and service design practices, product thinking, and skilled engineering. At Bellese, we’re relentlessly focused on enabling and empowering providers to focus on improving the quality and safety of patient care.

The Information Systems Security Officer (ISSO) is responsible for implementing a value-based approach to security, versus the traditional focus on audits and compliance. The ISSO will work with infrastructure and feature development teams to introduce security early and throughout development processes, taking a proactive and active security analysis approach to identify potential risks and threats, and creating tests and countermeasures in procedures, code, and infrastructure to respond to potential threats.

Security Clearance Requirements

  • US Citizenship or documented proof of eligibility to work in the US without Sponsorship
  • US Residency for at least the past 3 years
  • Able to meet the requirements to hold a position of Public Trust, including successful completion of a US Government background investigation
  • Disclaimer: Medical or recreational marijuana use is considered illegal at the federal level, regardless of state laws allowing such, and may affect your ability to obtain Public Trust.

Work that matters, with perks that deliver. Discover how Bellese Technologies invests in you through a benefits suite that makes every day better

  • Remote First, Remote Only Culture
  • Four weeks paid time off yearly (prorated based on start date for the first year)
  • 10 paid floating company holidays
  • Flexible schedule
  • Work from home setup including a Macbook
  • Collaborative, learning environment
  • Medical, dental, and company-paid vision insurance
  • Optional HSA account with some medical plans and a company contribution
  • Company paid basic life and AD&D insurance coverages
  • Company paid short and long term life insurance
  • Optional critical illness and accident insurance
  • 401K plan with 3% safe harbor contribution
  • Wellness resources and virtual care
  • Perks Plus employee discounts

You will like it here if

  • You foster a collaborative ethos, driven by the mission to deliver exceptional customer service to clients. You are passionate about Healthcare and changing the healthcare landscape. You’re an out of the box thinker, always striving to know the “why” when it comes to building solutions. You excel in a team-oriented, remote-first environment characterized by mutual respect and open communication. Your adaptability and ability to navigate challenges ensure your success in any situation.

What you will be doing:

  • (1) SIA Maintenance (Primary Focus): You will proactively identify system changes in HQR and QMARS and document them in a Security Impact Analysis (SIA) to ensure the ATO remains valid.
  • CFACTS Governance: You will serve as the “Source of Truth” for the system’s security posture in CFACTS, managing control implementation statements and evidence.
  • Audit Defense & Evidence Gathering: You will lead the “Audit Season” efforts, gathering screenshots, logs, and process documentation to prove to CMS auditors that controls are “Effective.”
  • Risk Advising: You will attend sprint ceremonies for HQR (50%) and QMARS (50%) to advise developers on CMS security standards before they build, preventing “security rework” later.
  • POA&M Life-cycle: You will track security weaknesses from discovery to remediation, ensuring the program meets CMS’s strict 30/60/90-day patching windows.
  • Policy Stewardship: You will ensure all program documentation (Contingency Plans, Incident Response Plans) is reviewed and signed off annually per FISMA requirements.

Technical Qualifications

  • At least 4 years of experience establishing security controls as outlined in the responsibilities section above.
  • Experience working with two or more of the following: web application development, Unix/Linux environments, distributed systems, machine learning, developing large-scale systems and API services, security software development
  • Experience with one or more infrastructure scripting languages: Terraform, CloudFormation, Ansible, Chef or Puppet, Kubernetes
  • Experience implementing two or more cloud-based solutions: global infrastructure, virtual clouds, virtual computing, serverless computing, load balancing and networking, data storage and data streaming, Hadoop, MapReduce, secured REST-based API endpoints, security
  • Direct, hands-on experience with CFACTS. (This experience is only available if you have worked with the Centers for Medicare & Medicaid Services (CMS).)
  • Proven ability to author Security Impact Analyses (SIA), System Security Plans (SSP), and Privacy Impact Assessments (PIA) specifically under NIST 800-53 Rev 5 and CMS ARS 5.0.
  • A&A Lifecycle: Experience taking a system through the Assessment & Authorization (A&A) process to achieve or maintain an ATO (Authority to Operate).
  • Vulnerability Management: Ability to interpret Tenable/Nessus or WebInspect scans to translate technical vulnerabilities into POA&Ms (Plan of Action and Milestones) that developers can understand.
  • Cloud-Native Compliance: Understanding of how to document security controls for AWS-native services

$111,800 - $134,200 a year

The salary range for ISSO-1 is $111,800-$134,200.

U.S. citizen or legal right to work in the United States without sponsorship

We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.
