Posted: March 26, 2026 (0 days ago)

Director, Information Security and Privacy Group/Chief Information Security Officer

Centers for Medicare & Medicaid Services

Department of Health and Human Services

Location

Salary

$151,661 - $228,000

per year

Closes

April 9, 2026

Job Description

Summary

This job involves leading the information security and privacy efforts for a major U.S. government health agency, ensuring that sensitive data and systems are protected from threats while following strict federal rules.

The role requires overseeing teams, making high-level decisions on risks, and integrating security into all technology projects.

It's ideal for a seasoned leader with deep experience in cybersecurity for large organizations, especially in healthcare, who is passionate about public service and government efficiency.

Key Requirements

  • Executive-level experience leading enterprise cybersecurity and risk management in a large, complex, regulated organization
  • Proven track record implementing and overseeing compliance with federal laws like FISMA, OMB policies, and NIST frameworks
  • Expertise in directing risk management, system authorization, continuous monitoring, and providing strategic cybersecurity advice to senior leaders
  • Experience designing and governing security and privacy controls for high-impact systems, including zero trust and identity-centered initiatives
  • Knowledge of integrating security into system development lifecycles, cloud environments, and HIPAA-covered entities
  • Familiarity with enforcing privacy laws such as the Privacy Act, E-Government Act, and HIPAA, plus leading incident response programs
  • Demonstrated executive core qualifications, including commitment to the U.S. Constitution, rule of law, and efficient resource management

Full Job Description

This position is located in the Office of Information Technology (OIT), Centers for Medicare and Medicaid Services (CMS).

As the Director, Information Security and Privacy Group/Chief Information Security Officer, you will direct CMS' Information Security and Privacy Programs, which fulfill CMS' responsibility to maintain and improve the security of its information and information systems.

Candidates should be committed to improving the efficiency of the Federal government, passionate about the ideals of our American republic, and committed to upholding the rule of law and the United States Constitution.

Candidates will not be hired based on their race, sex, color, religion, or national origin.

To meet the minimum qualification requirements for this position, you must show that you possess the Executive Core Qualifications (ECQ) and Technical Qualifications (TQ) related to this position within your resume - NOT TO EXCEED 2 PAGES.

Resumes over the 2-page limit will not be reviewed beyond page 2 or may be disqualified.

Your resume should include examples of experience, education, and accomplishments applicable to the qualification(s).

If your resume does not reflect demonstrated evidence of these qualifications, you may not receive consideration for the position.

There is NO requirement to prepare a narrative statement specifically addressing the Executive Core Qualifications (ECQs) or the Technical Qualifications (TQs).

TECHNICAL QUALIFICATIONS (TQs): Your resume should demonstrate accomplishments that would satisfy the technical qualifications.

TQ 1: Demonstrated executive-level experience leading an enterprise cybersecurity and risk management program in a large, complex, and highly regulated organization.

Experience must include implementing and overseeing compliance with federal cybersecurity and privacy requirements, including the Federal Information Security Modernization Act (FISMA), Office of Management and Budget (OMB) policies, and National Institute of Standards and Technology (NIST) frameworks, to safeguard mission-critical systems.

Demonstrated experience directing risk management, system authorization, continuous monitoring, and external oversight activities, and providing strategic advice to senior leaders on cybersecurity risk and compliance decisions.

TQ 2: Demonstrated executive-level experience designing, implementing, and governing enterprise security and privacy controls for high-impact systems in a large, complex organization.

Experience must include leading zero trust and identity-centered security initiatives; integrating security and privacy requirements into system development lifecycles and cloud environments; and safeguarding sensitive data within a Health Insurance Portability and Accountability Act (HIPAA)-covered entity.

Demonstrated experience enforcing federal privacy and data protection laws and policies, including the Privacy Act, E-Government Act, and HIPAA; directing security operations and incident response programs; and ensuring the availability, integrity, confidentiality, and resilience of mission-critical systems and services.

EXECUTIVE CORE QUALIFICATIONS (ECQs): In addition to the Technical Qualification Requirements listed above, all new entrants into the Senior Executive Service (SES) under a career appointment will be assessed for executive competency against the following five mandatory ECQs.

If your 2-page resume does not reflect demonstrated evidence of the ECQs and TQs, you may not receive further consideration for the position.

There are five ECQs:

ECQ 1: Commitment to the Rule of Law and the Principles of the American Founding - This core qualification requires a demonstrated knowledge of the American system of government, commitment to uphold the Constitution and the rule of law, and commitment to serve the American people.

ECQ 2: Driving Efficiency - This core qualification involves the demonstrated ability to strategically and efficiently manage resources, budget effectively, cut wasteful spending, and pursue efficiency through process and technological upgrades.

ECQ 3: Merit and Competence - This core qualification involves the demonstrated knowledge, ability and technical competence to effectively and reliably produce work that is of exceptional quality.

ECQ 4: Leading People - This core qualification involves the demonstrated ability to lead and inspire a group toward meeting the organization's vision, mission, and goals, and to drive a high-performance, high-accountability culture.

This includes, when necessary, the ability to lead people through change and to hold individuals accountable.

ECQ 5: Achieving Results - This core qualification involves the demonstrated ability to achieve both individual and organizational results, and to align results to stated goals from superiors.

Note: If you are a member of the SES or have been certified through successful participation in an OPM approved SES Candidate Development Program (SESCDP), or have SES reinstatement eligibility, you do not need to respond to the ECQs.

Instead, you should attach proof (e.g., SF-50, Certification by OPM's SES Qualifications Review Board (QRB)) of your eligibility for noncompetitive appointment to the SES.

Major Duties:

  • Plan, coordinate, and control information system security and privacy CMS-wide, including security and privacy measures across the full technology stack.
  • Direct and mature a CMS-wide cybersecurity and privacy program ensuring risk-based protection commensurate with the magnitude of harm to beneficiaries, providers, and federal programs.
  • Direct and enforce enterprise-wide compliance with federal cybersecurity and privacy statutes, regulations, and policies.
  • Oversee Security Operations Center (SOC) operations, threat intelligence, detection, and response capabilities.
  • Establish enterprise risk metrics and performance indicators tied to mission impact, operational resilience, and budget decisions.
  • Represent CMS in engagements with HHS, OMB, interagency partners, and Congressional stakeholders.

Posted on USAJOBS: 3/26/2026 | Added to FreshGovJobs: 3/26/2026

Source: USAJOBS | ID: CMS-ES-26-12917472