Chief Information Officer (CIO)

At Commence, we’re the start of a new age of data-centric transformation, elevating health outcomes and powering better, more efficient process to program and patient health. We combine quality data-driven solutions that fuel answers, technology that advances performance, and clinical expertise that builds trust to create a more efficient path to quality care.

With human-centered, healthcare-relevant, and value-based solutions, we create new possibilities with data. We provide proof beyond the concept and performance beyond the scope with a focus on efficiencies that transform the lives of those we serve. With a culture driven by purpose, straightforward communication and clinical domain expertise, Commence cuts straight to better care.

The Chief Information Officer (CIO) oversees the organization’s compliance with CMS information security requirements. The CIO serves as the primary point of accountability for the program’s information security program, ensuring that all federal and CMS-specific IT security policies are implemented, documented, and enforced across all contract operations. This role requires deep familiarity with federal information security frameworks and direct experience in the healthcare IT environment supporting government programs.

Requirements

• Learn, document, and implement Federal and CMS information security controls in compliance with CMS IS2P2, FISMA, FedRAMP, HIPAA, and all applicable CMS security policies and procedures.
• Disseminate and implement IT policy that aligns with CMS requirements; provide interpretation of current policies in response to inquiries or specific incidents.
• Oversee the Security Assessment and Authorization (SA&A) process, including development and maintenance of the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and related ATO documentation.
• Ensure all contractor personnel complete required CMS Information Security Awareness, Privacy, and Records Management training annually; maintain training records per CMS procedures.
• Manage compliance with CMS encryption standards, FIPS 140 requirements, asset inventory, configuration management, vulnerability scanning, and patch remediation timelines per CMS policy.
• Serve as primary liaison to CMS on all information security and privacy matters; respond to security incidents within required timeframes and coordinate with the CMS Incident Response Team (IRT) as directed.
• Oversee Data Use Agreement (DUA) processes and ensure compliance with CMS data access policies through the Enterprise Privacy Policy Engine (EPPE) system.
• Maintain a complete and current inventory of all IT assets and ensure devices meet CMS and HHS-specific encryption and configuration standards.
• Support CMS audits, security assessments, and annual performance reviews; allow government access to facilities, systems, and personnel as required.

Qualifications 

• Minimum 5 years of combined work experience, with at least 3 of those years in the healthcare industry supporting either Federal Government agencies or commercial healthcare market in a role such as CIO, Information Technology Manager, Chief Technology Officer, or Network Administrator.
• Knowledge of the Medicare Fee-for-Service (FFS) program and familiarity with CMS information security requirements, including FISMA, FedRAMP, HIPAA, CMS IS2P2, and the CMS Business Partner System Security Manual (BPSSM).
• Bachelor’s degree in Information Systems, Computer Science, or other related technology field required.  Relevant work experience in a related field may be considered in lieu of a bachelor’s degree.

Preferred Qualifications

• Prior CIO or IT security leadership experience on a CMS contract with demonstrated knowledge of CMS Security Assessment and Authorization (SA&A) processes.
• Relevant certification such as CISSP, CISM, CISA, or equivalent information security credential.
• Experience managing FedRAMP authorization packages and working with third-party assessment organizations (3PAOs) for moderate-impact federal systems.
• Familiarity with CMS esMD, RACDW, IDR, and other CMS-designated data systems used in Medicare medical review operations.