SECURITY ARCHITECTURE & ENGINEERING SME
Zermount, Inc. · Arlington, VA · 3 wk ago
RemoteRemoteEngineeringFull-time
About the role
Zermount Inc. is seeking a Cybersecurity Architect & Engineer SME to support a federal client's enterprise cybersecurity and Continuous Authorization to Operate (cATO) initiative(s).
Responsibilities
- Develop, maintain, and evolve the Enterprise Security Reference Architecture (ESRA).
- Provide architectural input to the organization's Cybersecurity Roadmap and Strategy, addressing:
- Continuous ATO (cATO) and automated control testing maturity.
- Cloud security standards, compliance, and improvements to ATO timelines.
- Cloud monitoring, detection, response, and security operations.
- Privacy, continuous monitoring, and vulnerability assessment modernization.
- Integration of security scanning into cloud pipelines.
- Implementation of EO 14028 (ZTA) and SCRM requirements.
- Architect and implement continuous monitoring pipelines for automated evidence collection (SIEM, XDR, scanners, cloud APIs, CI/CD).
- Develop and manage OSCAL profiles, inheritance models, and evidence data contracts.
- Integrate telemetry and evidence into AO-grade dashboards.
- Support ATO intake, assessment workflows, and vulnerability scanning processes.
- Develop security architectural patterns that expedite ATO by pre-meeting control requirements.
- Collaborate with the Cybersecurity Authorizations & Compliance Branch to design systems supporting cATO, reduce ATO processing times, provide data-call responses, and participate in working groups.
- Design and deploy native cloud security services across AWS, Azure, and Google Cloud.
- Lead the development of enterprise cloud security blueprints, including security in Infrastructure-as-Code (IaC) templates.
- Conduct proofs-of-value for cloud-native, COTS, third-party, or open-source security tools.
- Provide security architecture input for DevSecOps strategy, including vulnerability scanning, automated assessments, and implementation of security controls.
- Conduct requirements-gathering sessions and cATO current-state assessments.
- Recommend security requirements, architectural direction, and support testing for enterprise initiatives such as: cATO, automated assessments, ZTA, SASE, CASB, SWG, TIC 3.0, ICAM, CMDB, etc.
- Collaborate with operational teams to improve cloud security monitoring, including ingestion and analysis of API, application, database, and flow logs into SIEM platforms.
- Support development of cloud event analysis and alert tuning to increase detection fidelity.
- Identify vulnerabilities across the SDLC and help contain, minimize, and remediate associated risks.
- Provide system engineering and architectural design support, including:
- Studies and analyses of operational changes;
- End-to-end architecture trade-off assessments;
- Development of strategic and tactical plans;
- Evaluation of new program requirements;
- Research and assessment of new technologies for operational enhancement.
- Ensure teams deliver high-value increments meeting the Definition of Done.
- Facilitate stakeholder collaboration as needed.
Requirements
- High level of attention to detail, needs minimal guidance, effective verbal, and written communications.
- Adept at both the strategic and operational/technical level.
- Able to adapt to new and changing requirements / priorities and manage work accordingly.
- At least 5 years (preferred 10 years) of network, systems, applications experience, in areas such as: LAN/WAN, WAF/CDN/DDOS, Network Firewalls, IDS/IPS, Virtualization, hypervisor security, container security, Application development, serverless security, microservices, CICD.
- At least 5 years of designing and/or implementing security in Cloud environments (AWS and Azure; GCP is also preferred but not required).
- Operational experience with the following is preferred:
- Multi-Cloud, Hybrid Cloud, IaaS, PaaS, SaaS, shared responsibility model.
- AWS Security Hub, Audit Manager, Config., Guard Duty, CloudTrail, CloudWatch, Lambda.
- Azure E3/E5, AD, Blob, Azure Security Center, Key Vault, SSE, Monitor, Log Analytics, Policy.
- Experience with DevSecOps strategy and implementation and designing architecture in accordance to RMF, CSF, FISMA, and Fedramp.
- Knowledge of ZTA and SASE Framework, ICAM (OKTA), CWPP, SOC Operations, Vulnerability Threat Management, and Compliance.
- The candidate must have a: Certified Information Systems Security Professional (CISSP), and At least one of the following, or equivalent: Certified Cloud Security Professional (CCSP), AWS Certified Solutions Architect Associate, AWS Certified Security Specialist, Microsoft Azure Solutions Architect,Google Professional Cloud Architect.
- Minimum Background Investigation.
Location
Hybrid - Primary location is Alexandria, VA. Remote work is authorized. Occasional travel to the primary location may be required.