SECURITY & COMPLIANCE ENGINEER (SCE)
Hiring Our Heroes · Arlington, VA · 3 wk ago
Management$68k/yrFull-time
About the role
Zermount Inc. is seeking a System Compliance Engineering (SCE) to support system risk analysis and ensure compliance with Information Assurance and cybersecurity standards. The role involves continuous evaluation of system security postures, identifying exploitable conditions, and validating implemented controls.
Responsibilities
- Execute RMF lifecycle (Prepare–Monitor) while validating controls directly in operational environments
- Identify and document real-time risks through analysis of logs, telemetry, configurations, and architecture
- Validate implementation of security controls (STIGs, MFA, encryption, access control) using system-level evidence
- Identify exploitable misconfigurations, weak trust boundaries, and gaps across cloud, network, OS, and database layers
- Drive POA&M actions by prioritizing risk based on exploitability and mission impact, ensuring closure within defined timelines
- Perform continuous monitoring (ISCM/CDM) with emphasis on actual system behavior vs. reported compliance
- Translate NIST, EO 14028, OMB, and TIC 3.0 requirements into specific technical remediation actions
- Validate remediation actions with repeatable verification methods (not documentation review)
- Produce executive-quality outputs (risk findings, remediation plans, executive summaries)
- Maintain system artifacts and documentation only as a byproduct of validated technical work
Subject Matter Expertise (SME)
- SME Area #1 – Technical Risk Validation (Modern GRC Execution): Expert-level means include ability to independently assess systems using direct technical inspection techniques, deep working knowledge of critical frameworks and directives, and ability to identify threat surfaces within specific systems and convert compliance requirements into specific and actionable remediation actions.
- SME Area #2 – Multi-Domain Technical Depth: Must have deep knowledge of one or more of cloud, network, systems, or databases, and ability to leverage this experience to inform and complete compliance-related tasks.
Qualifications
- Minimum Requirements: 5+ years of cybersecurity experience supporting U.S. Government systems, 4+ years performing RMF, ISSO, Assessment, or GRC functions, demonstrated hands-on experience in at least two technical domains, proven ability to analyze system configurations, ATOs, and other supporting security documentation, logs/telemetry, architecture documentation and data flow diagrams.
- Preferred Qualifications: Experience implementing or assessing Zero Trust architectures, experience with CDM, ISCM, and enterprise logging programs, familiarity with threat-informed defense concepts, experience in hybrid cloud environments.
Competencies
- Technical risk identification and prioritization
- Independent problem-solving in ambiguous environments
- Ability to translate policy into technical action
- Clear communication with both engineers and leadership
Education & Certifications
- Bachelor of Science (B.S.) in Computer Science, IT, Cybersecurity, or a related field, and a minimum of 5 years of IT cybersecurity experience, including direct support for the US Government and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role.
- One of the following security certifications is required: Certified Authorization Professional (CAP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), or Certified Chief Information Security Officer (CCISO), or Governance Risk & Compliance Certification (CGRC).
Clearance Level
Minimum of active Secret Clearance and ability to obtain and maintain DHS suitability.
Work Location
The position is primarily remote – Continental U.S only. Primary location when on site: Arlington, VA, and Springfield, VA. Must be willing to travel - Not to exceed 10% of the time.
Hours of Operation
8:00 am EST – 4:30 pm EST. Times may fluctuate based on client and business requirements.