Jobs · Management

SECURITY & RISK ENGINEER (SRE)

Hiring Our Heroes · Arlington, VA · 2 wk ago
Management$233k/yrFull-time

About the role

The System Risk Engineer (SRE) supports system risk analysis and ensures federal information systems comply with Information Assurance and cybersecurity standards. The role directly contributes to mission assurance by identifying, validating, and reducing cybersecurity risk.

Responsibilities

  • Execute Security Assessments (SA), Risk Assessments (RA), and Ongoing Authorization (OA) activities by validating security controls in live environments, not solely through documentation review
  • Conduct technical verification and validation of security controls across operating systems, applications, databases, cloud platforms, and network infrastructure
  • Identify real-world security risks, including exploitable vulnerabilities, misconfigurations, weak trust boundaries, and control failures
  • Perform continuous risk analysis using outputs from vulnerability scans, penetration testing, logging platforms, and configuration assessments
  • Develop risk-based findings and POA&M matrices, prioritizing remediation based on exploitability, exposure, and mission impact
  • Produce executive-quality artifacts (SARs, risk memos, ATO packages, executive briefings) with validated, evidence-backed findings
  • Conduct impact analysis for Requests for Change (RFCs), identifying security implications of architectural, configuration, or system modifications
  • Validate Zero Trust implementation and alignment across system architectures and capabilities
  • Perform technical assessments of system architecture, data flows, and trust boundaries to identify control gaps
  • Ensure compliance validation for TIC, FISMA, and federal cybersecurity mandates through technical inspection and testing
  • Provide weekly status reporting and briefings with clear articulation of risks, risk mitigation progress, and technical findings

Subject Matter Expertise (SME)

  • SME Area #1 – Primary Expertise: Security Assessment & Technical Risk Validation
  • SME Area #2 – Secondary Expertise: Multi-Domain Technical Depth

Qualifications

  • Minimum Requirements:
    • 7+ years of cybersecurity experience supporting U.S. Government systems
    • 4+ years performing RMF, ISSO, Assessment, or GRC functions with direct technical validation responsibilities
    • Demonstrated hands-on experience in at least two technical domains (cloud, network, systems, or databases)
    • Proven ability to analyze:- System configurations, ATOs, and other supporting security documentation
    • Logs/telemetry
    • Architecture documentation and data flow diagrams
    • Proven ability to conduct technical assessments across multiple domains
  • Preferred Qualifications:
    • Experience with Zero Trust assessments and implementation validation
    • Experience with CDM, ISCM, and enterprise logging programs
    • Experience supporting DHS/FISMA environments
    • Familiarity with threat-informed defense and attack vector analysis
  • Competency:
    • Advanced technical risk analysis and prioritization
    • Independent problem-solving in ambiguous environments
    • Strong collaboration with system teams, federal leads
    • Ability to translate complex technical findings into actionable recommendations
    • Clear communication with both engineers and leadership
  • Education & Certifications:
    • Bachelor of Science (B.S.) in Computer Science, IT, Cybersecurity, or a related field, and a minimum of 7 years of IT cybersecurity experience, including direct support for the US Government and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role.
    • Without a B.S. in a relevant field - A minimum of 13 years of IT Cybersecurity experience, including direct support for the US Government, and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role.
    • At least one of the following security certifications is required:- Certified Authorization Professional (CAP)
    • Certified Information Security Auditor (CISA)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Security Professional (CISSP), or Certified Chief Information Security Officer (CCISO)
    • Governance Risk & Compliance Certification (CGRC)
    • Or alternatively approved certifications
  • Clearance Level:
    • Minimum of active Secret Clearance and ability to obtain and maintain DHS suitability

    Work Location

    The position is primarily remote – Continental U.S only

    Hours of Operation

    • 8:00 am EST – 4:30 pm EST
    • Times may fluctuate based on client and business requirements

    Reporting Structure

    • Reports To: Security Risk Engineering Team Lead
    • Direct Reports: N/A

    Pay

    Estimated: $233,422 per year

Similar jobs

Sr Security Engineer

MeijerMichigan, United States· 1 wk ago
Information Technologyapply on meijer.wd5.myworkdayjobs.com

Sr. Security Engineer

JobgetherUnited States· 5 days ago
RemoteInformation Technologyapply on jobs.lever.co

Sr. Security Engineer

Early WarningScottsdale, AZ· 2 wk ago
Information Technology$132k–$165k/yrapply on earlywarning.wd5.myworkdayjobs.com