Senior DevSecOps Engineer, Government Systems Security & Compliance
Position Summary
Apium Swarm Robotics (ASR) is revolutionizing swarm autonomy software for air, surface, undersea, and ground vehicles operating across dual-use commercial and defense environments. Our systems are deployed on real platforms, tested in the field, and delivered to customers operating in complex, uncertain, and safety-critical conditions. We do not build research prototypes or slideware. Our software is integrated into real vehicles, tested in the field, and delivered to customers who depend on operational reliability, speed of execution, and mission relevance. We prioritize performance over hype.
Essential Duties And Responsibilities
Design and implement CI/CD security gates (SAST, dependency scanning, secrets detection, SBOM generation) across ASR’s version control organization (GitHub, GitLab, or equivalent)
Establish structured artifact management with semantic versioning, signed releases, and audit-traceable build provenance; manage release pipelines across incrementally constrained compliance tiers (commercial, CMMC-controlled, SIPRNet-classified)
Own CMMC Level 2 compliance posture; develop and maintain SSP, POA&M, and ATO/IATT support documentation for government program deliveries
Apply NIST SP 800-82 OT security controls to embedded flight software, GCS services, and swarm communications protocols
Implement technical controls for CUI handling, export-controlled repository access, and ITAR/EAR compliance in development workflows
Define threat modeling and SSDF (NIST SP 800-218) practices; maintain SBOM generation per EO 14028 and DoD supply chain requirements
Ensure source control organization meets required security standards: MFA applied as required, least-privilege access controls maintained, audit logging confirmed, and third-party application permissions managed
Support corporate IT integration: align ASR’s development environment with broader CMMC and CUI enclave requirements as the company scales
Required Qualifications
Active Secret clearance or demonstrated ability and willingness to obtain one
5+ years of DevSecOps, security engineering, or information assurance experience, with at least 2 years in a DoD or defense contractor environment
Practical experience with GitHub Actions, GitLab CI, or equivalent CI/CD platforms, including writing custom pipeline configurations for security automation
Understanding of OT/embedded system security distinctions from enterprise IT; ability to apply NIST 800-82 to firmware and autopilot-layer software
Experience with SBOM generation tooling (e.g., Syft, CycloneDX, SPDX) and DoD supply chain security requirements
Familiarity with ITAR/EAR technical controls: CUI handling, export-controlled repository access, and developer access management
Comfort working independently with limited oversight; ability to remain calm and effective under operational pressure
Additional Desired Qualifications
BS in Computer Science or related field preferred
Experience authoring NIST SP 800-171 SSP and POA&M documentation in a DoD or defense contractor environment
Experience managing release pipelines across incrementally constrained compliance environments (e.g., commercial release, CMMC-controlled distribution, SIPRNet-classified behaviors)
CMMC Registered Practitioner (RP) or Certified Professional (CP); DoD 8570/8140 compliant certification (CISSP, Security+, or equivalent)
Familiarity with RMF and DISA STIG applicability for Linux-based embedded systems
Experience with Android application security including APK signing and MDM for government tablet deployments
Prior work on UAS, robotics, or autonomous systems; familiarity with PX4/ArduPilot is a differentiator
Experience with ATAK/WinTAK plugin security and TAK server CUI handling
Physical Requirements And Working Conditions
Must be able to walk, stand, and navigate large indoor and outdoor facilities for extended periods of time
Ability to lift, carry, and move materials and equipment weighing up to 25 lbs on a regular basis
Use of personal protective equipment (PPE) may be required in designated areas or when performing specific tasks, in accordance with safety protocols and company policy
Regular exposure to facility operations including noise, dust, temperature fluctuations, and industrial equipment
Occasional off-hours or weekend work required for emergency facility responses or projects as needed
Requires frequent use of a computer and other standard office equipment for documentation, communication, and coordination tasks
EEO and ITAR/EAR Work Authorization Disclosure
This position will require successfully completing a post-offer background check. Qualified candidates with a criminal history will be considered and are not automatically disqualified, consistent with federal and state law. EEO and ITAR/EAR Work Authorization Disclosure Red Cat Holdings provides equal employment opportunities (EEO) to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This position requires direct or indirect access to hardware, software, technology or technical data controlled under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). Successful candidates for positions subject to ITAR/EAR restrictions must provide proof of U.S. Citizenship or Permanent Residence and must not require sponsorship for export-restricted work authorization.
Compensation
Base pay $90-124K, plus generous annual equity package and potential bonuses.