4345 Senior Cybersecurity Engineer

OVERVIEW:

We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows.

A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2)

Designing a Disconnected Cluster

• Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave.
• Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments.
• Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing.

Registry and Artifact Governance

• Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating.
• Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions.

Admission Control & Policy Enforcement

• Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification.

Cluster Multi-Tenancy in SCIFs

• Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility).

Patching and CVE Response Offline

• Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates.

B) CI/CD & Security Test Automation (Disconnected)

Pipeline Architecture for Classified Enclaves

• Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev → Test → Prod in closed networks.
• Familiarity with GitLab/Jenkins runners, artifact promotion, and "compliance as code" practices.

Automated Security Testing Coverage

• Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines.
• Ensure pipeline failures persist if discrepancies are detected.

Evidence Generation for RMF

• Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls.
• Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS.

Promotion Gates & Provenance

• Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments.

Testing for Platform + App Security Regressions

• Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites.

C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP)

RMF Tailoring in Containerized Systems

• Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities.
• Work with shared responsibility matrices and control inheritance catalogs.

DISA STIG Application to Kubernetes Workloads

• Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions.
• Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks.

Continuous Monitoring (CONMON)

• Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco).
• Design and manage control dashboards and evidence snapshots.

ATO Acceleration through Automation

• Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS.

Policy Conflicts & Adjudication

• Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls.

D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves

Zero Trust in Kubernetes

• Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ.

Offline PKI Operations

• Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies.

East-West Segmentation Strategy

• Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments.

Identity Propagation Across Layers

• Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking.

Cross-Domain and Data Movement Patterns

• Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations.

E) Operations, SRE & Incident Response in SCIFs

Observability without SaaS

• Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo.

Break Glass & Change Control

• Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs.

Forensics & Container Runtime

• Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes.

Resiliency & DR in Disconnected Sites

• Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills.

Application Team & SOC Integration

• Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery.
• Define roles, telemetry requirements, and communication channels for effective response.

REQUIRED QUALIFICATIONS:

• 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience
• IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines
• Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments.
• Deep understanding of CI/CD pipeline architectures, especially in disconnected networks.
• Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes.
• Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation.
• Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment.
• Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents.
• Extensive experience in cybersecurity design and architecture.

CLEARANCE:

• Top Secret minimum