Job Requirements
McLean, VA
Top Secret Polygraph not specified
Senior Level Career (10+ yrs experience)
Salary not specified
Join Premium to unlock estimated salaries
Job Description
Job Title: Senior Cybersecurity Engineer
Type of Employment: Full Time + benefits
Location: McLean, VA (Onsite)
Clearance: Active Top Secret
Job Overview:
We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows.
Required Clearance
• Top Secret minimum
Required Skills
• 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience
• IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines
• Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments.
• Deep understanding of CI/CD pipeline architectures, especially in disconnected networks.
• Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes.
• Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation.
• Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment.
• Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents.
• Extensive experience in cybersecurity design and architecture.
Required Work Experience
A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2)
• Designing a Disconnected Cluster
• Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave.
• Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments.
• Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing.
• Registry and Artifact Governance
• Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating.
• Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions.
• Admission Control & Policy Enforcement
• Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification.
• Cluster Multi-Tenancy in SCIFs
• Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility).
• Patching and CVE Response Offline
• Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates.
B) CI/CD & Security Test Automation (Disconnected)
• Pipeline Architecture for Classified Enclaves
• Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev ? Test ? Prod in closed networks.
• Familiarity with GitLab/Jenkins runners, artifact promotion, and “compliance as code” practices.
• Automated Security Testing Coverage
• Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines.
• Ensure pipeline failures persist if discrepancies are detected.
• Evidence Generation for RMF
• Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls.
• Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS.
• Promotion Gates & Provenance
• Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments.
• Testing for Platform + App Security Regressions
• Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites.
C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP)
• RMF Tailoring in Containerized Systems
• Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities.
• Work with shared responsibility matrices and control inheritance catalogs.
• DISA STIG Application to Kubernetes Workloads
• Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions.
• Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks.
• Continuous Monitoring (CONMON)
• Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco).
• Design and manage control dashboards and evidence snapshots.
• ATO Acceleration through Automation
• Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS.
• Policy Conflicts & Adjudication
• Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls.
D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves
• Zero Trust in Kubernetes
• Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ.
• Offline PKI Operations
• Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies.
• East-West Segmentation Strategy
• Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments.
• Identity Propagation Across Layers
• Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking.
• Cross-Domain and Data Movement Patterns
• Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations.
E) Operations, SRE & Incident Response in SCIFs
• Observability without SaaS
• Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo.
• Break Glass & Change Control
• Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs.
• Forensics & Container Runtime
• Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes.
• Resiliency & DR in Disconnected Sites
• Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills.
• Application Team & SOC Integration
• Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery.
• Define roles, telemetry requirements, and communication channels for effective response.
Type of Employment: Full Time + benefits
Location: McLean, VA (Onsite)
Clearance: Active Top Secret
Job Overview:
We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows.
Required Clearance
• Top Secret minimum
Required Skills
• 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience
• IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines
• Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments.
• Deep understanding of CI/CD pipeline architectures, especially in disconnected networks.
• Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes.
• Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation.
• Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment.
• Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents.
• Extensive experience in cybersecurity design and architecture.
Required Work Experience
A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2)
• Designing a Disconnected Cluster
• Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave.
• Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments.
• Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing.
• Registry and Artifact Governance
• Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating.
• Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions.
• Admission Control & Policy Enforcement
• Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification.
• Cluster Multi-Tenancy in SCIFs
• Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility).
• Patching and CVE Response Offline
• Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates.
B) CI/CD & Security Test Automation (Disconnected)
• Pipeline Architecture for Classified Enclaves
• Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev ? Test ? Prod in closed networks.
• Familiarity with GitLab/Jenkins runners, artifact promotion, and “compliance as code” practices.
• Automated Security Testing Coverage
• Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines.
• Ensure pipeline failures persist if discrepancies are detected.
• Evidence Generation for RMF
• Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls.
• Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS.
• Promotion Gates & Provenance
• Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments.
• Testing for Platform + App Security Regressions
• Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites.
C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP)
• RMF Tailoring in Containerized Systems
• Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities.
• Work with shared responsibility matrices and control inheritance catalogs.
• DISA STIG Application to Kubernetes Workloads
• Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions.
• Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks.
• Continuous Monitoring (CONMON)
• Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco).
• Design and manage control dashboards and evidence snapshots.
• ATO Acceleration through Automation
• Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS.
• Policy Conflicts & Adjudication
• Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls.
D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves
• Zero Trust in Kubernetes
• Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ.
• Offline PKI Operations
• Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies.
• East-West Segmentation Strategy
• Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments.
• Identity Propagation Across Layers
• Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking.
• Cross-Domain and Data Movement Patterns
• Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations.
E) Operations, SRE & Incident Response in SCIFs
• Observability without SaaS
• Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo.
• Break Glass & Change Control
• Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs.
• Forensics & Container Runtime
• Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes.
• Resiliency & DR in Disconnected Sites
• Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills.
• Application Team & SOC Integration
• Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery.
• Define roles, telemetry requirements, and communication channels for effective response.
group id: 10299880