4345 Senior Cybersecurity Engineer
Procession Systems, Reston, VA, United States
4345 Senior Cybersecurity Engineer
4345 | Top Secret
Job Description:
OVERVIEW:
We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows.
A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2)
Designing a Disconnected Cluster Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave. Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments. Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing. Registry and Artifact Governance Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating. Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions. Admission Control & Policy Enforcement Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification. Cluster Multi-Tenancy in SCIFs Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility). Patching and CVE Response Offline Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates. B) CI/CD & Security Test Automation (Disconnected)
Pipeline Architecture for Classified Enclaves Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev → Test → Prod in closed networks. Familiarity with GitLab/Jenkins runners, artifact promotion, and "compliance as code" practices. Automated Security Testing Coverage Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines. Ensure pipeline failures persist if discrepancies are detected. Evidence Generation for RMF Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls. Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS. Promotion Gates & Provenance Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments. Testing for Platform + App Security Regressions Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites.
C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP)
RMF Tailoring in Containerized Systems Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities. Work with shared responsibility matrices and control inheritance catalogs. DISA STIG Application to Kubernetes Workloads Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions. Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks. Continuous Monitoring (CONMON) Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco). Design and manage control dashboards and evidence snapshots. ATO Acceleration through Automation Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS. Policy Conflicts & Adjudication Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls.
D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves
Zero Trust in Kubernetes Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ. Offline PKI Operations Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies. East-West Segmentation Strategy Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments. Identity Propagation Across Layers Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking. Cross-Domain and Data Movement Patterns Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations.
E) Operations, SRE & Incident Response in SCIFs
Observability without SaaS Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo. Break Glass & Change Control Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs. Forensics & Container Runtime Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes. Resiliency & DR in Disconnected Sites Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills. Application Team & SOC Integration Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery. Define roles, telemetry requirements, and communication channels for effective response.
REQUIRED QUALIFICATIONS:
12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments. Deep understanding of CI/CD pipeline architectures, especially in disconnected networks. Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes. Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation. Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment. Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents. Extensive experience in cybersecurity design and architecture. CLEARANCE:
Top Secret minimum
Job Details
City :
Tysons, Reston, JBAB, College Park
State :
Virginia
Job Description:
OVERVIEW:
We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows.
A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2)
Designing a Disconnected Cluster Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave. Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments. Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing. Registry and Artifact Governance Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating. Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions. Admission Control & Policy Enforcement Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification. Cluster Multi-Tenancy in SCIFs Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility). Patching and CVE Response Offline Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates. B) CI/CD & Security Test Automation (Disconnected)
Pipeline Architecture for Classified Enclaves Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev → Test → Prod in closed networks. Familiarity with GitLab/Jenkins runners, artifact promotion, and "compliance as code" practices. Automated Security Testing Coverage Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines. Ensure pipeline failures persist if discrepancies are detected. Evidence Generation for RMF Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls. Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS. Promotion Gates & Provenance Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments. Testing for Platform + App Security Regressions Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites.
C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP)
RMF Tailoring in Containerized Systems Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities. Work with shared responsibility matrices and control inheritance catalogs. DISA STIG Application to Kubernetes Workloads Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions. Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks. Continuous Monitoring (CONMON) Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco). Design and manage control dashboards and evidence snapshots. ATO Acceleration through Automation Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS. Policy Conflicts & Adjudication Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls.
D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves
Zero Trust in Kubernetes Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ. Offline PKI Operations Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies. East-West Segmentation Strategy Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments. Identity Propagation Across Layers Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking. Cross-Domain and Data Movement Patterns Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations.
E) Operations, SRE & Incident Response in SCIFs
Observability without SaaS Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo. Break Glass & Change Control Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs. Forensics & Container Runtime Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes. Resiliency & DR in Disconnected Sites Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills. Application Team & SOC Integration Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery. Define roles, telemetry requirements, and communication channels for effective response.
REQUIRED QUALIFICATIONS:
12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments. Deep understanding of CI/CD pipeline architectures, especially in disconnected networks. Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes. Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation. Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment. Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents. Extensive experience in cybersecurity design and architecture. CLEARANCE:
Top Secret minimum
Job Details
City :
Tysons, Reston, JBAB, College Park
State :
Virginia