Lead Security Engineer, #1073Security Requirement: U.S. Citizenship required
Work Location: Suitland, MD
We are seeking a Subject Matter Expert (SME)-level
Lead Security Engineer to lead application security across a large-scale, cloud-native federal modernization program. This role provides technical and management leadership on major security tasks, embedding security into every phase of the System Development Life Cycle (SDLC) using a
DevSecOps methodology. The ideal candidate will architect and enforce
Zero Trust principles, drive
Authorization to Operate (ATO) activities, and direct application security testing, threat modeling, and vulnerability remediation across a System of Systems (SoS). This position interfaces with senior Government stakeholders and the Office of Information Security (OIS), and decision-making and domain knowledge may have a critical impact on overall program implementation. May supervise others.
What You'll be Doing:- Lead the design and implementation of application security solutions, frameworks, and processes across all phases of the SDLC
- Implement Zero Trust (ZT) principles for applications, workloads, and data, aligned with EO 14028, OMB M-22-09, and NIST SP 800-207 (Zero Trust Architecture)
- Integrate security into DevSecOps CI/CD pipelines, establishing security gates, automated code inspection, and supply-chain controls, including Software Bill of Materials (SBOM) generation
- Direct Static and Dynamic Application Security Testing (SAST/DAST), vulnerability assessments, and penetration testing to identify, triage, and remediate security weaknesses
- Lead threat modeling exercises to analyze application architecture, identify attack vectors, and document mitigation strategies throughout design, development, testing, and deployment
- Support the Authorization to Operate (ATO) process, including security control assessment, artifact and evidence collection, Privacy Threshold Analysis/Privacy Impact Assessment support, and Plan of Action and Milestones (POA&M) management
- Implement security controls in accordance with the NIST Cybersecurity Framework and NIST SP 800-53, and remediate identified vulnerabilities and compliance findings
- Design and implement secure architecture patterns - secure API design, authentication/authorization, input validation, encryption, secure logging and monitoring (SIEM), and secure error/session/configuration management
- Develop and maintain metrics, dashboards, and reporting to track application security posture, threat trends, and remediation progress over time
- Support the development and management of Interagency Security Agreements (ISA), security playbooks, and incident response in accordance with current cybersecurity policies
- Collaborate with application developers, data engineers, systems engineers, and OIS to identify and mitigate vulnerabilities, and provide expert security consultation to development teams
- Assist in FedRAMP certification activities and the assessment/remediation of independent penetration testing results, as applicable
Required Education, Experience, and Skills:- Bachelor's degree in Information Technology, Computer Science, Cybersecurity, or a related field
- 15+ years of relevant IT/cybersecurity experience, providing technical and management leadership on major tasks or technology assignments (SME level)
- Certified Information Systems Security Professional (CISSP)
- Certified Cloud Security Professional (CCSP)
- Demonstrated expertise in integrating security into a DevSecOps SDLC, including CI/CD security gates and automated security testing
- Hands-on experience implementing Zero Trust Architecture and applying NIST SP 800-53 controls and the NIST Cybersecurity Framework
- Proven experience leading vulnerability assessments, penetration testing, and threat modeling for enterprise applications
- Experience supporting the ATO lifecycle and managing POA&Ms, security artifacts, and evidence collection
- U.S. Citizenship required
Preferred Skills and Experience: - Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Experience generating Software Bill of Materials (SBOMs) and implementing software supply-chain security controls
- Familiarity with SIEM deployment, container/image hardening, and secure baseline configuration
- Experience in large-scale, multi-cloud federal environments and FedRAMP processes
- Strong analytical, problem-solving, written, and verbal communication skills, including the ability to brief senior Government stakeholders
Our estimated salary range for this position is $120,000 - $190,000; this presented salary range is not a guarantee of compensation or salary. Offered salary is based on experience, geographic location, and possibly contractual requirements as appropriate to the role. *Salary could fall outside of this range.