The Solutions Architect is a Key Personnel role on the FDIC Enterprise DevSecOps program, supporting the client's CIO organization (CIOO). The architect owns the target-state design of the FDIC DevSecOps platform - a hybrid estate spanning Azure/AKS, AWS, mainframe z/OS/Endevor, and enterprise middleware (WebLogic/WebSphere, Oracle, PeopleSoft, SAP, MuleSoft, Appian, Salesforce, Power Platform) across a large, complex enterprise DevSecOps environment at DevSecOps maturity Level 2 of 5. The architect translates FDIC Enterprise Architecture (EA) directives and enterprise architecture governance requirements into actionable, repeatable platform blueprints that enable development teams to ship securely with minimal client intervention. This role demands recent, hands-on design authority over the exact FDIC self-managed toolchain - GitHub Enterprise Server, GitHub Cloud/Actions, GitHub Advanced Security (GHAS), JFrog Artifactory/Xray, SonarQube, and Subject7 on Azure/AKS - and a demonstrated ability to harden that platform to FISMA-moderate, NIST 800-53/800-207, OMB M-22-09, and CISA Zero Trust Maturity Model 2.0 (target: Optimal) standards.
PRIMARY RESPONSIBILITIES
- Platform Architecture and Target-State Design
- Own the DevSecOps platform architecture across the FDIC hybrid estate (Azure primary - AKS, ACR, App Gateway, Key Vault; plus AWS, mainframe z/OS/Endevor, WebLogic/WebSphere, Oracle, PeopleSoft, SAP Data Services, MuleSoft, Appian, Salesforce, Power Platform); produce and maintain Architecture Decision Records (ADRs) aligned to FDIC target-state EA.
- Design self-managed platform deployments for JFrog Artifactory/Xray, SonarQube, GitHub Enterprise Server (GHES), GitHub Advanced Security (GHAS)/CodeQL, and Subject7 on AKS; define upgrade paths under the n/n-1 version strategy.
- Establish immutable-infrastructure and GitOps patterns (Flux, Helm) for the AKS platform; author Terraform IaC modules and Bicep templates for repeatable, policy-compliant provisioning across Azure and AWS landing zones.
- Design pipeline architecture for a large CI/CD pipeline estate (GitHub Actions; on-prem, cloud, hybrid, multicloud patterns), integrating blocking security gates: SAST/SCA on Critical/High, IaC scan on Critical, DAST on Critical, container scan on Critical/High, SonarQube quality gate on fail.
- Define architecture for GitHub Copilot (SaaS) integration and AI-assisted development workflows within FDIC compliance constraints.
- Security Architecture and Zero Trust
- Architect Zero Trust controls aligned to OMB M-22-09 and CISA ZTMM 2.0 at Optimal maturity; map identity (Entra/CyberArk), device, network, application, and data pillars to the DevSecOps toolchain.
- Design policy-as-code enforcement (OPA/Gatekeeper, Azure Policy) for Kubernetes admission control and IaC guardrails; ensure CyberArk and Azure Key Vault secrets management patterns meet FIPS 140-2/3 and PQC (FIPS 203/204/205) requirements.
- Define cATO (continuous ATO) architecture: continuous compliance monitoring via Splunk and DynaTrace, automated evidence collection, and alignment to NIST 800-37/800-53/800-88/800-207 control families for FISMA-moderate boundary.
- Establish container security architecture integrating Aqua, Trivy, Trufflehog, and GHAS/CodeQL scanning into build and release pipelines; ensure secrets + peer-review gates at Develop stage are architecturally enforced.
- Lead architecture reviews through enterprise architecture and change governance boards (EA fitness gate), CCB, ISSM/ISSO, and OCISO coordination bodies; produce fitness-gate artifacts that prevent rework.
- Hybrid and Mainframe Integration Architecture
- Design integration patterns connecting Azure/AKS cloud pipelines to mainframe z/OS/Endevor build and deploy workflows; ensure CI/CD coverage spans both cloud and mainframe application portfolios within the full enterprise application scope.
- Architect API and event-driven integration patterns for MuleSoft, Appian, Salesforce, and Power Platform workloads; define DevSecOps onboarding playbooks for each platform tier.
- Produce reference architectures for WebLogic/WebSphere, Oracle, PeopleSoft, and SAP Data Services application pipelines, covering build, scan, test (Selenium/Playwright/JMeter/Subject7), and release stages.
- SLA, Observability, and Reliability Architecture
- Architect the observability stack (Splunk, DynaTrace, Azure Monitor) to enforce >99.5% availability SLAs for the 83 Mission Essential/Critical applications and Critical/High security-finding remediation within <=30 days and Moderate within <=90 days.
- Design capacity and resilience patterns for AKS clusters and self-managed tool infrastructure to absorb high volumes of ServiceNow requests without degradation.
- Technical Leadership and Governance
- Serve as the technical authority and primary architect point of contact for FDIC, resolving architecture ambiguities autonomously to minimize client intervention.
- Lead architecture working sessions, produce decision briefs for enterprise architecture and change governance boards and OCISO, and ensure all platform changes pass EA fitness gates before implementation.
- Mentor senior engineers and DevSecOps leads on architecture patterns, IaC standards, and secure-by-default pipeline design.
- Author and maintain architecture runbooks, pattern libraries, and design standards that become the program's shared engineering baseline.
REQUIRED QUALIFICATIONS
- Bachelor's degree in Computer Science, Computer Engineering, Information Systems, Electrical Engineering, or a closely related technical discipline. In lieu of degree, additional years experience may be required.
- Must be able to obtain and maintain a Public Trust clearance.
- Minimum 12 years of progressive IT experience with at least 5 years in senior solution/enterprise architecture roles (or a Master's degree with 10 years).
- Demonstrated hands-on architecture ownership (current experience, typically within the past 1-2 years) of a self-managed GitHub Enterprise Server (GHES) and GitHub Cloud/Actions environment at enterprise scale (hundreds of repositories and active pipelines).
- Recent, hands-on experience designing and operating JFrog Artifactory/Xray, SonarQube, and GitHub Advanced Security (GHAS)/CodeQL as self-managed, AKS-hosted services - not SaaS consumption only.
- Proven, recent experience authoring production-grade Terraform IaC modules and Kubernetes/AKS manifests for a regulated federal or financial-sector environment; immutable infrastructure and policy-as-code patterns required.
- Experience leading architecture through formal EA governance bodies (equivalent to enterprise architecture fitness-gate boards, CCB, or ATO boards) in a FISMA-moderate or higher environment.
- Recent architecture experience integrating CI/CD pipelines across a hybrid estate that includes both cloud-native AKS workloads and mainframe or host-based build/deploy environments (z/OS, Endevor, or equivalent); candidate must demonstrate design authority over both sides of the hybrid boundary, not cloud-only coverage.
- GitHub Enterprise Server (self-managed), GitHub Cloud, GitHub Actions, GitHub Advanced Security (GHAS), CodeQL, GitHub Copilot
- JFrog Artifactory / Xray, SonarQube, Aqua, Trivy, Trufflehog (self-managed, AKS-hosted deployment and operations)
- Azure: AKS, ACR, App Gateway, Key Vault, Azure Policy, Azure Monitor; AWS: integration and landing-zone patterns
- Terraform IaC, Bicep, Packer; Helm, Flux (GitOps); Docker; Kubernetes (AKS)
- Policy-as-code: OPA/Gatekeeper, Azure Policy, admission controller patterns
- NIST 800-53 / 800-207, OMB M-22-09, CISA ZTMM 2.0, FISMA-moderate, FIPS 140-2/3
- CyberArk, Azure Key Vault secrets management; FIPS 140-2/3 cryptographic boundaries
- Splunk, DynaTrace, Azure Monitor for observability and compliance evidence collection
PREFERRED QUALIFICATIONS
- Certifications (strongly preferred)
- Microsoft Certified: Azure Solutions Architect Expert (AZ-305) - active
- AWS Certified Solutions Architect - Professional - active
- Certified Kubernetes Administrator (CKA) or Certified Kubernetes Application Developer (CKAD)
- CISSP (Certified Information Systems Security Professional) or CCSP (Certified Cloud Security Professional)
- HashiCorp Terraform Associate (003) or HashiCorp Infrastructure Automation Certification
- Experience Differentiators
- Architecture experience at enterprise scale across hybrid on-prem and multi-cloud environments.
- Hands-on design of CI/CD pipeline architectures covering mainframe (z/OS, Endevor) alongside cloud-native AKS workloads in the same DevSecOps platform.
- Experience designing Subject7 test automation platform deployment and integration within a DevSecOps pipeline (alongside Selenium, Playwright, JMeter).
- Architecture ownership for enterprise middleware platforms in a DevSecOps context: MuleSoft, WebLogic/WebSphere, Oracle, PeopleSoft, SAP Data Services.
- cATO architecture and continuous compliance automation in a FISMA-moderate boundary; experience producing evidence packages accepted by an ISSM/ISSO without rework.
- Experience with PQC migration planning (FIPS 203/204/205) and FIPS 140-3 cryptographic module selection.
- 12 CFR 366 (FDIC contractor conduct standards) or equivalent financial-regulator contractor compliance experience.
- Section 508 architecture patterns for enterprise web and portal applications.
Original Posting:June 17, 2026
For U.S. Positions: While subject to change based on business needs, Leidos reasonably anticipates that this job requisition will remain open for at least 3 days with an anticipated close date of no earlier than 3 days after the original posting date as listed above.
Pay Range:Pay Range $131,300.00 - $237,350.00
The Leidos pay range for this job level is a general guideline only and not a guarantee of compensation or salary. Additional factors considered in extending an offer include (but are not limited to) responsibilities of the job, education, experience, knowledge, skills, and abilities, as well as internal equity, alignment with market data, applicable bargaining agreement (if any), or other law.
