Your Mission 

We are seeking a rare combination of disciplines: an experienced Sr. Compliance Engineer with deep AI Subject Matter Expertise (SME) and export compliance background to join our Governance, Risk, and Compliance (GRC) team. This role is responsible for building, implementing, and sustaining the organizational compliance posture across key regulatory and security frameworks — with a primary emphasis on RMF (NIST 800-53 Rev. 5 + Classified Overlays), CMMC Level 3, NIST 800-171 Rev. 3, EAR/ITAR cyber regulations, and — critically - the governance, risk management, and compliance controls surrounding AI/ML systems and large language models (LLMs) deployed across the enterprise. 

As AI becomes embedded in True Anomaly's operations, mission systems, and products, this role serves as the organizational authority on how AI capabilities are adopted, audited, and controlled responsibly. You will architect and operationalize compliance checkpoints and governance gates within LLM pipelines, evaluate AI vendors and platforms (including OpenAI, Anthropic Claude, and others) against classified and unclassified compliance requirements, and ensure AI-driven workflows satisfy both regulatory obligations and internal risk tolerance. 

The ideal candidate brings deep GRC knowledge, hands-on AI/LLM engineering fluency, and the ability to engage credibly with compliance assessors, government partners, and internal AI/ML engineering teams alike. 

Responsibilities 

Compliance Program Execution 

• Lead and support compliance assessment readiness across key organizational frameworks including NIST SP 800-171 Rev. 2 and 3, CMMC Level 3, NIST SP 800-53 Rev. 5, and the NIST Cybersecurity Framework (CSF). 

• Provide direction on cybersecurity readiness to address EAR and ITAR-related controls and requirements. 

• Drive CMMC readiness activities across the organization, including scoping, gap analysis, control implementation validation, evidence collection, and pre-assessment preparation. 

• Review, maintain, and mature System Security Plans (SSPs) to accurately reflect organizational control implementations, system boundaries, and operational practices — including AI/ML system boundaries and data flows. 

• Manage Plans of Actions and Milestones (POA&Ms), tracking open findings to resolution, communicating status to GRC leadership, and coordinating remediation efforts across responsible teams. 

• Conduct internal compliance audits and control effectiveness reviews to ensure ongoing adherence to applicable frameworks and to surface emerging gaps before external assessments. 

• Maintain audit-ready evidence repositories and documentation packages, ensuring traceability between controls, evidence, and framework requirements. 

AI Governance, Risk & Compliance (AI-GRC) 

• Serve as the organizational AI compliance SME — the primary authority on how AI/LLM systems (including OpenAI GPT models, Anthropic Claude, open-source models, and internally developed models) are evaluated, onboarded, and continuously governed within True Anomaly's compliance boundaries. 

• Design, implement, and maintain compliance checkpoints and enforcement gates within LLM pipelines, including:  

• Input/output filtering and content policy enforcement layers 

• Prompt injection detection and mitigation controls 

• Data classification guardrails to prevent CUI, ITAR-controlled, or classified data from flowing into non-authorized AI systems or endpoints 

• Automated audit logging of AI interactions for traceability and incident investigation 

• Model access control and role-based permissions within AI platforms 

• Conduct AI-specific risk assessments, including evaluation of AI vendor data handling practices, model training data provenance, and third-party AI API security postures against NIST AI RMF, NIST SP 800-53 AI overlays, and internal standards. 

• Develop and enforce an AI System Acceptable Use Policy and supporting standards that govern how employees and systems interact with LLMs, including permissible data inputs, output handling, human-in-the-loop requirements, and escalation procedures. 

• Evaluate proposed AI/ML use cases for regulatory risk (EAR/ITAR, CMMC, data privacy) and provide compliance go/no-go determinations with documented rationale. 

• Collaborate with AI/ML engineers and DevSecOps teams to integrate compliance gates into CI/CD pipelines and MLOps workflows, ensuring model changes and prompt changes undergo review before production deployment. 

• Maintain an AI system inventory, tracking all deployed models, APIs, integrations, and associated risk and compliance status. 

• Monitor emerging AI regulatory developments (e.g., EO 14110, NIST AI RMF, DoD AI Ethics Principles, EU AI Act implications for U.S. defense partners) and assess organizational impact. 

Cross-Functional Compliance Enablement 

• Serve as a primary GRC team resource for compliance questions, control guidance, and framework interpretation across engineering, IT, operations, legal, and security teams. 

• Partner with IT and security operations teams to verify that technical controls — including access management, logging, configuration baselines, and incident response procedures — meet CMMC and NIST requirements at an organizational level. 

• Partner with AI/ML engineers, data scientists, and product teams to embed compliance thinking into AI system design, model selection, and deployment architecture. 

• Collaborate with the Enterprise Risk Manager and broader GRC leadership to ensure compliance findings — including AI-specific risks — are reflected in the enterprise risk register and remediation priorities. 

• Support the development of compliance training and awareness materials, including AI-specific training that builds organizational understanding of responsible AI use, LLM risk, and CMMC obligations. 

• Coordinate with external assessors, third-party auditors, and government partners during assessment engagements, serving as a knowledgeable point of contact for evidence walkthroughs and control discussions. 

Qualifications 

• 7+ years of experience in IT security compliance, GRC, or a closely related discipline, with direct ownership of compliance program activities. 

• Demonstrated expertise in NIST SP 800-171, CMMC (Level 2 or 3), and NIST SP 800-53, with hands-on experience conducting gap assessments, implementing controls, and preparing organizations for external audits. 

• Extensive, hands-on experience with AI/LLM systems, including practical knowledge of platforms such as OpenAI (GPT-4/o-series), Anthropic Claude, Meta Llama, Microsoft Azure OpenAI Service, and/or comparable commercial and open-source LLM ecosystems. 

• Demonstrated ability to design, implement, and operationalize compliance controls within LLM pipelines, including guardrail layers, content filtering, audit logging hooks, and data classification enforcement. 

• Working knowledge of AI security risks, including prompt injection, jailbreaking, data exfiltration via LLM outputs, model inversion, and supply chain risks associated with third-party AI APIs. 

• Familiarity with NIST AI Risk Management Framework (AI RMF) and its application to enterprise and defense AI deployments. 

• Strong understanding of SSP development and maintenance, POA&M management, and audit evidence lifecycle practices in an organizational (non-product) compliance context. 

• Proven experience developing and operationalizing information security policies, standards, and procedures across a multi-disciplinary organization. 

• Strong communication skills with the ability to explain compliance requirements — including AI risk concepts — clearly to both technical practitioners and non-technical business stakeholders. 

• Highly organized, with demonstrated ability to manage multiple concurrent compliance workstreams and deadlines in a fast-paced environment. 

• Active or ability to obtain SECRET or TS/SCI security clearance. 

• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 

Preferred Qualifications 

• Strong EAR/ITAR background as it pertains to cybersecurity, AI-generated outputs, and policy development. 

• J.D. focusing on technology law, export compliance (EAR and ITAR), AI regulation, or cyber law. 

• Experience building MLOps or AI DevSecOps pipelines with integrated compliance gates, including automated policy enforcement, prompt review workflows, or model change management processes. 

• Hands-on experience with AI safety and alignment tooling (e.g., LangChain guardrails, NeMo Guardrails, Azure Content Safety, OpenAI Moderation API, Anthropic Constitutional AI/policy layer configurations). 

• Experience evaluating AI vendor agreements and data processing agreements against DoD/CMMC/ITAR data handling requirements. 

• Familiarity with DoD AI Ethics Principles, Responsible AI (RAI) frameworks, and emerging federal AI governance requirements (e.g., EO 14110, OMB AI guidance). 

• Industry certifications such as:  

• Certified Information Systems Auditor (CISA) 

• Certified in Risk and Information Systems Control (CRISC) 

• Certified Information Systems Security Professional (CISSP) 

• CMMC Registered Practitioner (RP) or Certified Professional (CP) 

• CompTIA Security+ or equivalent 

• AWS/Azure AI or Security certifications 

• Background in startup, aerospace, defense technology, or SaaS environments operating under DoD compliance obligations. 

• Familiarity with cloud environments — particularly Azure Government, AWS GovCloud, or Azure OpenAI Government deployments — as they relate to organizational control implementation and AI boundary scoping. 

• Experience coordinating with C/3PAOs or supporting CMMC assessments. 

• Working knowledge of DFARS 252.204-7012, ITAR, and supply chain compliance obligations. 

• Familiarity with Agile/Scrum environments and hybrid project delivery models. 

Compensation 

• Base Salary: Denver - $145,000 to $195,000, Long Beach - $150,000 to $205,000, Washington, DC - $150,000 to $205,000 

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience. 

Additional Requirements 

• Work Location: Successful candidates will be located near Denver, CO, Long Beach, CA, or Washington D.C. While we observe a hybrid work environment, some work must be done on site. #LI-Onsite

• Work Environment: Standard office setting, working at a desk or in a production factory environment. 

• Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs. 

This position will be open until it is successfully filled. 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State. 

We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know. 

Your Mission 

We are seeking a Senior Enterprise Risk Manager to build, lead, and mature two distinct but interconnected lines of effort: Enterprise Risk Management (ERM) and Third-Party Vendor Risk Management (TPVRM). This is a foundational leadership role for a seasoned risk professional who thrives in fast-moving, mission-critical environments and understands the unique demands of operating at the intersection of defense, aerospace, and commercial SaaS. 

The ideal candidate brings deep experience navigating regulated government environments—including RMF, DoD IL5/IL6, and CMMC—and is fluent in industry-standard risk quantification and assessment methodologies such as FAIR (Factor Analysis of Information Risk) and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation). They pair that expertise with a startup mindset that enables them to build programs from the ground up, not just maintain inherited ones. You will work cross-functionally with engineering, security, legal, compliance, product, and executive leadership to identify, assess, communicate, and mitigate risk across the enterprise and its extended supply chain. 

Responsibilities: 

Enterprise Risk Management 

• Design, implement, and continuously mature a scalable enterprise risk management program aligned to NIST RMF, ISO 31000, and applicable DoD frameworks. 

• Apply FAIR methodology to quantify cyber and operational risk in financial terms, enabling data-driven prioritization and executive-level risk decision-making. 

• Leverage OCTAVE or similar threat-centric methodologies to lead structured risk assessments that identify critical assets, threat profiles, and organizational vulnerabilities. 

• Establish and maintain an enterprise risk register, risk appetite statements, and risk tolerance thresholds in collaboration with executive leadership and the Board (as applicable). 

• Lead recurring risk identification, assessment, and prioritization processes across business units, ensuring alignment between operational risk posture and strategic objectives. 

• Develop and maintain executive-ready risk dashboards, KPI/KRI reporting, and program metrics using tools such as Jira, Confluence, GRC platforms, and MS Project. 

• Conduct and coordinate internal audits and risk assessments to ensure adherence to DoD compliance standards, including NIST SP 800-53 Rev. 5, NIST SP 800-171, RMF (IL5 and IL6), and CMMC Level 3. 

• Support audit readiness activities including pre-assessment preparation, evidence collection, POA&M management, and post-audit remediation planning. 

• Develop, implement, and mature information security and enterprise risk policies, standards, and guidelines based on industry best practices. 

• Serve as a primary point of contact for internal stakeholders, executive leadership, and external assessors, certification bodies, and government partners. 

Third-Party Vendor Risk Management 

• Build and lead a formalized Third-Party Vendor Risk Management program, establishing vendor classification tiers, risk assessment methodologies, and ongoing monitoring cadences. 

• Define and operationalize vendor onboarding risk assessments, including security questionnaires, compliance validations, and contractual risk controls (e.g., SLAs, right-to-audit clauses, data handling requirements). 

• Maintain a vendor risk inventory and lifecycle management process covering initial due diligence through offboarding, ensuring continuous visibility into third-party risk exposure. 

• Collaborate with legal, procurement, and supply chain teams to embed risk criteria into vendor selection, contract negotiation, and renewal processes. 

• Monitor third-party vendors for changes in risk posture, including cybersecurity incidents, financial instability, regulatory actions, and ITAR/export control concerns. 

• Develop vendor risk reporting and executive-level dashboards to provide ongoing transparency into third-party exposure across critical suppliers and technology partners. 

• Ensure TPVRM program alignment with applicable regulatory requirements including CMMC supply chain requirements, DFARS clauses, and DoD IL environment authorization boundaries. 

Cross-Functional Leadership 

• Build, mentor, and provide technical guidance to junior risk team members and project contributors across both lines of effort. 

• Drive alignment across engineering, security operations, product compliance, IT operations, legal, and business operations teams on risk priorities and remediation timelines. 

• Track program milestones, identify dependencies and blockers, and drive timely course corrections with a bias toward action. 

• Continuously improve program workflows, reporting processes, and team coordination for scalable, repeatable, and consistent risk program execution. 

• Proactively track emerging regulatory, threat, and supply chain risk requirements and update program posture accordingly. 

Qualifications 

• 10+ years of experience in enterprise risk management, GRC, cybersecurity risk, or related disciplines, with demonstrated ownership of risk programs at a senior level. 

• Proven track record in startup or high-growth technology environments, with demonstrated ability to build risk programs from the ground up under resource and time constraints. 

• Experience applying FAIR for risk quantification and OCTAVE or similar frameworks for threat and asset-centric risk assessments. 

• Direct experience with U.S. government or defense sector programs, including working knowledge of DoD RMF (IL5 and IL6), NIST SP 800-53, NIST SP 800-171, and CMMC. 

• Hands-on experience leading or significantly contributing to Third-Party/Vendor Risk Management programs, including vendor tiering, due diligence workflows, and ongoing monitoring. 

• Strong proficiency in risk management and GRC documentation tools including Jira, Confluence (Atlassian suite), MS Project, enterprise GRC platforms, and MS Visio or Lucidchart. 

• Excellent communication and stakeholder management skills, with a strong ability to translate technical risk into business language for executives and board-level audiences. 

• Active or ability to obtain SECRET, TS/SCI security clearance. 

• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 

Preferred Qualifications 

• Background in aerospace, defense technology, or SaaS companies operating in regulated government markets; experience with both commercial and government customer bases strongly preferred. 

• Proficient with creating risk programs in a startup environment, scaling, and adapting to changing organizational structure 

• Experience managing certification or authorization initiatives across one or more of: FedRAMP, SOC 2, DoDIN APL, ISO 27001, CMMC as it pertains to risk. 

• Industry certifications such as:  

• Certified in Risk and Information Systems Control (CRISC) 

• Certified Information Systems Auditor (CISA) 

• Certified Information Systems Security Professional (CISSP) 

• Certified in the Governance of Enterprise IT (CGEIT) 

• Certified ScrumMaster (CSM) or Agile PM certification 

• Experience with cloud environments, particularly Azure Government and/or AWS GovCloud, and understanding of authorization boundary design. 

• Working knowledge of ITAR, EAR, and export control considerations as they apply to vendor and supply chain risk. 

• Familiarity with Agile/Scrum and hybrid project delivery models. 

• Experience with DFARS, FAR, and government contracting compliance requirements. 

Compensation 

• Base Salary: Denver - $160,000 to $220,000, Long Beach - $165,000 to $230,000, Washington DC - $165,000 to $230,000 

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience. 

Additional Requirements 

• Work Location: This role will be onsite at one of our facilities in Centennial, CO, Long Beach, California, or Washington, D.C. #LI-Onsite 

• Work Environment: Standard office setting, working at a desk or in a production factory environment  

• Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs. 

This position will be open until it is successfully filled. 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State. 

We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know. 

Your Mission 

We are seeking a driven and detail-oriented Enterprise Risk Analyst to support two distinct but interconnected lines of effort: Enterprise Risk Management (ERM) and Third-Party Vendor Risk Management (TPVRM). Reporting to the Senior Enterprise Risk Manager, you will play a hands-on role in executing risk assessments, maintaining program documentation, tracking remediation activities, and building the data foundation that powers executive-level risk decision-making. 

This role is ideal for a mid-career risk professional who is fluent in frameworks such as NIST RMF and CMMC, is developing practical experience with risk quantification methodologies like FAIR and OCTAVE, and is eager to grow within a fast-paced aerospace and defense SaaS environment. You will work closely with engineering, security, legal, compliance, and operations teams to help identify, document, and track risk across the enterprise and its third-party supply chain. 

Responsibilities:

Enterprise Risk Management 

• Support the design, execution, and continuous improvement of the enterprise risk management program under the direction of the Senior Enterprise Risk Manager. 

• Assist in conducting structured risk assessments using OCTAVE or similar threat-and-asset-centric methodologies, documenting findings, threat profiles, and recommended mitigations. 

• Support the application of FAIR methodology to help quantify risks in financial terms and contribute to risk prioritization analyses for leadership. 

• Maintain and update the enterprise risk register, ensuring accuracy of risk ratings, ownership assignments, remediation status, and residual risk tracking. 

• Build and maintain program dashboards, KPI/KRI reports, and status tracking using tools such as Jira, Confluence, enterprise GRC platforms, and MS Project. 

• Assist with audit readiness activities including evidence collection, pre-assessment preparation, control documentation, and post-audit remediation tracking. 

• Support POA&M management for IL5 and IL6 environments, tracking open items to closure and escalating blockers to the Enterprise Risk Manager. 

• Contribute to the development and maintenance of risk policies, standards, and guidelines aligned to NIST SP 800-53 Rev. 5, NIST SP 800-171, RMF, and CMMC Level 3. 

• Coordinate and track internal audit schedules, findings, and corrective action plans across business units. 

Third-Party Vendor Risk Management 

• Execute vendor risk assessments as part of the onboarding and periodic review lifecycle, including security questionnaire administration, documentation review, and risk scoring. 

• Maintain the vendor risk inventory and lifecycle tracking records, ensuring all vendors are appropriately tiered and assessed on schedule. 

• Monitor vendor risk signals including cybersecurity advisories, regulatory actions, and contractual compliance status, escalating material changes to the Enterprise Risk Manager. 

• Support contract and procurement teams by providing vendor risk assessment findings and recommended risk mitigation language. 

• Assist in ensuring TPVRM program alignment with CMMC supply chain requirements, DFARS clauses, and ITAR/export control considerations for critical suppliers. 

• Develop and maintain vendor risk reporting inputs and dashboard content to support executive-level visibility into third-party risk exposure. 

Cross-Functional Collaboration 

• Serve as a reliable day-to-day point of contact for risk-related inquiries from internal stakeholders across engineering, security, operations, and legal teams. 

• Track program milestones, action items, and deliverables, proactively communicating status and flagging risks or dependencies to the Enterprise Risk Manager. 

• Continuously improve risk program workflows, documentation templates, and reporting processes to support scalable and repeatable execution. 

• Support the preparation of materials for internal leadership briefings, external assessor interactions, and government partner reviews. 

Qualifications 

• 5+ years of experience in enterprise risk management, GRC, cybersecurity risk, compliance, or a closely related discipline. 

• Working knowledge of NIST SP 800-53, NIST SP 800-171, DoD RMF (IL5/IL6), and CMMC, with direct experience supporting assessments or audits under one or more of these frameworks. 

• Familiarity with risk assessment methodologies including FAIR and/or OCTAVE, with a desire to deepen applied expertise in risk quantification. 

• Experience supporting or executing third-party/vendor risk assessments, including questionnaire administration, documentation review, and risk tracking. 

• Hands-on experience with program management and GRC documentation tools including Jira, Confluence (Atlassian suite), MS Project, enterprise GRC platforms, and MS Visio or Lucidchart. 

• Strong written and verbal communication skills, with the ability to clearly document findings and translate risk concepts for both technical and non-technical audiences. 

• Highly organized, self-directed, and comfortable managing multiple workstreams simultaneously in a fast-paced, regulated environment. 

• Active or ability to obtain SECRET, TS/SCI security clearance. 

• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 

Preferred Qualifications 

• Background in startup, aerospace, defense technology, or SaaS companies operating in regulated government markets. 

• Industry certifications such as:  

• Certified in Risk and Information Systems Control (CRISC) 

• Certified Information Systems Auditor (CISA) 

• Open FAIR Certification (The Open Group) 

• CompTIA Security+ or equivalent 

• Certified ScrumMaster (CSM) or similar Agile certification 

• Experience with cloud environments, particularly Azure Government and/or AWS GovCloud. 

• Familiarity with POA&M management, SSP documentation, and audit evidence collection in DoD authorization contexts. 

• Working knowledge of ITAR, EAR, DFARS, and export control considerations as they relate to vendor and supply chain risk. 

• Familiarity with Agile/Scrum and hybrid project delivery models. 

Compensation 

• Base Salary: Denver - $115,000 to $155,000, Long Beach - $120,000 to $165,000, Washington, DC - $120,000 to $165,000 

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience. 

Additional Requirements 

• Work Location: This role will be onsite at one of our office locations: Centennial, CO, Long Beach, CA, or Washington, DC  #LI-Onsite 

• Work Environment: Standard office setting, working at a desk or in a production factory environment 

• Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs. 

This position will be open until it is successfully filled. 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State. 

We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know. 

YOUR MISSION

We are seeking an experienced Principal Compliance Engineer to lead the design and implementation of secure, compliant architectures within highly regulated cloud environments. This role requires deep expertise in STIG development, encryption standards, and vulnerability remediation, alongside a strong foundation in DevOps and SecOps practices, particularly within the AWS and Azure Government platform. 

The ideal candidate brings at least 10 years of experience in security engineering or technical compliance and will work cross-functionally to align cloud infrastructure and operations with frameworks such as RMF (DoD IL5 and IL6), and CMMC. This is a hands-on technical role focused on enabling and sustaining system authorization through security automation, technical control implementation, and audit readiness. 

RESPONSIBILITIES

Security & Compliance Engineering 

• Architect, implement, and maintain secure, audit-ready systems and services in AWS and Azure Government environments. 
• Develop and maintain custom STIGs (Security Technical Implementation Guides) for cloud infrastructure, SaaS applications, and IaaS/PaaS configurations and customer-deployed applications. 
• Design and enforce secure configurations using encryption standards such as FIPS 140-2/FIPS 140-3, TLS 1.2+, and data-at-rest protections for regulated data. 

DevOps & SecOps Integration 

• Embed compliance and security checks into CI/CD pipelines, ensuring that infrastructure-as-code meets regulatory and organizational policies. 
• Integrate technical controls to support monitoring, logging, and alerting consistent with RMF and CMMC requirements. 
• Partner with cybersecurity operations teams to support incident response, log review, and system hardening efforts. 

Vulnerability Management & Remediation 

• Lead the technical remediation of vulnerabilities identified through internal scans, third-party testing, or external audits. 
• Work with engineering and DevOps teams to drive secure patch management, system baseline enforcement, and automated vulnerability response workflows. 
• Maintain and operationalize vulnerability metrics dashboards aligned with continuous monitoring plans (ConMon). 

Audit Readiness & Documentation 

• Able to support and manage detailed system documentation including SSPs, network diagrams, control implementations, and POA&Ms. 
• Serve as a technical point of contact during audits and assessments, capable of demonstrating compliance posture through hands-on walkthroughs and evidence collection. 
• Collaborate with DevOps, Cybersecurity teams to translate security requirements into enforceable technical controls and testable artifacts. 

Cross-Functional Collaboration & Leadership 

• Partner with product, engineering, and compliance teams to implement secure system boundaries and customer segmentation strategies for multi-tenant environments. 
• Provide technical mentorship and occasional leadership to junior compliance engineers or project contributors. 
• Track emerging requirements and proactively update system configurations to meet evolving DoD IL5, IL6, and CMMC mandates. 

QUALIFICATIONS

• 10+ years of experience in cybersecurity engineering, cloud compliance, or DevSecOps roles. 
• Proven experience designing STIG-compliant configurations, including custom STIG development and validation. 
• Deep understanding of FIPS-validated encryption, TLS configurations, and cryptographic module implementation for data protection. 
• Hands-on experience with vulnerability scanning, remediation planning, and automated patching workflows. 
• Familiarity with DoD RMF (IL5 and IL6), CMMC and related audit frameworks. 
• Proficiency with tools such as Terraform, Ansible, Azure Policy, GitHub Actions, and common SIEM/logging platforms. 
• Experience with authorization boundary design and customer isolation techniques in AWS and Azure Gov environments. 
• Position requires an active security clearance. While all clearance levels will be considered, TS/SCI clearance holders are preferred.

PREFERRED SKILLS AND EXPERIENCE

• Experience with DoD RMF (IL5 and IL6) cloud environments. 
• Working knowledge of container security, particularly in AKS or Kubernetes-based deployments. 
• Basic people leadership experience, including mentoring or technical guidance responsibilities. 
• Industry certifications such as CISSP, CCSP, Azure Security Engineer, or relevant compliance certs (e.g., CMMC RP). 

COMPENSATION

• Colorado Base Salary: $195,000-$270,000
• California Base Salary: $205,000-$285,000
• Washington D.C. Base Salary: $205,000-$285,000
• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience. 

ADDITIONAL REQUIREMENTS

• Work Location—Successful candidates will be located near one of our office locations including Centennial, CO; Long Beach, CA; Colorado Springs, CO, or Washington D.C. 
• Work environment—the work environment; temperature, noise level, inside or outside, or other factors that will affect the person's working conditions while performing the job.
• Physical demands—the physical demands of the job, including bending, sitting, lifting and driving.

This position will be open until it is successfully filled. To submit your application, please follow the directions below.
#LI-Onsite