Application Compliance & Security Lead

Johns Hopkins Applied Physics Laboratory
Laurel, MD
Onsite

About The Position

We are seeking an Application Security Leader to help us ensure our applications meet industry security standards while enabling our developers to work efficiently. You’ll be joining our enterprise applications team as the primary authority on application security and CMMC compliance, working at the intersection of compliance requirements, development practices, and security tooling. Our team builds and supports critically important applications across the laboratory, and you’ll play a key role in building a security-minded and developer-friendly culture. You’ll work with dedicated developers, information protection specialists, and compliance experts who are passionate about protecting sensitive information while delivering innovative solutions.

Requirements

  • Bachelor’s degree in Computer Science, Information Technology, or a similar technical major.
  • 5+ years in cybersecurity, GRC, or compliance and DevSecOps.
  • Solid knowledge of the CMMC framework, NIST SP 800-171, SSDF, and/or DFARS requirements, with proven ability to translate compliance frameworks into technical security controls.
  • Software development experience in .NET, Java, Python, or similar languages with a solid grasp of the software development lifecycle.
  • Experience implementing SAST, DAST, SCA, and SBOM tools such as SonarQube, Checkmarx, Veracode, Snyk, or OWASP ZAP.
  • Experience integrating security into CI/CD pipelines using tools like GitLab CI or Azure DevOps, with strong DevSecOps and shift-left security principles.
  • Ability to lead cross-team initiatives and influence without formal authority, with excellent communication skills for both technical and non-technical audiences.
  • Ability to obtain a Secret level security clearance. If selected, you will be subject to a government security clearance investigation and must meet the requirements for access to classified information. Eligibility requirements include U.S. citizenship.

Nice To Haves

  • DoD or federal contractor experience with active compliance programs.
  • Led technical teams in development or security roles.
  • Certifications such as CSSLP, CISSP, Security+, CMMC CCP/RP, CEH, or GIAC.
  • Cloud security experience with AWS, Azure, or GCP.

Responsibilities

  • Driving CMMC compliance strategy across our application portfolio, translating sophisticated requirements into actionable security controls that development teams can understand and implement.
  • Serving as the go-to resource for application teams on security and compliance matters, providing practical guidance on secure development practices and helping teams navigate CMMC, NIST 800-171, SSDF, and DFARS requirements.
  • Implementing and maintaining application security tooling including SAST, DAST, SBOM vulnerability analysis, container scanning, and dependency management, integrating these tools into CI/CD pipelines and DevSecOps workflows.
  • Guiding service and project managers through compliance requirements with concrete, SDLC-relevant examples, evaluating data security needs and establishing realistic security boundaries.
  • Integrating security reviews into agile sprints, removing process bottlenecks by collaborating with GRC and InfoSec teams, and maintaining compliance documentation for application security controls.
  • Training and mentoring developers on secure coding standards, and conducting security assessments to identify vulnerabilities.

Benefits

  • Robust education assistance program
  • Unparalleled retirement contributions
  • Healthy work/life balance
  • Retirement plans
  • Paid time off
  • Medical
  • Dental
  • Vision
  • Life insurance
  • Short-term disability
  • Long-term disability
  • Flexible spending accounts
  • Education assistance
  • Training and development
  • Sign-on bonus
  • Relocation benefits
  • Locality allowance
  • Discretionary payments for exceptional performance