About The Position

Chief Security Architect, Developer Experience

"Wanted: The architect who sees that the ATO process isn't a compliance problem—it's an engineering problem—and knows how to build the solution."

Large-scale software delivery in regulated, defense-focused environments runs into the same wall everywhere you look. The compliance process was designed to create an audit trail. It wasn't designed to enforce security. SSPs capture intent. ATOs authorize environments at a point in time. And by the time the ink is dry, the system has already moved.

The developers building mission-critical software know this pattern. The security organizations know it too. The question has never been whether this model needs to change—it's whether anyone has the engineering depth and the security credibility to build something that actually replaces it. That's why this role exists.

We're building the platform that is transforming how thousands of Leidos engineers build and deliver software. At the center of that platform is a fundamental re-architecture of how compliance works: not as a gate you pass through, but as code woven into the infrastructure itself. Policy-as-code. Continuous compliance evidence. A platform ATO that programs inherit rather than pursue on their own.

The goal is a platform that the enterprise security organization looks at and says: this is the thing we've been trying to build for years. These people aren't going around us. They're handing us superpowers. You're the person who builds it. And you're the person who makes that realization inevitable.

Why This Role Matters

Security and compliance in defense-sector software delivery have long lived in a structural paradox: the processes designed to protect mission software are the same processes that slow it down. Manual authorization cycles. Point-in-time snapshots. Documentation that proves intent but not execution. Every program team re-solves the same compliance problems. Every platform that wants to help them has to run the gauntlet first.

What you'll build isn't a workaround. It's a better architecture: policy-as-code that enforces compliance at the moment of deployment, continuous evidence that gives auditors real-time proof instead of point-in-time packages, and a platform-level ATO that program teams can inherit rather than pursue. The result is a security posture that's demonstrably stronger than manual review—stricter, more consistent, and far more scalable.

Leidos is one of the largest engineering organizations supporting national security, with thousands of developers building mission-critical software across hundreds of programs. What you build here will shape how that software is delivered—and whether the security guaranteeing it is a paper promise or an enforced fact. If you've spent your career knowing this was possible and waiting for an organization big enough to matter and willing enough to move—this is it.

What You'll Face

  • A compliance process built for steady-state operations being applied to a build phase that requires a fundamentally different engagement model.
  • A corporate security organization that understands the problem and wants velocity—and needs a technical partner who can help turn that stated value into structural change.
  • Agentic AI tooling that is arriving faster than enterprise security controls can be designed for it. You'll be building the plane while flying it.
  • The bootstrapping paradox: you're using the manual compliance process to build the tool that automates the manual compliance process. Every week in review is a week you're not building what eliminates the need for review.
  • Programs that need platform ATOs now and a platform that isn't mature enough yet to grant them.

And still, you'll make progress. Because you've navigated this before. You know what's possible, you know what takes time, and you know how to keep moving when both are true simultaneously.
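To make "policy-as-code that enforces compliance at the moment of deployment" concrete, here is an added example; it is not code from the Leidos platform or from this posting. It is an OPA admission policy written in Rego, the kind of artifact the Requirements below ask for: three enforcement rules (approved registry, digest-pinned image, non-root container), one attribution rule (required labels), and an evidence record emitted with every decision so the admission log can serve as continuous compliance evidence. The registry names, the `platform.example` label keys and the package name are assumptions; `registry1.dso.mil` is Platform One's Iron Bank registry, included because the posting names Platform One.

```rego
package kubernetes.admission

import rego.v1

# Registries inside the platform ATO boundary (assumed values; registry1.dso.mil
# is Platform One's Iron Bank, the second is a placeholder for a platform Harbor).
approved_registries := {"registry1.dso.mil", "harbor.platform.example"}

# Labels every workload must carry so each admission decision can be attributed
# to the inheriting program (assumed label keys).
required_labels := {"platform.example/program-id", "platform.example/control-owner"}

# --- Enforcement: every matching rule adds a message to the `deny` set ---

# Images must come from a registry the platform ATO covers.
deny contains msg if {
	is_pod
	some c in all_containers
	not from_approved_registry(c.image)
	msg := sprintf("%s: image %q is outside the approved registries %v", [c.name, c.image, approved_registries])
}

# Images must be pinned by digest so the image that was scanned is the image that runs.
deny contains msg if {
	is_pod
	some c in all_containers
	not contains(c.image, "@sha256:")
	msg := sprintf("%s: image %q must be pinned by sha256 digest, not a mutable tag", [c.name, c.image])
}

# Containers may not run as root (platform hardening baseline).
deny contains msg if {
	is_pod
	some c in all_containers
	not object.get(c, ["securityContext", "runAsNonRoot"], false)
	msg := sprintf("%s: securityContext.runAsNonRoot must be true", [c.name])
}

# Workloads must be attributable, or the evidence cannot be tied to a program.
deny contains msg if {
	is_pod
	some label in required_labels
	not input.request.object.metadata.labels[label]
	msg := sprintf("missing label %q required to attribute compliance evidence", [label])
}

# --- Helpers ---

is_pod if input.request.kind.kind == "Pod"

# Init containers are checked with the same rules as regular containers.
all_containers contains c if some c in input.request.object.spec.containers
all_containers contains c if some c in input.request.object.spec.initContainers

from_approved_registry(image) if {
	some reg in approved_registries
	startswith(image, concat("", [reg, "/"]))
}

# --- Evidence: one structured record per decision ---
# Logged from the webhook (or queried with `opa eval`), the stream of these records
# is continuous evidence of the control being enforced, not a point-in-time screenshot.
evidence := {
	"policy": "kubernetes.admission",
	"namespace": object.get(input.request, "namespace", ""),
	"workload": object.get(input.request.object.metadata, "name", ""),
	"labels": object.get(input.request.object.metadata, "labels", {}),
	"allowed": count(deny) == 0,
	"findings": deny,
}
```

Offline, a captured AdmissionReview can be evaluated with `opa eval -i request.json -d policy.rego 'data.kubernetes.admission.evidence'`; an image such as `docker.io/library/nginx:latest` with no labels will produce four findings and `allowed: false`. Under OPA Gatekeeper the same rules move into a ConstraintTemplate and read `input.review.object` instead of `input.request.object`; under Kyverno the registry and digest checks are expressed as `validate` and `verifyImages` rules rather than Rego.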

Requirements

  • Master's degree in Computer Science, Information Security, Software Engineering, or related technical field.
  • 15+ years of experience in security architecture, DevSecOps, platform security, or related disciplines—with significant hands-on work, not just advisory roles.
  • Deep expertise in policy-as-code tooling: Open Policy Agent (OPA), Kyverno, Rego, Sentinel, or equivalent. You've written policies in production, not just evaluated the category.
  • Strong working knowledge of compliance frameworks: NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, DoD IL4/IL5/IL6, RMF, CMMC. You understand the controls, what satisfies them, and how to build automated evidence.
  • Hands-on experience with container and Kubernetes security: admission controllers, image scanning, network policies, runtime security, and hardened base images.
  • Experience with CI/CD pipeline security: SAST/DAST, SCA, container scanning, IaC scanning, secrets management, hardened images/libraries, and how to integrate these into developer workflows without crushing velocity.
  • Familiarity with software supply chain security: supply chain integrity frameworks (SLSA, in-toto), SBOM standards (CycloneDX, SPDX), signed commits, and provenance tooling.
  • Experience designing security for AI-assisted development environments, including agent tooling, MCP server governance, LLM-integrated development pipelines, or equivalent emerging threat surfaces (or demonstrated ability to reason credibly about novel security architectures).
  • Proven ability to engage effectively with security and compliance stakeholders—not just technically, but organizationally. You've worked with ISSOs/ISSMs, auditors, and compliance teams. You know how to move them.
  • Excellent communication skills—you can explain a Kubernetes admission webhook to a CISO and a FedRAMP control to a platform engineer, and make both conversations productive.
  • U.S. citizenship required; ability to obtain and maintain a security clearance.

Nice To Haves

  • Direct experience with USAF Platform One, DISA Repo One, or equivalent DoD DevSecOps programs—you've seen what continuous ATO looks like in practice.
  • Background working with 3PAOs, DCMA, or other external auditors in the context of FedRAMP, DoD IL authorization, or RMF.
  • Hands-on experience with Wiz, Prisma Cloud, Orca, or equivalent cloud security posture management platforms.
  • Familiarity with RegScale, Telos Xacta, or equivalent GRC tooling and how to automate evidence flows into them.
  • Experience building or operating an Internal Developer Portal (Backstage, Cortex, or custom) with security capabilities integrated.
  • CISSP, CCSP, or equivalent security certifications (valued but not required if the work speaks for itself).

Responsibilities

  • Architect the compliance engine.
  • Own the platform ATO strategy.
  • Be the enterprise security team's most important technical partner.
  • Build the agentic AI security model.
  • Own security architecture across the developer platform.
  • Lead the supply chain security effort.
  • Drive ATO process re-architecture.

Benefits

  • Pay and benefits are fundamental to any career decision. That's why we craft compensation packages that reflect the importance of the work we do for our customers.
  • Employment benefits include competitive compensation, Health and Wellness programs, Income Protection, Paid Leave and Retirement.
© 2024 Teal Labs, Inc