Cyber PKI Administrator

About The Position

Requirements

• U.S. Citizenship and a minimum active Secret security clearance are required for this position. Certain task orders or work locations may require a Top Secret (TS) or TS/SCI clearance. All personnel must be able to obtain and maintain the required clearance level and must possess a valid DoD Common Access Card (CAC). Personnel may be required to access systems across multiple classification domains, including Unclassified (NIPR), Secret (SIPR), and Top Secret/Collateral networks.
• Bachelor's degree in Computer Science, Computer Engineering, Information Technology, Information Systems, Cybersecurity, or a closely related technical field; OR Associate's degree in a related technical field plus additional qualifying experience; OR Equivalent combination of education, training, and directly relevant DoD IT experience.
• Hands-on experience administering enterprise PKI in a Windows Active Directory environment, including Certificate Authorities, OCSP, and CRL distribution.
• Working knowledge of Hardware Security Modules (HSMs) and FIPS 140-2/140-3 operational requirements.
• Experience with cryptographic key lifecycle management: generation, backup, cloning, restoration, escrow, and destruction.
• Working knowledge of Windows Server operating systems (2016/2019/2022), Active Directory, Group Policy, and PowerShell scripting.
• Understanding of cryptographic concepts: asymmetric and symmetric algorithms, hashing, digital signatures, X.509 certificate structure, and certificate chain validation.
• Ability to apply DoD STIGs and IAVAs to maintain system compliance.
• Ability to operate under strict two-person integrity, separation-of-duties, and audit controls.
• Ability to create and maintain technical documentation, SOPs, and key ceremony scripts.
• Ability to work shift hours, weekends, or on-call rotations as required by task order.
• Strong oral and written communication skills; ability to brief technical topics to non-technical stakeholders.
• DoD Directive 8570.01-M / DoD 8140 baseline certification requirements applicable to their assigned Cyber IT/Cybersecurity role. The following certifications satisfy the minimum IAT Level II requirement: CompTIA Security+ CE, Cisco CCNA Security, CySA+ (CompTIA Cybersecurity Analyst), GIAC Security Essentials (GSEC), Systems Security Certified Practitioner (SSCP).
• Additional computing environment (CE) certifications may be required depending on the specific technologies managed (e.g., Microsoft, VMware, Red Hat, Cisco). Certifications must be current and maintained throughout the period of performance.

Nice To Haves

• Experience in a DoD, Intelligence Community, or Federal Government IT environment.
• Direct hands-on experience with Thales Luna Network HSM or Luna PCIe HSM appliances and associated administrative tooling.
• Experience operating Microsoft Active Directory Certificate Services (AD CS) at enterprise scale.
• Experience with OCSP responders, CRL signing, and Certificate Transparency.
• Experience supporting DoD PKI, NSS PKI, or External Certification Authority (ECA) programs.
• Familiarity with HSM integration with VMware, Microsoft IIS, F5, and other PKI-consuming platforms.
• Familiarity with DoD RMF processes, eMASS, and A&A documentation.
• Knowledge of DoD Identity, Credential, and Access Management (ICAM) frameworks.
• PowerShell, Python, or Bash scripting for PKI and HSM automation.
• The Thales Luna HSM Professional Engineer certification is strongly desired. As an alternative pathway, a candidate who possesses the credentials and demonstrated experience to be granted Domain Administrator privileges may be considered, provided the candidate commits to achieving the Thales Luna HSM Professional Engineer certification within six (6) months of hire.

Responsibilities

• Install, configure, and maintain enterprise-class Hardware Security Module (HSM) appliances in accordance with vendor best practices, DoD security configuration baselines, and approved standard operating procedures (SOPs).
• Monitor HSM health, performance, and availability; identify, troubleshoot, and resolve hardware, firmware, and client-side issues in a timely manner.
• Perform HSM firmware updates, software patches, and supporting client software upgrades in compliance with DoD Information Assurance Vulnerability Management (IAVM) requirements and Government-directed maintenance windows.
• Maintain HSM configuration documentation, baseline records, and change logs in accordance with configuration management processes.
• Partition and Role Management: Create and manage HSM partitions, assign cryptographic officer and user roles, and enforce quorum (M of N) authentication controls so that no single individual can perform sensitive operations.
• Key Lifecycle Management: Oversee the full lifecycle of cryptographic key material — generation, distribution, rotation, backup, escrow, restoration, and destruction — and maintain chain-of-custody documentation for all key operations.
• Key Ceremony Execution: Plan and execute formal key ceremonies for Root and Issuing Certificate Authority events; develop and maintain ceremony scripts and witness logs.
• Tamper Integrity: Maintain tamper-evident packaging, seal logs, and physical inspection records consistent with FIPS 140-2/140-3 operational guidance.
• Operate and maintain enterprise Certificate Authorities, Online Certificate Status Protocol (OCSP) responders, and Certificate Revocation List (CRL) distribution services across multiple classification domains.
• Issue, renew, revoke, and replace DoD and National Security System (NSS) PKI certificates for web servers, domain controllers, Domain Name System (DNS) servers, and other infrastructure components.
• Expiration Tracking: Build and maintain a comprehensive certificate expiration tracker; coordinate proactive renewal with affected system owners to prevent service disruption and report status to Government leadership on a recurring cadence.
• Root and Policy CA Operations: Support Root and Policy Certificate Authority lifecycle events, including offline operations, approved key ceremonies, and Government-directed updates.
• Smart Card and CAC Integration: Manage Common Access Card (CAC) and PKI integration for Government and contractor personnel, including user authentication, certificate mapping, and smart-card-based access controls.
• PKI Consumer Coordination: Partner with Domain Services, application, database, and platform teams to ensure dependent systems consume PKI services correctly and remain compliant with cryptographic standards.
• Enforce physical and logical access controls to HSM appliances; maintain access rosters and coordinate facility access with Government POCs.
• Execute two-person rule procedures for sensitive cryptographic operations in partnership with designated backup administrators.
• Train and qualify designated backup administrators from the broader operations team to maintain emergency access to the cryptographic environment, ensuring continuity of operations without compromising separation of duties.
• Audit privileged access to the cryptographic environment on a recurring basis and report findings to Government leadership.
• Ensure all PKI and HSM systems maintain compliance with DoD Security Technical Implementation Guides (STIGs), Information Assurance Vulnerability Alerts (IAVAs), and applicable Command Cyber Tasking Orders (CCTOs).
• Conduct and analyze vulnerability scans (e.g., ACAS/Nessus) of HSM management interfaces and PKI infrastructure; apply remediations including security patches, configuration changes, and STIG settings within Government-required timelines.
• Support Risk Management Framework (RMF) activities including the development and maintenance of system security documentation, Plan of Action and Milestones (POA&Ms), and Assessment and Authorization (A&A) artifacts for the cryptographic environment.
• Log Auditing: Review HSM and Certificate Authority audit logs on a recurring schedule, investigate anomalies, and coordinate with the defensive cyber operations team on any indicators of compromise.
• Adhere to DoD 8570.01-M / DoD 8140 Information Assurance workforce requirements applicable to the assigned role.
• Develop, update, and maintain SOPs, Work Instructions (WIs), key ceremony scripts, and technical documentation for all supported cryptographic services.
• Provide status updates, incident reports, and After Action Reports (AARs) as required by Government leadership.
• Participate in configuration change control board (CCB) processes; coordinate all PKI and HSM changes through approved change management procedures.
• Collaborate with network, cybersecurity, server operations, and application teams to resolve cross-functional issues.
• Provide technical support and training to end users and junior staff as needed.

Benefits

• Competitive salary based on experience
• Comprehensive benefits package including health, dental, vision, and retirement plans
• Paid time off and holidays