Security Architect (FedRamp)

About The Position

Requirements

• 8+ years of experience in information security with 3+ years in cloud security architecture
• 3+ years of direct experience with FedRAMP authorization or FedRAMP continuous monitoring programs
• 3+ years of experience managing vulnerability remediation programs with Plan of Actions and Milestones (POA&M) tracking and closure
• 2+ years of hands-on experience with Google Kubernetes Engine (GKE), Cloud Logging/Monitoring, Customer Managed Encryption Keys (CMEK) on GCP, or equivalent cloud security services
• 2+ years of experience implementing and validating NIST 800-53 controls in production environments
• Bachelor's degree in information security, computer science, or related field
• Current security certification: CISSP, CISM
• Direct experience coordinating with Third Party Assessment Organizations (3PAO) and Public Sector Customers for FedRAMP assessments
• US-based with ability to work Eastern Standard Time core business hours.

Nice To Haves

• Experience with OSCAL frameworks and compliance automation platforms
• Knowledge of SSDF, SBOM/VEX generation, and supply chain security (NIST SP 800-161)
• Familiarity with Terraform, OPA, or infrastructure-as-code security tooling
• Background in SOC 2, ISO 27001, CMMC, or DoD IL4/5/Continuous Authority To Operate (cATO) programs
• Container security experience in Kubernetes environments

Responsibilities

• Drive vulnerability remediation to meet FedRAMP SLAs: Critical/High ≤30 days, Moderate ≤90 days, Low ≤180 days, KEV ≤14 days
• Own monthly privileged access reviews with identity removal attestations attached to Continuous Monitoring packages
• Certify asset inventory completeness and scan coverage before each Continuous Monitoring submission
• Review and validate technical evidence before submission to GRC vendor
• Act as final technical quality gate for control implementations and evidence collection
• Own FIPS 140-3 validation tracking for all cryptographic modules; maintain Appendix Q (Ports, Protocols, and Services)
• Ensure logs meet retention requirements: 12 months searchable online, 18 months archived; provide monthly attestation
• Plan and deliver annual penetration tests, red team exercises, DR/IR tests, and contingency exercises; track findings to POA&M closure
• Run SBOM/VEX generation and vendor SCRM reviews aligned to NIST SP 800-161 Rev 1
• Enforce End Of Life (EOL) software removal and trust store governance (root certificates, signing keys, Certificate Authorities [CA])
• Block FedRAMP releases lacking SCR impact analysis for boundary, crypto, logging, and control regressions
• Review all architecture changes touching FedRAMP Moderate boundary or GSS stack
• Lead technical discussions with FedRAMP PMO and Agency Sponsors
• Coordinate incident response for FedRAMP systems (one-hour reporting for high-impact incidents)
• Assist GRC and Security Operations functions in support of operational business needs.