SECURITY & COMPLIANCE ENGINEER (SCE)

Zermount, Inc
Hybrid

About The Position

Zermount Inc. is seeking a System Compliance Engineer (SCE) to support system risk analysis and ensure that federal information systems comply with Information Assurance and cybersecurity standards. The SCE ensures that federal information systems are secure in operation, not merely compliant with documentation, directly contributing to mission assurance by identifying, validating, and mitigating real-world cybersecurity risks across enterprise environments.

This role operates at the intersection of compliance, engineering, and mission operations, transforming federal mandates (e.g., NIST RMF, FISMA, EO 14028, OMB directives) into measurable, technically enforced security outcomes. It requires continuous evaluation of the system's security posture by directly analyzing configurations, logs, architectures, and control implementations, rather than relying solely on static assessments.

The position is designed for individuals with foundational technical expertise across multiple domains, including cloud platforms, network architecture, operating systems, identity systems, and databases, who can independently assess systems, identify exploitable conditions, and validate control effectiveness.

This role is a core component of Zermount's Modern GRC mindset, emphasizing continuous monitoring, real-time risk identification, direct integration with system teams for remediation, and the elimination of "check-the-box" compliance practices. The SCE will produce decision-quality outputs for system owners, ISSOs, and leadership to make informed, risk-based decisions, including identifying control failures, recommending technically sound remediation strategies, and validating corrective actions.

Requirements

  • 5+ years of cybersecurity experience supporting U.S. Government systems
  • 4+ years performing RMF, ISSO, Assessment, or GRC functions with direct technical validation responsibilities
  • Demonstrated hands-on experience in at least two technical domains (cloud, network, systems, or databases)
  • Proven ability to analyze:
      ◦ System configurations, ATOs, and other supporting security documentation
      ◦ Logs/telemetry
      ◦ Architecture documentation and data flow diagrams
  • Ability to independently assess systems using direct technical inspection techniques, leveraging logs, configs, architecture documents, etc.
  • Deep working knowledge of critical frameworks and directives such as:
      ◦ NIST RMF (800-37, 800-53, etc.)
      ◦ FISMA, EO 14028, OMB M-21-31 / M-22-09
      ◦ FIPS 199/200
      ◦ TIC 3.0 and Zero Trust principles (CISA ZT MM, NIST 800-207, etc.)
  • Ability to identify threat surfaces within specific systems, not just control gaps
  • Ability to convert compliance requirements into specific, actionable remediation actions that system teams can use to successfully remediate findings
  • Deep knowledge of one or more of the following technical domains:
      ◦ Cloud (AWS/Azure - IAM, logging, network security, misconfigurations)
      ◦ Network (Segmentation, firewalls, boundary protections, Zero Trust enforcement points)
      ◦ Systems (Windows/Linux hardening, identity systems - AD, MFA)
      ◦ Databases/Data (Access control, encryption, auditing)
  • Experience with vulnerability scanning tools such as: Tenable, Qualys, CrowdStrike, etc.
  • Experience with log analysis platforms such as: Splunk, Microsoft Sentinel, IBM QRadar, etc.
  • Experience with configuration and system inspection tools such as: Ansible, Terraform, Puppet etc.
  • Experience with GRC platforms such as: Archer, ServiceNow, etc.
  • Bachelor of Science (B.S.) in Computer Science, IT, Cybersecurity, or a related field, and a minimum of 5 years of IT cybersecurity experience, including direct support for the US Government and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role
  • Without a B.S. in a relevant field - A minimum of 10 years of IT Cybersecurity experience, including direct support for the US Government, and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role
  • At least one of the following security certifications is required:
      ◦ Certified Authorization Professional (CAP)
      ◦ Certified Information Security Auditor (CISA)
      ◦ Certified Information Security Manager (CISM)
      ◦ Certified Information Systems Security Professional (CISSP)
      ◦ Certified Chief Information Security Officer (CCISO)
      ◦ Governance Risk & Compliance Certification (CGRC)
  • Minimum of active Secret Clearance and ability to obtain and maintain DHS suitability

Nice To Haves

  • Experience implementing or assessing Zero Trust architectures
  • Experience with CDM, ISCM, and enterprise logging programs
  • Familiarity with threat-informed defense concepts
  • Experience in hybrid cloud environments
  • Technical risk identification and prioritization
  • Independent problem-solving in ambiguous environments
  • Ability to translate policy into technical action
  • Clear communication with both engineers and leadership

Responsibilities

  • Execute RMF lifecycle (Prepare–Monitor) while validating controls directly in operational environments
  • Identify and document real-time risks through analysis of logs, telemetry, configurations, and architecture
  • Validate implementation of security controls (STIGs, MFA, encryption, access control) using system-level evidence
  • Identify exploitable misconfigurations, weak trust boundaries, and gaps across cloud, network, OS, and database layers
  • Drive POA&M actions by prioritizing risk based on exploitability and mission impact, ensuring closure within defined timelines
  • Perform continuous monitoring (ISCM/CDM) with emphasis on actual system behavior vs. reported compliance
  • Translate NIST, EO 14028, OMB, and TIC 3.0 requirements into specific technical remediation actions
  • Validate remediation actions with repeatable verification methods (not documentation review)
  • Produce executive-quality outputs (risk findings, remediation plans, executive summaries)
  • Maintain system artifacts and documentation only as a byproduct of validated technical work