SECURITY & RISK ENGINEER (SRE)

Zermount, Inc

21h•Hybrid

About The Position

Zermount Inc. is seeking a System Risk Engineer (SRE) to support system risk analysis and ensure that federal information systems comply with Information Assurance and cybersecurity standards. The SRE exists to ensure organizational systems are secure, resilient, and defensible in real-world operating conditions, not simply compliant with security documentation. This role directly contributes to mission assurance by identifying, validating, and reducing cybersecurity risk through direct technical assessment, control validation, and risk-based decision support across enterprise environments. Operating at the intersection of security engineering, risk assessment, and compliance, the SRE transforms federal mandates (e.g., NIST RMF, FISMA, EO 14028, OMB directives) into measurable security outcomes by validating the effectiveness of security controls within live systems. The role requires continuous evaluation of system posture through hands-on analysis of architectures, configurations, logs, vulnerability data, and control implementations across cloud, network, operating system, application, and database layers. This position demands foundational technical expertise across multiple domains, enabling the SRE to assess complex enterprise environments, identify exploitable conditions, and determine whether implemented security controls effectively reduce risk. The SRE is expected to go beyond documentation review and verify findings through system-level evidence, testing, and analysis, ensuring the findings reflect actual operational risk. The SRE is a core enabler of Zermount's Modern GRC mindset, which emphasizes: Continuous, real-time risk identification during compliance assessments, Risk prioritization based on exploitability, exposure, and mission impact, Direct integration with engineering and operations teams to drive remediation, Elimination of "check-the-box" compliance in favor of validated security outcomes. You will be directly responsible for supporting system authorization and mission assurance by producing objective, defensible, and technically accurate findings that enable Authorizing Officials, ISSOs, and system owners to make informed risk decisions. This includes conducting security control assessments, validating Zero Trust implementation, analyzing architectural and configuration changes, and ensuring that remediation actions are both effective and sustainable to reduce risk.

Requirements

7+ years of cybersecurity experience supporting U.S. Government systems
4+ years performing RMF, ISSO, Assessment, or GRC functions with direct technical validation responsibilities
Demonstrated hands-on experience in at least two technical domains (cloud, network, systems, or databases)
Proven ability to analyze: System configurations, ATOs, and other supporting security documentation
Proven ability to analyze: Logs/telemetry
Proven ability to analyze: Architecture documentation and data flow diagrams
Proven ability to conduct technical assessments across multiple domains
Deep knowledge of NIST RMF (800-37, 800-53, etc.)
Deep knowledge of FISMA, EO 14028, OMB M-21-31 / M-22-09
Deep knowledge of FIPS 199/200
Deep knowledge of TIC, Zero Trust principles (CISA ZT MM, NIST 800-207, etc.)
Ability to independently conduct Security Control Assessments (SCA)
Ability to independently conduct Risk Assessments (RA)
Ability to independently conduct ATO/OA activities
Capability to validate controls using System configurations
Capability to validate controls using Logs and telemetry
Capability to validate controls using Vulnerability scanning outputs
Capability to validate controls by Conducting system interviews and demos
Ability to identify real-world attack vectors and control failures, and develop actionable remediation actions that the system teams can use to successfully remediate findings
Experience with Vulnerability scanning tools such as: Tenable, Qualys, CrowdStrike, etc.
Experience with Log analysis platforms such as: Splunk, Microsoft Sentinel, IBM QRadar, etc.
Experience with Configuration and system inspection tools such as: Ansible, Terraform, Puppet, etc.
Experience with GRC platforms such as: Archer, ServiceNow, etc.
Deep knowledge of one or more of the following technical domains: Cloud (AWS/Azure IAM, logging, network security, misconfigurations), Network (Segmentation, firewalls, boundary protections, Zero Trust enforcement points), Systems (Windows/Linux hardening, identity systems AD, MFA), Databases/Data (Access control, encryption, auditing)
Bachelor of Science (B.S.) in Computer Science, IT, Cybersecurity, or a related field, and a minimum of 7 years of IT cybersecurity experience, including direct support for the US Government and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role
Without a B.S. in a relevant field - A minimum of 13 years of IT Cybersecurity experience, including direct support for the US Government, and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role
At least one of the following security certifications is required: Certified Authorization Professional (CAP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), or Certified Chief Information Security Officer (CCISO)
Governance Risk & Compliance Certification (CGRC)
Alternatively approved certifications
Minimum of active Secret Clearance and ability to obtain and maintain DHS suitability
Advanced technical risk analysis and prioritization
Independent problem-solving in ambiguous environments
Strong collaboration with system teams, federal leads
Ability to translate complex technical findings into actionable recommendations
Clear communication with both engineers and leadership

Nice To Haves

Experience with Zero Trust assessments and implementation validation
Experience with CDM, ISCM, and enterprise logging programs
Experience supporting DHS/FISMA environments
Familiarity with threat-informed defense and attack vector analysis

Responsibilities

Execute Security Assessments (SA), Risk Assessments (RA), and Ongoing Authorization (OA) activities by validating security controls in live environments, not solely through documentation review
Conduct technical verification and validation of security controls across operating systems, applications, databases, cloud platforms, and network infrastructure
Identify real-world security risks, including exploitable vulnerabilities, misconfigurations, weak trust boundaries, and control failures
Perform continuous risk analysis using outputs from vulnerability scans, penetration testing, logging platforms, and configuration assessments
Develop risk-based findings and POA&M matrices, prioritizing remediation based on exploitability, exposure, and mission impact
Produce executive-quality artifacts (SARs, risk memos, ATO packages, executive briefings) with validated, evidence-backed findings
Conduct impact analysis for Requests for Change (RFCs), identifying security implications of architectural, configuration, or system modifications
Validate Zero Trust implementation and alignment across system architectures and capabilities
Perform technical assessments of system architecture, data flows, and trust boundaries to identify control gaps
Conduct compliance validation for TIC, FISMA, and federal cybersecurity mandates through technical inspection and testing
Ensure all deliverables meet accuracy standards with zero rework required and are aligned to program and client expectations
Provide weekly status reporting and briefings with clear articulation of risks, risk mitigation progress, and technical findings