Senior Compliance Automation Engineer

True Anomaly
Denver, WA
Hybrid

About The Position

We are seeking a Senior Compliance Automation Engineer to join our Governance, Risk, and Compliance (GRC) team and design and build True Anomaly's compliance automation platform from the ground up. This is a greenfield engineering role, not a configuration or administration position. You will not be deploying off-the-shelf GRC tools and calling it done. Instead, you will architect and engineer a purpose-built, continuous compliance monitoring platform capable of spanning a hybrid environment of on-premises classified systems and multi-cloud infrastructure (AWS GovCloud, Azure Government). This role sits at the intersection of software engineering, DevSecOps, and compliance, and demands someone who can write production-quality code, design robust API and webhook integration frameworks, and translate NIST SP 800-53 Rev. 5 and NIST SP 800-171 Rev. 3 control requirements into automated, evidence-generating technical workflows. You will own the architecture, build the pipelines, and integrate data across the enterprise to produce a real-time, auditable, and scalable compliance posture built on infrastructure you design, not a vendor's dashboard. This position requires the ability to obtain and maintain a security clearance.

Requirements

  • 7+ years of experience in security engineering, compliance engineering, DevSecOps, or a closely related discipline, with a demonstrated emphasis on building automation rather than operating tools.
  • Proven ability to design and build production-quality software systems, including APIs, data pipelines, and integration services.
  • Proficiency in one or more of: Python, Go, TypeScript/Node.js, or equivalent.
  • Deep, hands-on expertise with NIST SP 800-53 Rev. 5 and NIST SP 800-171 Rev. 2/Rev. 3, including the ability to translate control language into specific, automatable technical implementations rather than policy documents alone.
  • Demonstrated experience designing and implementing webhook-driven and API-based integrations across heterogeneous security and IT toolsets, including cloud-native services, SIEMs, vulnerability management platforms, and ITSM systems.
  • Hands-on experience with policy-as-code frameworks including Open Policy Agent (OPA), Terraform Sentinel, AWS Config, or Azure Policy.
  • Proficiency with infrastructure-as-code tools including Terraform, Ansible, Pulumi, or equivalent, with experience enforcing compliance controls through IaC templates and pipelines.
  • Experience with CI/CD platforms (GitHub Actions, GitLab CI, Jenkins) and the ability to build and maintain compliance gates as native pipeline components.
  • Working experience with STIG validation tooling including InSpec, OpenSCAP, SCC, or equivalent, including custom profile development.
  • Familiarity with cloud security services across AWS GovCloud and/or Azure Government, including AWS Security Hub, AWS Config, Azure Security Center, Microsoft Defender for Cloud, and related services.
  • Demonstrated experience working within hybrid architectures that include both cloud and on-premises infrastructure, including an understanding of network segmentation, data classification boundaries, and compliance scope delineation.
  • Active or ability to obtain SECRET security clearance; TS/SCI strongly preferred.
  • Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)).

Nice To Haves

  • Experience with CMMC Level 2 or Level 3 compliance activities, including gap analysis, assessment preparation, and technical control validation.
  • Hands-on experience with RMF Authorization processes at DoD IL5 or IL6, including SSP development, ConMon program implementation, and ATO sustainment.
  • Familiarity with SIEM and log management platforms and the ability to build compliance-relevant detection rules and dashboards.
  • Experience with container and Kubernetes security tooling including Falco, Trivy, kube-bench, or OPA Gatekeeper.
  • Familiarity with vulnerability management platforms and experience automating finding ingestion and POA&M workflows from scan outputs.
  • Exposure to EAR/ITAR cyber regulations and their implications for system design, data handling, and compliance tooling.
  • Experience with database design sufficient to architect a compliance data store, including schema design, indexing for audit query performance, and data retention considerations.
  • Familiarity with message queue and event streaming technologies (Kafka, RabbitMQ, AWS SQS/SNS, Azure Service Bus) as applied to real-time compliance telemetry pipelines.
  • Industry certifications such as: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), CMMC Registered Practitioner (RP) or Certified Professional (CP), AWS Certified Security – Specialty, Microsoft Certified: Azure Security Engineer Associate, or CompTIA Security+.
  • Background in startup, defense technology, aerospace, or SaaS environments operating under DoD compliance obligations.
  • Familiarity with Agile/Scrum delivery models and experience managing compliance automation work in sprint-based development cycles.

Responsibilities

  • Architect and build a greenfield Continuous Compliance Monitoring (CCM) platform from first principles, designed to aggregate, correlate, and report on security control status across hybrid on-premises and cloud environments in near real time.
  • Design and implement a modular, API-first platform architecture with well-documented internal APIs and extensible data models that support rapid onboarding of new control families, systems, and data sources.
  • Develop webhook-driven integration pipelines that ingest telemetry and compliance signals from diverse source systems, including cloud-native security services, SIEM platforms, vulnerability scanners, configuration management tools, and identity providers, without reliance on manual data collection or polling.
  • Build control validation microservices that programmatically test the implementation state of NIST SP 800-53 and 800-171 controls, generate machine-readable evidence artifacts, and surface control gaps with contextual remediation guidance.
  • Implement an evidence collection and artifact management framework that automatically captures, timestamps, and indexes compliance evidence mapped to specific control requirements, enabling audit-ready artifact packages to be assembled on demand.
  • Develop platform capabilities to support continuous authorization workflows, replacing point-in-time assessment cycles with living, automated control validation that feeds directly into ATO decision support.
  • Embed compliance enforcement gates into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) to intercept non-compliant infrastructure-as-code (IaC) changes, insecure configurations, and policy violations before they reach production.
  • Develop and maintain policy-as-code libraries using tools such as Open Policy Agent (OPA), Terraform Sentinel, AWS Config Rules, and Azure Policy, translating control requirements into machine-enforceable rulesets.
  • Integrate compliance telemetry with infrastructure provisioning workflows using Terraform, Ansible, and Pulumi, ensuring that system authorization boundaries are maintained as infrastructure evolves.
  • Build automated STIG validation workflows that apply and verify DISA STIG benchmarks across Linux, Windows, container, and cloud resource configurations using tools such as InSpec, OpenSCAP, and custom-built validation scripts.
  • Partner with DevOps and platform engineering teams to implement secure baseline enforcement automation, including automated drift detection and remediation triggering for configuration deviations.
  • Design integration patterns and secure data collection agents for on-premises and air-gapped or limited-connectivity environments, enabling compliance telemetry to flow into the central platform without violating network segmentation or classification boundaries.
  • Build bidirectional sync mechanisms between on-premises systems and cloud compliance services where permitted by authorization boundaries, ensuring hybrid posture visibility without creating unauthorized data flows.
  • Develop solutions for classified environment compliance monitoring that operate within applicable network and data handling constraints, including support for IL5 and IL6 system boundaries.
  • Architect the platform's data pipeline and storage layer with an explicit understanding of CUI, ITAR-controlled data, and classified data handling requirements, ensuring the platform itself does not become a compliance liability.
  • Serve as the technical authority on programmatic implementation of NIST SP 800-53 Rev. 5 control families, translating AC, AU, CM, IA, IR, RA, SC, SI, and other control families into automatable checks, evidence generators, and remediation workflows.
  • Build automation coverage for NIST SP 800-171 Rev. 3 requirements across the full 110-control set, with particular depth in Access Control, Audit and Accountability, Configuration Management, and System and Communications Protection.
  • Develop automated SSP population and maintenance workflows, enabling system security plans to be updated dynamically as control implementations change rather than through manual quarterly refresh cycles.
  • Implement POA&M lifecycle automation, including automated finding ingestion from scan results and audit outputs, deduplication, severity scoring, and status tracking integrated with ticketing systems such as Jira or ServiceNow.
  • Build CMMC Level 3 readiness automation tooling that maps assessment objectives to automated test cases, evidence artifacts, and gap reporting outputs.
  • Design and implement a compliance posture dashboard and reporting layer, built in-house, that provides real-time visibility into control implementation status, open findings, POA&M health, and assessment readiness across all scoped systems.
  • Build automated compliance scoring and trend analysis capabilities, surfacing control degradation, coverage gaps, and risk concentration patterns to GRC leadership and system owners.
  • Develop alerting and escalation workflows that notify responsible parties of control failures, configuration drift, scan findings, or expiring artifacts with appropriate urgency and context.
  • Implement structured audit log generation across all platform components, ensuring the compliance platform itself is fully auditable and operates within the control boundaries it enforces.

Benefits

  • Health, Dental, Vision
  • HRA/HSA options
  • PTO and paid holidays
  • 401K
  • Parental Leave
  • Equity
© 2026 Teal Labs, Inc