Senior Compliance Engineer

About The Position

Requirements

• 3+ years of professional experience in Cloud Security, DevSecOps, Site Reliability Engineering (SRE), or a related security engineering role.
• Background in one or more of the following disciplines: Systems Security Engineering, Cybersecurity, Systems Engineering, Software Engineering, Computer Engineering, or Computer Science.
• Proven experience building and securing complex cloud environments at scale.
• 3+ years of hands-on experience working with compliance frameworks such as CMMC, NIST SP 800-171 and/or 800-53, and FedRAMP.
• Hands-on experience executing against recurring operational regulatory requirements (e.g., continuous monitoring, periodic assessments, audit cycles).
• Deep proficiency in at least one major cloud provider (AWS, Azure, or GCP), with a strong understanding of cloud infrastructure and security concepts.
• Strong hands-on experience with Infrastructure as Code tools, particularly Terraform; experience with CloudFormation or Bicep is a plus.
• Demonstrated ability to build, deploy, and manage Terraform modules and infrastructure templates in production environments.
• Solid programming and scripting ability in one or more languages (e.g., Python, Go, Rust).
• Firm understanding of public cloud networking principles, including VPCs, subnets, routing, security groups, and network segmentation.
• Proficiency with core security concepts including encryption, authentication, identity and access management, and Zero-Trust Architecture (ZTA).
• Experience with continuous monitoring and security tooling such as Tenable, Splunk, Elasticsearch, or equivalent platforms.
• Ability to communicate compliance requirements clearly and effectively to engineering teams, development teams, and non-technical stakeholders.
• Strong understanding of the "why" behind product, systems, and security design decisions — not just the "what."
• Comfort working at the interface of compliance and infrastructure engineering, with the ability to context-switch between policy interpretation and hands-on technical work.
• Self-directed, with the ability to prioritize across multiple concurrent compliance and engineering initiatives.
• Must be eligible to obtain and maintain a U.S. Secret security clearance.

Nice To Haves

• Previous work on security engineering and architecture for defense/national security systems and/or complex embedded commercial systems is strongly preferred.
• Experience hardening and monitoring Kubernetes clusters (EKS, GKE, AKS).
• Experience with Cloud Security Posture Management (CSPM) or cloud-native threat detection tooling.
• Familiarity with CI/CD pipelines and experience securing the software supply chain.
• Experience with security assessment methodologies and vulnerability management programs.
• Relevant certifications such as AWS Solutions Architect, Certified Kubernetes Administrator (CKA), CISSP, CISM, or CompTIA Security+.

Responsibilities

• Design, develop, and maintain Infrastructure as Code (IaC) and Policy as Code (PaC) that enforce compliance with NIST SP 800-171 and 800-53, CMMC, and other applicable frameworks, enabling developers to deploy CMMC-certified applications using pre-packaged, compliant infrastructure templates.
• Architect, build, and deploy robust, scalable security controls across Anduril's corporate, development, and production cloud environments (AWS, Azure, GCP) and on-premise environments.
• Develop and automate IaC pipelines for managing and scaling cloud deployments securely and efficiently, including automated pipelines for deploying infrastructure, applications, and updates.
• Build automation for procedural compliance controls, generating compliance and audit artifacts at scale without manual intervention.
• Develop security models that integrate Continuous Monitoring (ConMon), DISA STIG scanning, and compliance reporting into a unified, automated workflow.
• Ensure that compliance requirements for rapid, secure deployments translate into robust, repeatable tool chains.
• Analyze, interpret, and operationalize federal and industry cybersecurity regulations, including NIST SP 800-171 and 800-53, CMMC, FedRAMP, and SOC 2, translating regulatory language into actionable engineering guidance and enforceable technical controls.
• Evaluate system architectures and configurations to ensure alignment with required security controls for moderate-impact information systems.
• Interface directly with infrastructure teams to verify and enforce compliance across existing on-premise and cloud stacks, identifying gaps and driving remediation.
• Collect, review, and where necessary modify system architecture to meet evolving compliance requirements, ensuring that security is embedded into the design phase rather than bolted on after the fact.
• Conduct compliance testing, studies, and assessments of Anduril's products and integrated components to uncover potential weaknesses and validate control effectiveness.
• Develop, update, and maintain cybersecurity policies, standards, procedures, and playbooks in coordination with the Information Security Team.
• Stay current on changes to federal and industry cybersecurity regulations and proactively communicate their impact to engineering and leadership teams.
• Partner with engineers, the DevSecOps Team, and the Automation Team to implement and verify security controls in both corporate and product software environments.
• Act as a force multiplier by embedding security best practices into the workflows of infrastructure, application, and product teams, particularly for environments holding mission-critical data.
• Support and expedite the new software onboarding process by evaluating the technical requirements of new software for CMMC compliance and guiding developers through the path to compliant deployment.
• Coordinate and deliver briefings to ensure Anduril's technical teams understand their compliance obligations, translating complex security concepts for diverse technical and non-technical audiences.
• Brief security architectures and approaches to program leadership, providing clear recommendations and risk-informed guidance.
• Work closely with Information Systems leadership, project managers, and stakeholders to integrate compliance requirements into active projects and update or modify compliant systems as organizational needs evolve.
• Collaborate with other principals and subject matter experts to ensure end-to-end automation across the compliance lifecycle.
• Act as SME for security and automation topics during internal reviews, audits, and cross-team planning sessions.
• Develop strategies and implementation plans for compliance-related matters, advising management on risk posture, regulatory changes, and investment priorities.
• Institute best-practice procedures for compliance and risk mitigation across the organization.
• Guide technical and operational decision-making towards future product offerings and efficient organizational processes.
• Ensure the company's ongoing technical compliance with all applicable laws, regulations, and contractual obligations.
• Produce clear documentation and reporting on compliance testing outcomes, process improvements, and emerging risks.

Benefits

• Comprehensive medical, dental, and vision plans at little to no cost to you.
• We cover full cost of medical insurance premiums for you and your dependents.
• We offer an annual contribution toward your private health insurance for you and your dependents.
• Anduril covers life and disability insurance for all employees.
• Highly competitive PTO plans with a holiday hiatus in December.
• Caregiver & Wellness Leave is available to care for family members, bond with a new baby, or address your own medical needs.
• Coverage for fertility treatments (e.g., IVF, preservation), adoption, and gestational carriers, along with resources to support you and your partner from planning to parenting.
• Access free mental health resources 24/7, including therapy and life coaching.
• Additional work-life services, such as legal and financial support, are also available.
• Annual reimbursement for professional development
• Company-funded commuter benefits based on your region.
• Available depending on role eligibility.
• Traditional 401(k), Roth, and after-tax (mega backdoor Roth) options.
• Pension plan with employer match.
• Superannuation plan.