Software Engineer V - Security Engineer

Mighty Acorn Digital
Remote

About The Position

At Mighty Acorn, we build digital services that real people depend on to access government benefits and programs. The data flowing through those services — health records, social security numbers, income information — demands a higher standard of security than most software environments. We're not looking for someone to run periodic audits; we're looking for someone to embed directly with our product teams, build a culture of security-by-default, and ensure we can handle sensitive data with confidence.

As a Software Engineer V - Security Engineer, you'll work as an embedded security expert across one or more product teams, translating complex government compliance requirements into practical, actionable engineering guidance. You'll combine hands-on implementation work — hardening infrastructure, integrating security into CI/CD pipelines, reviewing code — with the strategic work of developing security roadmaps, leading gap remediation efforts, and working directly with government stakeholders and client security teams. At this level, you own the security posture for the engagements you're on. That means earning trust with engineers and government program staff alike.

This is a fully remote position. Candidates must be based in and work from the contiguous United States, with at least a 5-hour overlap with 9am–5pm ET, Monday through Friday.

Requirements

  • 10+ years of engineering experience, with significant depth in application security and/or DevSecOps practices.
  • Cloud security expertise on AWS — securing compute, storage, networking, and identity at the infrastructure level.
  • Hands-on experience with DevSecOps tooling: CI/CD security integration, secrets management, container security, and automated scanning (SAST, DAST, dependency scanning).
  • Experience with government compliance frameworks (NIST, FISMA, FedRAMP, HIPAA, or similar) and a demonstrated ability to translate regulatory language into concrete technical requirements.
  • Scripting and automation skills sufficient to build and maintain security tooling — Python, TypeScript/JavaScript, or shell.
  • Experience operating systems that process PII, SSNs, health data, or other sensitive information — with sound judgment about what that entails.
  • Demonstrated ability to read dense regulatory documents and translate them into clear, prioritized, actionable guidance for an engineering team.
  • Experience with formal security assessment processes — ATOs, SARs, or comparable frameworks — and the documentation they require.
  • Strong written and verbal communication skills, including the ability to explain risk and security posture to non-technical program staff and government stakeholders.
  • Experience developing security roadmaps and leading gap remediation efforts from initial assessment through implementation.
  • Comfort operating in ambiguous environments, building programs from scratch without a predefined playbook.
  • Sound judgment about prioritization — the ability to differentiate high-impact security changes from improvements that can wait.
  • A Bachelor's degree (or equivalent experience) is contractually required for this role.
  • An ability to work efficiently, sometimes under tight deadlines.
  • A preference for transparency and an ability to be direct and transparent in your own communication.
  • An ability to adapt quickly and cope with temporarily ambiguous situations as requirements change.
  • This role requires work be performed from within the contiguous United States.
  • Candidates must either hold active US citizenship or a green card, and should possess work authorization that does not require any present or future visa sponsorship by Mighty Acorn Digital.
  • Candidates selected for the role must pass a criminal background check prior to their start date.
  • Candidates must have a fast (>100Mbps) and reliable internet connection and have a dedicated workspace with background noise at an appropriate level for audio calls.

Nice To Haves

  • Experience with healthcare data security, CMS compliance requirements (including ARC-AMPE), or state health IT systems.
  • Familiarity with OWASP SAMM or similar software assurance maturity models.
  • Experience working in or alongside government agencies, with an understanding of their organizational constraints and stakeholder dynamics.
  • Experience working in professional services or government digital services consulting.

Responsibilities

  • Acting as the embedded security lead for product teams handling sensitive data, including PII, health information, and other regulated data — providing guidance on architecture decisions, data handling, and storage in real time.
  • Proactively implementing security hardening measures across AWS infrastructure, CI/CD pipelines, and application code — not waiting for a compliance process to tell you what needs to change.
  • Translating government compliance frameworks (NIST, HIPAA, FedRAMP, CMS ARC-AMPE, and others) into practical, prioritized guidance the engineering team can act on.
  • Developing and maintaining a security roadmap from compliance gap findings — writing concrete implementation tickets and helping teams understand the threshold at which different types of production data can be safely handled.
  • Participating in code review of infrastructure, DevOps, and security-relevant pull requests, and pairing with engineers on implementation.
  • Establishing automated and manual processes for ongoing compliance: security gates in CI/CD pipelines, secrets management, automated repository scanning, deployment checklists, and similar.
  • Documenting current data handling practices to support legal review, ATO processes, and security assessment reporting (SAR and similar).
  • Working closely with client agency security teams to align practices, share context, and support compliance across organizational boundaries.
  • Facilitating threat modeling sessions with product teams to establish a shared understanding of actual risk — helping the team distinguish high-impact changes from nice-to-haves.

Benefits

  • This Position Is Contingent, Pending Contract Award.