Sr. DevSecOps Engineer (US)

About The Position

Requirements

• You have direct, hands-on FedRAMP ATO experience — you’ve been through the process, not just observed it.
• You have strong working knowledge of NIST 800-53 Rev. 5 controls and how to implement them technically, not just document them.
• You have deep hands-on experience securing AWS environments.
• You have direct experience with AWS GovCloud, including its constraints and operational differences from commercial AWS.
• You write advanced Terraform — modules, policy enforcement, and infrastructure that’s auditable by design.
• You’ve built or hardened CI/CD pipelines for secure, compliant deployments — integrating security scanning, secrets management, and access controls.
• You’ve worked directly with auditors and 3PAOs: preparing evidence packages, responding to findings, and supporting assessment activities.

Nice To Haves

• SOC 2 Type II experience, particularly in environments where mapped or extended to support FedRAMP or NIST frameworks.
• Experience securing data platforms such as Databricks, including data isolation and access control patterns.
• Familiarity with AI and LLM security concepts: prompt injection risks, model data isolation, inference boundary controls.
• Experience working in a startup or lean DevSecOps environment where you’ve had to build programs pragmatically with limited resources.

Responsibilities

• Lead Craft’s FedRAMP readiness program — defining the roadmap, owning the ATO timeline, and driving execution across engineering and security stakeholders.
• Design and implement AWS GovCloud architecture that meets FedRAMP Moderate and High requirements.
• Translate NIST 800-53 Rev. 5 controls into concrete, auditable, and continuously enforced technical implementations — not just documentation.
• Build and maintain compliance automation tooling to continuously validate control adherence across the environment, reducing manual audit burden.
• Develop and manage secure CI/CD pipelines with integrated security gates, secrets management, and deployment controls appropriate for FedRAMP environments.
• Author and maintain System Security Plans (SSPs), control implementation statements, and audit evidence packages; work directly with auditors and 3PAOs through assessment cycles.
• Perform threat modeling, risk assessments, and security architecture reviews across the platform.
• Define and drive how FedRAMP controls are embedded across the engineering lifecycle, partnering with full-stack, data, and machine learning teams to ensure consistent, scalable adoption.
• Serve as the internal subject matter expert on FedRAMP, NIST 800-53, and federal compliance — upleveling the broader team’s knowledge as the program matures.

Benefits

• Competitive salary starting at $170,000 USD/ year. This starting number can be increased based on levels of expertise, location, cost of living, taxes, market experience, etc.
• Equity at a well-funded, fast-growing startup
• Unlimited vacation time so you can take what you need, when you need it
• 99% covered Health + Dental + Vision insurance for employees and dependents
• 401K through Empower with options to invest how you want it