About The Position

The Zero Trust Virtualization / Application Development Technical SME serves as the agency's primary technical advisor for the CISA ZTMM v2.0 Applications & Workloads pillar, the pillar responsible for extending Zero Trust (ZT) enforcement to the application layer across the agency's enterprise software portfolio. This role advances TSA's application access control posture, API security maturity, and DevSecOps adoption by providing senior-level advisory on application security architecture, cloud workload protection, and secure software delivery in alignment with EO 14028 and OMB M-22-09. The expected outcome is a continuously advancing Applications & Workloads pillar maturity posture: application access enforced at the authorization layer rather than at the network perimeter, API security posture assessed and advised, and DevSecOps practices integrated into the software delivery lifecycle. This is a senior technical advisory role requiring hands-on application security and cloud architecture experience.

Requirements

  • A minimum of 10 years in application security, cloud security architecture, or DevSecOps with demonstrated Zero Trust scope.
  • Hands-on experience implementing ZT-aligned application access control in cloud environments (Azure, AWS, or GCP); this experience must extend beyond platform administration to ZT policy design and enforcement architecture.
  • Expert knowledge of NIST SP 800-207, CISA ZTMM v2.0 Applications & Workloads pillar criteria, NIST SP 800-218, and federal secure software development standards.
  • Experience with API security frameworks, authorization gateway design, and application-layer access control enforcement in a ZT context.
  • Demonstrated familiarity with DevSecOps practices, CI/CD security integration, and software supply chain security under EO 14028 and OMB M-23-16.
  • Experience assessing application security controls against NIST SP 800-53 Rev. 5 SA, SI, and CM control families.
  • Demonstrated experience developing and implementing Zero Trust application security solutions operationally, not limited to framework mapping or documentation.
  • Experience supporting ZT-related IG FISMA metrics reporting pertaining to applications and workloads.
  • Strong written and oral communication skills; ability to translate complex application security concepts into CISO-ready recommendations.
  • Demonstrated familiarity with AI-assisted analysis tools or prompt engineering; ability to apply AI capabilities ethically to accelerate advisory work and surface higher-value technical insights.
  • Minimum of a Bachelor of Science (or higher) in Information Technology, Computer Science, Software Engineering, Cybersecurity, or a related field.
  • Certified Information Systems Security Professional (CISSP) or Certified Cloud Security Professional (CCSP), or equivalent certification.
  • Active Secret Clearance required.

Nice To Haves

  • Five years of IT cybersecurity experience, including direct support to the U.S. Government. This experience can be concurrent with the minimum 10 years of application security experience.
  • Prior direct involvement in a ZT Applications & Workloads pillar implementation or enterprise ZT-aligned deployment in a technical design or advisory capacity.
  • Cloud security certification: AWS Security Specialty, Microsoft Azure Security Engineer Associate (AZ-500), or GCP Professional Cloud Security Engineer.
  • Experience with Kubernetes security, container runtime protection, and image vulnerability management in a federal or enterprise environment.
  • Experience advising on legacy applications: extending ZT controls (for example, through a proxy or authorization gateway) to applications that cannot natively support modern authentication or authorization.
  • Prior CISO-facing experience.
  • Certified Information Security Manager (CISM) or equivalent senior security management certification.

Responsibilities

  • Serve as the primary technical advisor for the CISA ZTMM v2.0 Applications & Workloads pillar across application security, cloud security, and secure software delivery domains.
  • Continuously assess the agency's application portfolio posture against CISA ZTMM v2.0 Applications & Workloads criteria and NIST SP 800-207; proactively identify emerging application risk indicators, including access control drift, API exposure, and supply chain vulnerabilities, and deliver real-time advisory recommendations.
  • Provide technical advisory guidance on application access control design options, API security strategies, and authorization gateway approaches, recommending solutions and implementation pathways for agency decision-making.
  • Evaluate cloud-hosted and on-premises application environments for ZT compliance; develop recommended approaches for secure configuration, workload isolation, and least-privilege access enforcement for agency adoption.
  • Advise on DevSecOps integration strategies, secure CI/CD pipeline practices, and software supply chain security aligned to OMB M-23-16 and EO 14028; develop recommended solutions for agency review.
  • Assess container and virtualization environments for workload segmentation, access control, and ZT enforcement alignment; develop findings and recommended remediation approaches for agency concurrence.
  • Provide advisory support for the development and maturation of Applications & Workloads pillar entries in the ZT Common Control Catalog (CCC), ensuring traceability to NIST SP 800-53 Rev. 5 control families.
  • Develop recommended Applications & Workloads pillar inputs to the ZT Roadmap, IG CIGIE maturity reporting, and enterprise performance reporting for agency review and approval.
  • Collaborate with Identity, Network, and Data SMEs to ensure application access control approaches integrate coherently across all ZTMM pillars.
  • Review application-related policy documents and technical standards; identify gaps relative to ZT mandates and develop recommended updates for agency concurrence.
  • Support all application and workload-related ZT data calls, audits, and compliance reporting by providing advisory analysis and recommended responses.
  • Prepare and present application security findings, maturity assessments, and advisory recommendations to senior leadership and the CISO.
  • Leverage AI-assisted analysis tools, automation platforms, and prompt engineering techniques to enhance advisory productivity, accelerate gap analysis and documentation tasks, and enable focus on higher-value technical advisory work; apply all AI capabilities in accordance with agency acceptable use policies and Zermount's ethical AI use guidelines.
© 2026 Teal Labs, Inc