ZERO TRUST (ZT) NETWORK ARCHITECTURE SME

About The Position

Requirements

• Expert-level mastery of network security architecture including ZTNA design, micro-segmentation strategy, and software-defined networking demonstrated through production deployment or senior advisory engagement.
• Authoritative knowledge of CISA ZTMM v2.0 Networks pillar criteria, NIST SP 800-207 network access tenets, TIC 3.0 use cases and security capabilities, and NIST SP 800-53 Rev. 5 control families.
• Expert-level proficiency with ZTNA platforms such as Zscaler and/or Palo Alto Prisma at architecture design, configuration, and deployment depth for federal environments.
• Expert-level capability in network segmentation design including macro-segmentation, micro-segmentation, lateral movement risk assessment, and east-west traffic enforcement strategy.
• Independent decision-making authority on Networks pillar advisory scope, architecture assessment methodology, and recommended ZTNA and segmentation approach. Bring solutions for concurrence.
• Problem-solving at the intersection of network enforcement and cross-pillar ZT integration. Able to identify how network segmentation deficiencies create risk in Identity enforcement decisions and Applications access control.
• Deep foundational expertise in enterprise network architecture including routing and switching (BGP, OSPF, VLAN design), firewall policy management, VPN technologies, and load balancing at architecture or senior engineering level.
• Hands-on experience with enterprise network infrastructure platforms (Cisco, Palo Alto Networks, Fortinet, or equivalent) including firewall rule design, segmentation architecture, and traffic inspection configuration.
• Strong working knowledge of cloud networking constructs, including VPC/VNet design, cloud-native security groups, transit gateways, and cloud-based SD-WAN, Infrastructure-as-Code (IaC), and hybrid connectivity patterns relevant to ZT network enforcement.
• Foundational understanding of database network access patterns, systems administration network dependencies, and application-layer traffic flows as they relate to segmentation design and ZT enforcement policy.
• Supports Network pillar advisory by enabling technically credible engagement with agency network engineers, firewall administrators, and cloud infrastructure teams.
• Interacts directly with other Zero Trust SMEs.
• A minimum of 10 years of experience in network security architecture, ZTNA design, or enterprise network engineering with demonstrated Zero Trust scope.
• Demonstrated hands-on experience designing or implementing ZTNA architectures in federal or large enterprise environments, reflecting operational design and deployment, not vendor evaluation or documentation.
• Hands-on experience with ZTNA platforms (e.g., Zscaler, Palo Alto Prisma, Cisco) including architecture design, configuration, and deployment.
• Expert knowledge of NIST SP 800-207, CISA ZTMM v2.0 Networks pillar criteria, and TIC 3.0 requirements.
• Experience with micro-segmentation design, SDN, and lateral movement risk assessment in a ZT context.
• Ability to assess network security controls against NIST SP 800-53 Rev. 5 control families.
• Demonstrated experience designing and implementing Zero Trust network architectures operationally, not limited to assessments or gap analyses.
• Experience supporting ZT-related IG FISMA metrics reporting pertaining to network security and TIC 3.0.
• Strong written and oral communication skills; ability to translate complex network architecture concepts into CISO-ready findings.
• Demonstrated familiarity with AI-assisted analysis tools or prompt engineering; ability to apply AI capabilities ethically to accelerate advisory work and surface higher-value technical insights.
• Minimum of a Bachelor of Science (or higher) in Information Technology, Computer Science, Network Engineering, Cybersecurity, or related field.
• Certified Information Systems Security Professional (CISSP) or Cisco Certified Network Professional Security (CCNP Security), or equivalent certification.

Nice To Haves

• Five years of IT cybersecurity experience, including direct support to the U.S. Government. This experience can be concurrent with the minimum 10 years of network architecture experience.
• Prior direct involvement in a ZT Networks pillar implementation or enterprise ZTNA deployment in a technical architecture or advisory capacity.
• ZTNA vendor certification: Zscaler Zero Trust Certified Associate (ZTCA) or Palo Alto Networks PCNSE.
• Experience with encrypted traffic management (SSL/TLS inspection) and east-west traffic visibility in a ZT network environment.
• Experience with cloud-native networking security (Azure Virtual WAN, AWS Transit Gateway, GCP Cloud Armor, or Infrastructure-as-Code) in a federal hybrid environment.
• Certified Information Security Manager (CISM) or equivalent senior security management certification.
• ZTNA vendor certification. Zscaler ZTCA, Palo Alto Networks PCNSE, or equivalent.

Responsibilities

• Serve as the primary technical advisor for the CISA ZTMM v2.0 Networks pillar across network security architecture, segmentation, and ZTNA domains.
• Continuously assess the agency's network architecture against CISA ZTMM v2.0 Networks pillar criteria and NIST SP 800-207; proactively identify emerging network risk indicators, including lateral movement exposure, traffic encryption and visibility deficiencies, and TIC 3.0 compliance drift, and deliver real-time advisory recommendations.
• Provide technical advisory guidance on ZTNA architecture design options, micro-segmentation strategies, and SDN approaches, recommending solutions and implementation pathways for agency decision-making.
• Evaluate ZTNA platform capabilities (e.g., Zscaler, Palo Alto Prisma) and develop configuration and deployment recommendations aligned to federal ZT requirements for agency adoption.
• Advise TIC 3.0 compliance strategies, cloud network access patterns, and secure remote access approaches in a hybrid federal environment; develop recommended solutions for agency review.
• Assess network access control mechanisms, lateral movement risk, and east-west traffic enforcement against ZT principles; develop findings and recommended remediation approaches for agency concurrence.
• Provide advisory support for the development and maturation of Networks pillar entries in the Common Control Catalog (CCC), ensuring traceability to NIST SP 800-53 Rev. 5 control families.
• Develop recommended Networks pillar inputs to the ZT Roadmap, IG FISMA maturity reporting, and enterprise performance reporting for agency review and approval.
• Collaborate with Identity, Device, Data, and Applications SMEs to ensure network enforcement approaches integrate coherently across all ZTMM pillars.
• Review network-related policy documents and technical standards; identify gaps relative to ZT mandates and develop recommended updates for agency concurrence.
• Support all network-related ZT data calls, audits, and compliance reporting by providing advisory analysis and recommended responses.
• Prepare and present network architecture findings, maturity assessments, and advisory recommendations to senior leadership and the CISO.
• Leverage AI-assisted analysis tools, automation platforms, and prompt engineering techniques to enhance advisory productivity, accelerate gap analysis and documentation tasks, and enable focus on higher-value technical advisory work; apply all AI capabilities in accordance with agency acceptable use policies and Zermount's ethical AI use guidelines.