United States onlyQualifications:
- Active Public Trust clearance
- M.S. degree in Computer Science, Information Technology, or a related field.
- 10 years of experience in cloud and cloud security solutions in federal government systems. Prior Department of Justice (DOJ) and/or Bureau of Prisons (BOP) experience and domain knowledge preferred.
- Networking Expertise: Strong knowledge of networking, with a focus on AWS native firewall, AWS Direct Connect, AWS Outposts network configuration, reverse proxy configurations, and related automation. This expertise will be valuable in assessing FedRAMP-specific responses against various controls.
- Continuous Monitoring (ConMon): Proven ability to design and implement continuous monitoring solutions for cloud systems and applications.
- AI-Enabled Compliance Automation: Capability to design AI-powered tools that can scan all cloud accounts and VPCs, collect FedRAMP-specific responses, store them in a centralized repository for ConMon, and analyze them to identify unmet requirements.
- Security Event Analysis: Strong experience in accessing, reviewing, and interpreting reports and alerts generated by SIEM tools such as Splunk.
- AWS Security Services: Proficient in reviewing and analyzing reports from AWS GuardDuty, Security Hub, and Amazon Inspector, including interpreting compliance and non-compliance metrics such as pie charts.
- Data Encryption: In-depth understanding of end-to-end data encryption in transit and at rest, including SSL/TLS implementation.
- Vulnerability Identification: Ability to identify potential vulnerabilities, particularly those related to data or configuration tampering.
- Serve as the cloud architecture subject matter expert supporting DOJ and BOP Rapid ATO activities.
- Design, evaluate, and validate secure cloud architectures supporting SaaS, PaaS, and IaaS environments.
- Ensure cloud architecture aligns with DOJ cybersecurity policies, NIST standards, FedRAMP requirements, and RMF processes.
- Provide technical guidance on cloud networking, segmentation, encryption, and access control strategies.
- Support integration of cloud environments into enterprise architectures and authorization boundaries.
- Support system preparation activities by defining cloud system architectures, hosting environments, and shared responsibility models.
- Identify and document cloud assets, services, and dependencies within authorization boundaries.
- Assist in identifying information types processed, stored, or transmitted within cloud environments, including PII.
- Support system security categorization by providing architectural input for confidentiality, integrity, and availability determinations.
- Assist with continuous cloud asset discovery using automated scanning tools to maintain accurate system boundaries.
- Support selection of cloud-specific security and privacy controls using DOJ Cybersecurity Standard 0904 and NIST SP 800-53.
- Map cloud services, components, and architectures to applicable NIST and FedRAMP control requirements.
- Support control tailoring decisions based on cloud service models, deployment patterns, and risk tolerance.
- Assist in defining control inheritance models from cloud service providers (CSPs) and shared responsibility matrices.
- Provide architectural input to the System Security and Privacy Plan (SSPP) and Requirements Traceability Matrix (RTM).
- Provide architectural guidance for implementation of security controls within cloud environments.
- Ensure secure design and implementation of:
- Network segmentation and firewalls (e.g., AWS native firewall services)
- Connectivity solutions (AWS Direct Connect, AWS Outposts)
- Reverse proxies and ingress/egress controls
- Support implementation of encryption in transit and at rest, including SSL/TLS and key management services.
- Assist with integration of DevSecOps pipelines and infrastructure-as-code to enforce and verify cloud security controls.
- Validate alignment between documented controls and “as-implemented” cloud configurations.
- Support security and privacy control assessments by providing architectural explanations and technical evidence.
- Assist in collection and analysis of cloud security evidence using:
- SIEM tools (e.g., Splunk)
- AWS GuardDuty, Security Hub, and Amazon Inspector
- Interpret compliance dashboards, alerts, and metrics to identify security gaps or misconfigurations.
- Support remediation planning for cloud-related findings and POA&M development.
- Support development of authorization packages by providing cloud architecture documentation and risk inputs.
- Assist in evaluating cloud-specific risks and residual risk impacts.
- Support AO briefings by explaining cloud architectures, inherited controls, and shared responsibility considerations.
- Provide technical input for risk response strategies related to cloud services and deployments.
- Design and support continuous monitoring architecture for cloud systems.
- Implement and maintain automated monitoring solutions to:
- Scan cloud accounts and VPCs
- Collect FedRAMP-specific control evidence
- Store artifacts in centralized repositories
- Support AI-enabled compliance automation to identify unmet FedRAMP and RMF requirements.
- Assist with ongoing assessments and security posture reporting for cloud systems.
- Support assessment of cloud service providers to ensure valid FedRAMP authorization (JAB or Agency-authorized).
- Review and validate FedRAMP security packages for SaaS, PaaS, and IaaS offerings.
- Assist in documenting control inheritance and CSP responsibilities.
- Support DOJ CIO approval processes for Agency-sponsored FedRAMP authorizations when required.
- Ensure all cloud architecture documentation complies with DOJ, NIST, FedRAMP, and FISMA requirements.
- Maintain accurate cloud architecture artifacts within JCAM.
- Collaborate with Lead and Senior ATO SMEs, Cloud Security Engineers, and system owners.
- Support audits, inspections, and government reviews by providing technical cloud architecture expertise
