Senior Security Engineer

Oddball believes that the best products are built when companies understand and value the things they are working on. We value learning and growth and the ability to make a big impact at a small company. We believe that we can make big changes happen and improve the daily lives of millions of people by bringing quality software to the federal space.

The My HealtheVet (MHV) Senior Security Engineer leads and coordinates security, privacy, risk management, and compliance activities for the My HealtheVet platform — a FISMA High federal system designated as a High Value Asset. This role partners closely with engineering, program leadership, and government stakeholders to ensure the platform maintains a strong, audit-ready security posture while supporting ongoing authorization and continuous monitoring activities.

This is a hands-on, senior security role operating in a high-impact healthcare environment where security, privacy, and mission delivery are tightly coupled.

What You’ll Be Doing:

Security Governance & Program Leadership

• Serve as the system Security Manager / ISSO for My HealtheVet and act as the primary security point of contact for internal leadership and VA stakeholders
• Establish and maintain a comprehensive security program aligned with FISMA, NIST RMF, NIST SP 800-53 Rev. 5 (High baseline), HVA guidance, and VA cybersecurity policy (VA 6500 series)
• Lead ATO, reauthorization, and Continuous Monitoring (ConMon) activities, including assessment planning, evidence management, and package quality control
• Coordinate audits, assessments, and required security testing activities, including control assessments and penetration testing

Risk Management & Compliance

• Drive a risk-based security approach appropriate for a FISMA High / HVA system
• Identify, document, prioritize, and track security and privacy risks through POA&Ms, ensuring remediation actions are measurable and tracked to closure
• Perform and document system risk assessments, security impact analyses, and privacy-related assessments
• Ensure system security documentation remains current, accurate, and defensible for audits and oversight reviews

Vulnerability Management & Continuous Diagnostics

• Oversee vulnerability management activities including triage, prioritization, remediation coordination, validation, and reporting
• Integrate enterprise security initiatives (e.g., CDM-related reporting where applicable) into system risk tracking and POA&Ms
• Support secure configuration, hardening, and ongoing control effectiveness monitoring

Incident Response & Security Operations

• Coordinate incident response activities, including investigation support, escalation, documentation, and communication with VA security operations and CISO teams
• Ensure incident response playbooks, reporting thresholds, and escalation paths are documented and exercised
• Support after-action reviews and ensure lessons learned are translated into corrective actions

Identity, Credential, and Access Management (ICAM)

• Oversee privileged and non-privileged access governance, enforcing least privilege, role-based access, and need-to-know principles
• Ensure onboarding/offboarding controls, periodic access reviews, and MFA requirements are implemented and monitored
• Support governance and monitoring of privileged access activity consistent with high-impact system expectations

Documentation, Reporting & Stakeholder Communication

• Prepare and maintain security and authorization artifacts, including SSPs, assessment evidence, POA&Ms, risk acceptance documentation, and ConMon deliverables
• Provide regular reporting to leadership on authorization status, risk posture, open findings, and remediation progress
• Partner with Privacy, FOIA, and Records stakeholders to support breach documentation, consent and data-handling documentation, and incident records

Training, Awareness & Continuous Improvement

• Deliver or coordinate security and privacy awareness activities for engineers, staff, and contractors supporting My HealtheVet
• Brief leadership on emerging threats, HVA-specific risks, and recommended mitigations, translating technical risk into mission impact
• Track emerging threats relevant to healthcare and high-value federal systems (e.g., ransomware, supply chain risk) and drive implementation of safeguards
• Lead remediation efforts for findings from oversight bodies such as OIG, GAO, and external assessors

What you’ll bring:

• 5+ years of experience in IT and cybersecurity, including experience supporting federal systems operating at FISMA Moderate or High
• Strong working knowledge of FISMA, HVA expectations, NIST RMF, and NIST SP 800-53 Rev. 5 (High baseline)
• Hands-on experience managing ATO, reauthorization, and Continuous Monitoring activities
• Experience producing and maintaining federal security documentation (SSP, POA&Ms, assessment artifacts, SAR support)
• Familiarity with privacy and security requirements relevant to federal healthcare systems and protection of sensitive data
• Experience with vulnerability management workflows and security monitoring outputs (e.g., scan results, SIEM dashboards)
• Understanding of Zero Trust concepts, cloud security considerations, and secure SDLC / DevSecOps practices
• Strong written and verbal communication skills, with the ability to brief senior stakeholders and produce audit-ready documentation
• Performs other related duties as assigned

Nice to Haves:

• Experience supporting the Department of Veterans Affairs or other large federal agencies
• Familiarity with Veteran-facing health platforms or the My HealtheVet ecosystem
• Experience supporting or participating in incident response tabletop exercises
• Hands-on experience with federal authorization tooling (e.g., eMASS or equivalent) and evidence repositories

Requirements:

• Applicants must be authorized to work in the United States. In alignment with federal contract requirements, certain roles may also require U.S. citizenship and the ability to obtain and maintain a federal background investigation and/or a security clearance.

Education:

• Bachelor’s Degree

Benefits:

• Fully remote
• Tech & Education Stipend
• Comprehensive Benefits Package
• Company Match 401(k) plan
• Flexible PTO, Paid Holidays

Oddball is an Equal Opportunity Employer and does not discriminate against applicants based on race, religion, color, disability, medical condition, legally protected genetic information, national origin, gender, sexual orientation, marital status, gender identity or expression, sex (including pregnancy, childbirth or related medical conditions), age, veteran status or other legally protected characteristics. Any applicant with a mental or physical disability who requires an accommodation during the application process should contact an Oddball HR representative to request such an accommodation by emailing hr@Oddball.io

Compensation:

At Oddball, it’s important each employee is compensated competitively and fairly. In alignment with state legal requirements. A range for the included position is listed below. Be advised, actual offer details are determined by job category, job location, and candidate skill level.

United States Wage Range: $120,000 – $165,000