← Back to Jobs
Employee
Technology
Senior Cybersecurity Engineer with Security Clearance
Helios HRMcLean, VA🇺🇸United StatesPosted 13 Jul 2026
Quick Overview
Work Type
On Site
Schedule
Employee
Level
Mid Senior
Job Description
Job Title: Senior Cybersecurity Engineer
Type of Employment: Full Time + benefits
Location: McLean, VA (Onsite)
Clearance: Active Top Secret Job Overview:
We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows. Required Clearance • Top Secret minimum Required Skills • 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience • IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines • Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments. • Deep understanding of CI/CD pipeline architectures, especially in disconnected networks. • Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes. • Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation. • Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment. • Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents. • Extensive experience in cybersecurity design and architecture. Required Work Experience
A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2) • Designing a Disconnected Cluster • Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave. • Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments. • Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing. • Registry and Artifact Governance • Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating. • Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions. • Admission Control & Policy Enforcement • Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification. • Cluster Multi-Tenancy in SCIFs • Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility). • Patching and CVE Response Offline • Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates. B) CI/CD & Security Test Automation (Disconnected) • Pipeline Architecture for Classified Enclaves • Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev ? Test ? Prod in closed networks. • Familiarity with GitLab/Jenkins runners, artifact promotion, and “compliance as code” practices. • Automated Security Testing Coverage • Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines. • Ensure pipeline failures persist if discrepancies are detected. • Evidence Generation for RMF • Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls. • Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS. • Promotion Gates & Provenance • Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments. • Testing for Platform + App Security Regressions • Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites. C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP) • RMF Tailoring in Containerized Systems • Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities. • Work with shared responsibility matrices and control inheritance catalogs. • DISA STIG Application to Kubernetes Workloads • Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions. • Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks. • Continuous Monitoring (CONMON) • Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco). • Design and manage control dashboards and evidence snapshots. • ATO Acceleration through Automation • Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS. • Policy Conflicts & Adjudication • Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls. D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves • Zero Trust in Kubernetes • Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ. • Offline PKI Operations • Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies. • East-West Segmentation Strategy • Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments. • Identity Propagation Across Layers • Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking. • Cross-Domain and Data Movement Patterns • Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations. E) Operations, SRE & Incident Response in SCIFs • Observability without SaaS • Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo. • Break Glass & Change Control • Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs. • Forensics & Container Runtime • Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes. • Resiliency & DR in Disconnected Sites • Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills. • Application Team & SOC Integration • Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery. • Define roles, telemetry requirements, and communication channels for effective response.
Type of Employment: Full Time + benefits
Location: McLean, VA (Onsite)
Clearance: Active Top Secret Job Overview:
We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows. Required Clearance • Top Secret minimum Required Skills • 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience • IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines • Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments. • Deep understanding of CI/CD pipeline architectures, especially in disconnected networks. • Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes. • Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation. • Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment. • Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents. • Extensive experience in cybersecurity design and architecture. Required Work Experience
A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2) • Designing a Disconnected Cluster • Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave. • Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments. • Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing. • Registry and Artifact Governance • Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating. • Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions. • Admission Control & Policy Enforcement • Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification. • Cluster Multi-Tenancy in SCIFs • Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility). • Patching and CVE Response Offline • Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates. B) CI/CD & Security Test Automation (Disconnected) • Pipeline Architecture for Classified Enclaves • Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev ? Test ? Prod in closed networks. • Familiarity with GitLab/Jenkins runners, artifact promotion, and “compliance as code” practices. • Automated Security Testing Coverage • Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines. • Ensure pipeline failures persist if discrepancies are detected. • Evidence Generation for RMF • Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls. • Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS. • Promotion Gates & Provenance • Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments. • Testing for Platform + App Security Regressions • Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites. C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP) • RMF Tailoring in Containerized Systems • Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities. • Work with shared responsibility matrices and control inheritance catalogs. • DISA STIG Application to Kubernetes Workloads • Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions. • Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks. • Continuous Monitoring (CONMON) • Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco). • Design and manage control dashboards and evidence snapshots. • ATO Acceleration through Automation • Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS. • Policy Conflicts & Adjudication • Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls. D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves • Zero Trust in Kubernetes • Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ. • Offline PKI Operations • Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies. • East-West Segmentation Strategy • Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments. • Identity Propagation Across Layers • Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking. • Cross-Domain and Data Movement Patterns • Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations. E) Operations, SRE & Incident Response in SCIFs • Observability without SaaS • Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo. • Break Glass & Change Control • Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs. • Forensics & Container Runtime • Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes. • Resiliency & DR in Disconnected Sites • Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills. • Application Team & SOC Integration • Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery. • Define roles, telemetry requirements, and communication channels for effective response.
Skills
Docker
Microservices
Service Mesh
Grafana
Helm
Jenkins
Kubernetes
PKI
Prometheus
Zero Trust
Similar jobs
Information Systems Security Engineer / ISSE (HPC) with Security Clearance
American Systems Corporation · Arlington, United States
12 minutes ago$165k - $200k/yrSoftware Development with Security Clearance
Altamira Technologies · Warrenton, United States
15 minutes ago$90k - $140k/yrAI Engineer - W2
Judge Group, Inc. · Chandler, United States
22 minutes agoSystems Engineer with Security Clearance
Leidos · Fort Meade, United States
22 minutes ago$87.1k - $157.4k/yrData Analyst Supporting the DEA with Security Clearance
FSA · Arlington, United States
22 minutes agoLead Data Engineer
Judge Group, Inc. · New York, United States
22 minutes ago