← Back to Jobs
Technology
4345 Senior Cybersecurity Engineer with Security Clearance
Procession SystemsTysons, VA🇺🇸United StatesPosted 13 Jul 2026
Quick Overview
Work Type
Hybrid
Level
Mid Senior
Job Description
OVERVIEW: We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity contr ols in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows. A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2) * Designing a Disconnected Cluster * Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave. * Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments. * Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing. * Registry and Artifact Governance * Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating. * Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions. * Admission Contr ol && Policy Enforcement * Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification. * Cluster Multi-Tenancy in SCIFs * Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility). * Patching and CVE Response Offline * Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates. B) CI/CD && Security Test Automation (Disconnected) * Pipeline Architecture for Classified Enclaves * Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev → Test → Prod in closed networks. * Familiarity with GitLab/Jenkins runners, artifact promotion, and "compliance as code" practices. * Automated Security Testing Coverage * Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines. * Ensure pipeline failures persist if discrepancies are detected. * Evidence Generation for RMF * Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST contr ols. * Knowledge of OSCAL output, contr ol mappings, and integration with evidence stores like eMASS. * Promotion Gates && Provenance * Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments. * Testing for Platform + App Security Regressions * Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites. C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP) * RMF Tailoring in Containerized Systems * Tailor NIST 800-53 contr ols for microservices platforms, identifying platform vs. app team responsibilities. * Work with shared responsibility matrices and contr ol inheritance catalogs. * DISA STIG Application to Kubernetes Workloads * Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions. * Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks. * Continuous Monitoring (CONMON) * Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco). * Design and manage contr ol dashboards and evidence snapshots. * ATO Acceleration through Automation * Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS. * Policy Conflicts && Adjudication * Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating contr ols. D) Networking, Identity && Zero Trust in On-Prem/Classified Enclaves * Zero Trust in Kubernetes * Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ. * Offline PKI Operations * Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies. * East-West Segmentation Strategy * Design and implement micro-segmentation and egress contr ols for multi-tenancy within classified environments. * Identity Propagation Across Layers * Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking. * Cross-Domain and Data Movement Patterns * Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations. E) Operations, SRE && Incident Response in SCIFs * Observability without SaaS * Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo. * Break Glass && Change Contr ol * Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs. * Forensics && Container Runtime * Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes. * Resiliency && DR in Disconnected Sites * Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills. * Application Team && SOC Integration * Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery. * Define roles, telemetry requirements, and communication channels for effective response. REQUIRED QUALIFICATIONS: * 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience * IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines * Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments. * Deep understanding of CI/CD pipeline architectures, especially in disconnected networks. * Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes. * Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation. * Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment. * Strong ability to map pipeline artifacts to RMF/ATO contr ols and support security operations during incidents. * Extensive experience in cybersecurity design and architecture. CLEARANCE: * Top Secret minimum
Skills
Docker
Microservices
Service Mesh
Grafana
Helm
Jenkins
Kubernetes
PKI
Prometheus
Zero Trust
Similar jobs
Senior Storage Engineer
StratEdge It consulting INC · Cincinnati, United States
7 minutes agoDatabricks Data Engineer / Master Data Management (MDM) Specialist
Kentro · Woodlawn, United States
7 minutes ago$145k - $165k/yrLead Satellite Payload Systems Engineer
Booz Allen Hamilton · Chantilly, United States
7 minutes ago$99k - $225k/yrLead Cybersecurity Engineer (SME) USSOCOM - Zero Trust
Kentro · Tampa, United States
7 minutes agoJourneyman Cyber Security Engineer (Splunk/TS) - USSOCOM EDAT Zero Trust
Kentro · Tampa, United States
7 minutes agoData Management Analyst
Booz Allen Hamilton · Cleveland, United States
7 minutes ago$61.9k - $141k/yr