DoW Cloud Security Engineering Information Systems Security Officer (ISSO)
Remote
Full Time
Solutions
Experienced
Tetrad Digital Integrity (TDI) is a 25 year old cybersecurity firm built for high-consequence environments where mission, complexity, and trust intersect.
We are looking for an exceptional Cloud Security Engineering ISSO to support RMF and security execution for a mission-critical cloud-hosted defense system. This is a high-visibility engagement with frequent change, heavy stakeholder involvement, and a system treated as a high-value target. This is an engineering-forward ISSO role: controls must be implemented, measurable, and continuously verifiable—not papered. We need a team player and mission-focused operator who can execute with urgency, drive progress through ambiguity, and deliver customer excellence under pressure while partnering tightly with the Cybersecurity Program Lead and engineering teams.
RESPONSIBILITIES:
We are looking for an exceptional Cloud Security Engineering ISSO to support RMF and security execution for a mission-critical cloud-hosted defense system. This is a high-visibility engagement with frequent change, heavy stakeholder involvement, and a system treated as a high-value target. This is an engineering-forward ISSO role: controls must be implemented, measurable, and continuously verifiable—not papered. We need a team player and mission-focused operator who can execute with urgency, drive progress through ambiguity, and deliver customer excellence under pressure while partnering tightly with the Cybersecurity Program Lead and engineering teams.
RESPONSIBILITIES:
- Own the RMF “engine room”: maintain day-to-day RMF execution across all phases (categorization, control selection, implementation, assessment, authorization, and continuous monitoring) for modern cloud-hosted systems.
- Apply DoD cloud security policies, NIST SP 800-53 controls, CNSS policies, and DoD-specific frameworks such as the Cloud Computing SRG and applicable AI-related guidance.
- Develop and maintain RMF artifacts including SSPs, SARs, POA&Ms, control implementation details, evidence mappings, and assessor-ready supporting documentation with strict traceability from control → implementation → evidence.
- Execute POA&M management with discipline: validate substantiation, track owners/dates, drive remediation follow-through, and ensure closure evidence is real and audit-ready (no “paper POA&Ms”).
- Support security change governance activities (CCB inputs, impact analyses, configuration drift detection) and ensure artifacts/evidence stay aligned to reality after each approved change.
- Conduct security engineering analysis for cloud-native and containerized workloads hosted in Google Cloud Platform (GCP), including baseline validation for Kubernetes/Docker environments and control-implementation verification.
- Engineer evidence and control health: partner with DevSecOps/platform to implement repeatable evidence collection (dashboards/queries/scripts) and reduce manual screenshots and one-off artifacts.
- Integrate security into delivery pipelines: collaborate with teams to implement/verify CI/CD guardrails, IaC baseline enforcement, and policy-as-code patterns where applicable.
- Assist with threat modeling, vulnerability assessments, and risk analysis tailored to cloud environments and (as applicable) AI/ML and LLM components.
- Partner with system architects, developers, DevSecOps, and platform teams to integrate security throughout the SDLC and translate requirements into actionable implementation steps and measurable evidence outputs.
- Support SCAs and coordinate with third-party assessors by preparing artifacts, evidence packages, interview prep, and timely responses to RFIs including managing RFI intake, tracking, and closure.
- Monitor, track, and report security compliance posture through Continuous Monitoring (ConMon) processes and recurring metrics/dashboards including vulnerability and configuration compliance trends, control health, and evidence freshness.
- Optimize and automate compliance operations: develop repeatable workflows (scripts/automation; responsible AI-enabled methods where appropriate) to reduce manual evidence collection, improve quality, and shorten cycle time.
- Active Secret clearance.
- Required security certification: CAP, CASP+ CE, CISM, CISSP (or Associate), GSLC, CCISO.
- Demonstrated experience supporting or leading DoD RMF for modern systems, including authorization package contributions and post-ATO sustainment activities.
- Strong working knowledge of NIST 800-53 and practical RMF execution (inheritance strategy, evidence planning, assessor/AO engagement support, and risk tradeoffs).
- Hands-on cloud security experience (AWS/Azure/GCP) including IAM, logging/monitoring, networking, encryption/KMS, and secure architecture patterns; GCP experience preferred.
- Experience with STIG implementation/validation in production environments.
- Engineering fluency: comfort working with cloud-native delivery patterns (Kubernetes, containers), and implementing/verifying controls via automation and repeatable workflows (e.g., scripting, queries, pipeline checks).
- Strong writing and communication skills: able to produce assessor- and customer-ready deliverables with minimal oversight in a high-change environment.
- Demonstrated adoption of automation (scripts, repeatable workflows, and responsible AI-enabled methods) to reduce manual compliance effort and improve quality.
- Comfort operating in high-change environments with CCBs, shifting priorities, and competing stakeholder demands.
- Cloud certification (e.g., CCSP or cloud provider security/professional certs such as Google’s Professional Cloud DevOps Engineer, Professional Cloud Security Engineer, or Professional Cloud Network Engineer).
If you are looking for a template-driven RMF job, stable requirements, or work where someone else keeps the artifacts/evidence aligned to reality, this will not be a fit. If you can execute RMF with urgency, run disciplined POA&M and evidence management, keep pace with CCB-driven change, and deliver customer-ready outputs with minimal oversight while partnering directly with engineering to make controls real and continuously verifiable, we want to meet you.
TDI does business with the federal government, which restricts employment to individuals who are either US citizens or lawful permanent residents of the United States.
“TDI is an Equal Opportunity Employer. Employment decisions are made based on individual qualifications, merit, and business needs. We do not discriminate in employment opportunities or practices based on race, color, religion, sex, or national origin, in accordance with applicable federal laws.”
Apply for this position
Required*