
Senior DevSecOps Engineer, Government Systems Security – Compliance
Posted Jul 1

Posted Jul 1
This is a fully remote position, open to applicants in California.
• Design and implement CI/CD security measures (SAST, dependency scanning, secrets detection, SBOM generation) within ASR’s version control environments (GitHub, GitLab, or similar).
• Create a structured artifact management system that includes semantic versioning, signed releases, and audit-traceable build provenance; oversee release pipelines across varying compliance tiers (commercial, CMMC-controlled, SIPRNet-classified).
• Take full responsibility for CMMC Level 2 compliance; develop and sustain SSP, POA&M, and ATO/IATT support documentation for government program deliveries.
• Apply NIST SP 800-82 OT security controls to embedded flight software, GCS services, and swarm communications protocols.
• Enforce technical controls for CUI management, export-controlled repository access, and ITAR/EAR compliance within development workflows.
• Establish threat modeling and SSDF (NIST SP 800-218) practices; ensure SBOM generation aligns with EO 14028 and DoD supply chain mandates.
• Verify that the source control organization adheres to necessary security standards: MFA implemented as needed, least-privilege access controls enforced, audit logging verified, and third-party application permissions regulated.
• Assist in corporate IT integration: synchronize ASR’s development environment with larger CMMC and CUI enclave requirements as the organization expands.
• Active Secret clearance or a demonstrated ability and willingness to obtain one.
• Over 5 years of experience in DevSecOps, security engineering, or information assurance, including at least 2 years in a DoD or defense contractor setting.
• Proficient understanding of CMMC 2.0 Level 2 requirements and assessment procedures.
• Hands-on experience with GitHub Actions, GitLab CI, or similar CI/CD platforms, including the ability to write custom pipeline configurations for security automation.
• Capability to read and analyze C++ and Python codebases for threat modeling, SAST triage, and vulnerability assessment.
• Awareness of the differences in OT/embedded system security compared to enterprise IT; ability to implement NIST 800-82 to firmware and autopilot-layer software.
• Familiarity with SBOM generation tools (e.g., Syft, CycloneDX, SPDX) and DoD supply chain security requirements.
• Knowledge of ITAR/EAR technical controls: CUI management, export-controlled repository access, and developer access oversight.
• Comfortable working independently with minimal supervision; capable of maintaining composure and effectiveness under operational pressure.
• Generous annual equity package.
• Potential bonuses.
Evio
DBSync
IRIUM
Sardine
Get handpicked remote jobs straight to your inbox weekly.