Location: Remote / Hybrid / Client Site as Required
Employment Type: Full-Time
Clearance/Eligibility: Must be a U.S. Citizen and able to pass a federal background investigation. Active Secret or Top Secret clearance preferred.
Position Overview
We are seeking a Salesforce Platform Security Architect / Federal ATO Controls Lead to support corporate and client-facing federal programs involving Salesforce security, secure configuration review, control validation, ATO support, FedRAMP alignment, and POA&M remediation.
The selected candidate will assess Salesforce environments to confirm that access controls, sharing models, identity settings, integrations, audit capabilities, and administrative configurations are properly designed, securely configured, and aligned with federal security requirements. The role requires a senior professional who can review Salesforce orgs in detail, identify security weaknesses, recommend corrective actions, and validate that remediation steps are complete and properly documented.
The candidate must have proven federal experience and the ability to work with technical teams, security teams, program managers, auditors, assessors, and client stakeholders. The role may be performed remotely or in a hybrid model, with occasional on-site meetings required for client discussions, security reviews, assessment support, program briefings, or major delivery milestones.
Key Responsibilities
- Review Salesforce security architecture across production and non-production environments.
- Assess profiles, permission sets, permission set groups, roles, role hierarchy, organization-wide defaults, sharing rules, public groups, queues, object permissions, field-level security, and record-level access.
- Validate that Salesforce access models follow least privilege, separation of duties, and role-based access principles.
- Review administrative permissions, privileged users, integration users, service accounts, external users, guest users, and Experience Cloud users.
- Identify excessive access, weak sharing models, unmanaged permissions growth, unsecured external access, and improper administrative privileges.
- Review high-risk Salesforce permissions, including Modify All Data, View All Data, Manage Users, Customize Application, Author Apex, API Enabled, Export Reports, and Manage Profiles and Permission Sets.
- Assess login policies, session settings, MFA, SSO, identity federation, IP restrictions, trusted IP ranges, certificate use, OAuth policies, and API access.
- Review connected apps, named credentials, external credentials, authentication providers, middleware connections, OAuth scopes, and integration security patterns.
- Evaluate Salesforce Experience Cloud security settings, including guest user access, public endpoint exposure, external sharing, site visibility, and external user data access.
- Review Salesforce Health Check, Security Center, Shield, Event Monitoring, Field Audit Trail, Platform Encryption, Setup Audit Trail, login history, and other security monitoring features where available.
- Recommend practical security improvements that reduce risk of unauthorized access, data exposure, privilege escalation, credential misuse, and insecure system-to-system access.
- Support federal ATO, reauthorization, annual assessment, continuous monitoring, and security impact assessment activities.
- Review NIST SP 800-53 Rev. 5 controls and determine how Salesforce configurations support applicable control requirements.
- Map Salesforce technical configurations to access control, audit, authentication, configuration management, risk assessment, system protection, and monitoring controls.
- Review control implementation statements for technical accuracy and completeness.
- Identify gaps between documented controls and actual Salesforce configuration.
- Prepare control evidence for ISSOs, ISSMs, System Owners, assessors, auditors, 3PAOs, and Authorizing Officials.
- Distinguish between inherited cloud controls, shared controls, customer-configured controls, and application-specific controls.
- Support client-facing discussions related to ATO readiness, control implementation, security posture, remediation status, and residual risk.
- Review POA&M items and determine root cause, affected control, technical risk, remediation approach, responsible owner, target date, and closure evidence.
- Determine whether findings represent technical weaknesses, documentation gaps, inherited-control issues, compensating-control needs, false positives, or risk acceptance candidates.
- Support remediation of findings related to access control, audit logging, configuration management, integration security, vulnerability management, identity management, and continuous monitoring.
- Prepare closure evidence, including screenshots, configuration exports, access review records, audit logs, test results, updated procedures, and revised control narratives.
- Track POA&M status and validate completion of corrective actions.
- Support recurring audit readiness, ConMon reporting, and client security reviews.
Required Qualifications
- U.S. citizenship required.
- Ability to pass a federal background investigation.
- Bachelor’s degree or equivalent professional experience preferred.
- 8 or more years of experience in cybersecurity, Salesforce security, cloud security, security architecture, ISSO support, control validation, GRC, or federal compliance.
- 4 or more years of hands-on Salesforce security experience.
- Proven experience supporting federal programs, federal clients, ATO activities, FedRAMP environments, or NIST-based security programs.
- Strong understanding of Salesforce security architecture, including profiles, permission sets, roles, sharing rules, organization-wide defaults, object permissions, field-level security, record access, Experience Cloud security, and administrative privileges.
- Experience reviewing Salesforce environments for excessive permissions, external exposure, insecure sharing, weak authentication, unmanaged privileged access, and insecure integrations.
- Working knowledge of NIST SP 800-53 Rev. 5, FedRAMP security expectations, POA&M management, and continuous monitoring.
- Experience supporting control validation, security documentation, assessor evidence, audit readiness, or ATO packages.
- Ability to translate Salesforce technical settings into federal control narratives and evidence.
- Experience reviewing connected apps, OAuth flows, APIs, named credentials, authentication providers, service accounts, integration users, and system-to-system access.
- Strong written and verbal communication skills.
Preferred Qualifications
- Active Secret or Top Secret clearance.
- Prior federal public trust, suitability, or background investigation.
- Experience with Salesforce Government Cloud, Government Cloud Plus, or FedRAMP-authorized Salesforce environments.
- Experience with Salesforce Shield, Event Monitoring, Field Audit Trail, Platform Encryption, Security Center, Health Check, Setup Audit Trail, and Transaction Security.
- Experience supporting 3PAO assessments, independent assessments, annual assessments, reauthorization, or continuous monitoring.
- Experience preparing or reviewing SSPs, control implementation statements, SAR responses, POA&Ms, risk assessments, security impact assessments, and evidence packages.
- Experience with vulnerability management, configuration baselines, SIEM integration, audit logging, privileged user reviews, and recurring access reviews.
- Familiarity with JIRA, Confluence, ServiceNow, Splunk, Okta, Microsoft Entra ID, GitHub, Copado, MuleSoft, or similar enterprise tools.
- Experience supporting federal case management, grants management, financial management, regulatory, law enforcement, or mission support systems.
Benefits
- 401(k) matching
- Dental insurance
- Health insurance
- Paid time off
- Vision insurance
Work Location: Remote