SECURITY & COMPLIANCE ENGINEER (SCE)

ZERMOUNT POSITION DESCRIPTION (PD) SECURITYCOMPLIANCE ENGINEERING (SCE)

POSITION OVERVIEW

Zermount Inc. is seeking System Compliance Engineering (SCE) to support system risk analysis and ensure that federal information systems comply with Information Assurance and cybersecurity standards. The SCE ensures that federal information systems are secure in operation, not merely compliant with documentation. This role directly contributes to mission assurance by identifying, validating, and mitigating real-world cybersecurity risks across enterprise environments.

The SCE operates at the intersection of compliance, engineering, and mission operations, transforming federal mandates (e.g., NIST RMF, FISMA, EO 14028, OMB directives) into measurable, technically enforced security outcomes. Rather than relying solely on static assessments, the role requires continuous evaluation of the system's security posture by directly analyzing configurations, logs, architectures, and control implementations.

This position is designed for individuals with foundational technical expertise across multiple domains, including cloud platforms, network architecture, operating systems, identity systems, and databases. You must be able to independently assess systems, identify exploitable conditions, and validate whether implemented controls effectively reduce risk in real-world scenarios.

The role is a core component of Zermount's Modern GRC mindset, emphasizing:

• Continuous monitoring of system compliance responsibilities
• Real-time risk identification and prioritization
• Direct integration with system teams to drive remediation
• Elimination of "check-the-box" compliance practices

You will be responsible for producing decision-quality outputs that enable system owners, ISSOs, and leadership to make informed, risk-based decisions. This includes identifying control failures, recommending technically sound remediation strategies, and validating that corrective actions are effective and sustainable.

DUTIESRESPONSIBILITIES

General Duties

• Execute RMF lifecycle (Prepare–Monitor) while validating controls directly in operational environments
• Identify and document real-time risks through analysis of logs, telemetry, configurations, and architecture
• Validate implementation of security controls (STIGs, MFA, encryption, access control) using system-level evidence
• Identify exploitable misconfigurations, weak trust boundaries, and gaps across cloud, network, OS, and database layers
• Drive POA&M actions by prioritizing risk based on exploitability and mission impact, ensuring closure within defined timelines
• Perform continuous monitoring (ISCM/CDM) with emphasis on actual system behavior vs. reported compliance
• Translate NIST, EO 14028, OMB, and TIC 3.0 requirements into specific technical remediation actions
• Validate remediation actions with repeatable verification methods (not documentation review)
• Produce executive-quality outputs (risk findings, remediation plans, executive summaries)
• Maintain system artifacts and documentation only as a byproduct of validated technical work

SUBJECT MATTER EXPERTISE (SME)

SME Area #1 – Primary Expertise: Technical Risk Validation (Modern GRC Execution)

Expert-level means:

• Ability to independently assess systems using direct technical inspection techniques, leveraging logs, configs, architecture documents, etc.
• Deep working knowledge of critical frameworks and directives such as:
  • NIST RMF (800-37, 800-53, etc.)
  • FISMA, EO 14028, OMB M-21-31 / M-22-09
  • FIPS 199/200
  • TIC 3.0 and Zero Trust principles (CISA ZT MM, NIST 800-207, etc.)
• Ability to identify threat surfaces within specific systems, not just control gaps
• Ability to convert compliance requirements into specific and actionable remediation actions that the system teams can be used to successfully remediate findings

Required Tools Experience:

• Vulnerability scanning tools such as: Tenable, Qualys, CrowdStrike, etc.
• Log analysis platforms such as: Splunk, Microsoft Sentinel, IBM QRadar, etc.
• Configuration and system inspection tools such as: Ansible, Terraform, Puppet etc.
• GRC platforms such as: Archer, ServiceNow, etc.

SME Area #2 – Secondary Expertise: Multi-Domain Technical Depth

You must have deep knowledge of one or more of the following technical domains and must demonstrate the ability to leverage this experience to inform and complete compliance-related tasks.

Technical Domains

• Cloud: AWS/Azure (IAM, logging, network security, misconfigurations)
• Network: Segmentation, firewalls, boundary protections, Zero Trust enforcement points
• Systems: Windows/Linux hardening, identity systems (AD, MFA)
• Databases/Data: Access control, encryption, auditing

QUALIFICATIONS

Minimum Requirements

• 5+ years of cybersecurity experience supporting U.S. Government systems
• 4+ years performing RMF, ISSO, Assessment, or GRC functions with direct technical validation responsibilities
• Demonstrated hands-on experience in at least two technical domains (cloud, network, systems, or databases)
• Proven ability to analyze:
  • System configurations, ATOs, and other supporting security documentation
  • Logs/telemetry
  • Architecture documentation and data flow diagrams

Preferred Qualifications

• Experience implementing or assessing Zero Trust architectures
• Experience with CDM, ISCM, and enterprise logging programs
• Familiarity with threat-informed defense concepts
• Experience in hybrid cloud environments

Competency

• Technical risk identification and prioritization
• Independent problem-solving in ambiguous environments
• Ability to translate policy into technical action
• Clear communication with both engineers and leadership

EducationCertifications

• Bachelor of Science (B.S.) in Computer Science, IT, Cybersecurity, or a related field, and a minimum of 5 years of IT cybersecurity experience, including direct support for the US Government and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role.
• Without a B.S. in a relevant field - A minimum of 10 years of IT Cybersecurity experience, including direct support for the US Government, and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role.
• At least one of the following security certifications is required:
  • Certified Authorization Professional (CAP)
  • Certified Information Security Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP), or Certified Chief Information Security Officer (CCISO)
  • Governance RiskCompliance Certification (CGRC)
  • Or alternatively approved certifications

Clearance Level

Minimum of active Secret Clearance and ability to obtain and maintain DHS suitability

WORK LOCATION

• The position is primarily remote – Continental U.S only
• Primary location when on site: Arlington, VA, and Springfield, VA
• Must be willing to travel - Not to exceed 10% of the time

HOURS OF OPERATION

• 8:00 am EST – 4:30 pm EST
• • Times may fluctuate based on client and business requirements

REPORTING STRUCTURE

• Reports To: Security Compliance Engineering Team Lead
• Direct Reports: N/A