Qureos


Security & Infrastructure Engineer (DevSecOps)

Santa Monica, United States

Summary

CivicLock is a pre-raise, early-stage startup hiring a hands-on security and infrastructure lead in Los Angeles County to take ownership of backend security, chain-of-custody integrity, cloud architecture, and compliance. You will work side by side with the founder, migrate control from a contractor environment to a CivicLock-owned stack, and build the foundation for SOC 2 and CJIS alignment. This is a hybrid role with regular in-person days in LA County.

What you will own

Control and access

  • Move all code and cloud assets into CivicLock-owned orgs. Enforce SSO, MFA, least-privilege IAM, and role-based access for staff and contractors.
  • Replace personal SSH keys with short-lived, auditable access via SSO, strong device posture, and per-repo deploy keys. All production changes go through CI only.

Evidence security and chain of custody

  • Design and implement end-to-end hashing and receipts for every upload: client-side and server-side SHA-256 hashing, signed manifests, an immutable audit log, and timestamping.
  • Harden evidence storage with KMS, S3 Object Lock (WORM), lifecycle rules, and secure egress for prosecutor exports.

Cloud architecture

  • Stand up a multi-account AWS architecture with IaC. Separate dev, staging, and prod. Private subnets, WAF, CloudTrail Lake, central logging, SIEM integration.
  • Secrets management with AWS KMS and Parameter Store or Vault. Key rotation policy and break-glass procedures.

App security and delivery

  • CI/CD with branch protections, CODEOWNERS, SAST, dependency scanning, container scanning, and IaC scanning. Repeatable blue-green or canary deploys.
  • API security: rate limiting, request signing, and scoped presigned uploads.

Compliance and readiness

  • SOC 2 Type II readiness plan: policies, risk register, asset inventory, vendor management, vulnerability management, incident response program.
  • CJIS alignment and a path to GovCloud where required, including personnel controls and logging controls.

Mentorship and enablement

  • Pair with the founder to explain choices, document runbooks, and level up internal capability. Light code reviews with backend vendors.
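The evidence-receipt flow described under "Evidence security and chain of custody" above, as an added illustration (not CivicLock code and not part of the original posting): the client hashes the upload with SHA-256, the server re-hashes and refuses on mismatch, issues a signed manifest as the receipt, and records the event in a hash-chained, append-only audit log that can be re-verified later. Assumptions not taken from the posting: manifests are signed with HMAC-SHA256 under a constructed key that stands in for a KMS-backed signing key, timestamps are passed in as ISO-8601 strings so the run is deterministic, the audit log is in memory (production would put it behind Object Lock/WORM storage), and the sample upload bytes, evidence ID and uploader name are constructed.

```python
"""Added example: chain-of-custody receipts for evidence uploads (illustrative only)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for a KMS-held signing key. Never hard-code real keys.
SERVER_SIGNING_KEY = b"example-only-signing-key-do-not-use"
GENESIS_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj: dict) -> bytes:
    """Canonical JSON so every party hashes and signs identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def client_prepare_upload(data: bytes) -> dict:
    """What the client sends alongside the bytes: its own digest and size."""
    return {"sha256": sha256_hex(data), "size": len(data)}


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "prev_hash": prev, "event": event}
        entry = dict(body, entry_hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edit, deletion or reorder breaks it."""
        prev = GENESIS_HASH
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_hash"] != prev:
                return False
            body = {"seq": seq, "prev_hash": prev, "event": entry["event"]}
            if entry["entry_hash"] != sha256_hex(canonical(body)):
                return False
            prev = entry["entry_hash"]
        return True


def sign_manifest(manifest: dict, key: bytes = SERVER_SIGNING_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_receipt(receipt: dict, key: bytes = SERVER_SIGNING_KEY) -> bool:
    expected = sign_manifest(receipt["manifest"], key)
    return hmac.compare_digest(expected, receipt["signature"])


def ingest_upload(log: AuditLog, evidence_id: str, data: bytes,
                  client_claim: dict, uploader: str, received_at: str) -> dict:
    """Server side: re-hash, compare to the client's claim, sign, and log."""
    server_hash = sha256_hex(data)
    if client_claim["sha256"] != server_hash or client_claim["size"] != len(data):
        # An integrity failure is itself evidence: record it, then refuse.
        log.append({"type": "upload_rejected", "evidence_id": evidence_id,
                    "claimed": client_claim["sha256"], "observed": server_hash,
                    "uploader": uploader, "at": received_at})
        raise ValueError("client/server hash mismatch")
    manifest = {"evidence_id": evidence_id, "sha256": server_hash,
                "size": len(data), "uploader": uploader,
                "received_at": received_at}
    entry = log.append({"type": "upload_accepted", "manifest": manifest})
    # The receipt binds the manifest to its position in the audit log.
    bound = dict(manifest, audit_entry_hash=entry["entry_hash"])
    return {"manifest": bound, "signature": sign_manifest(bound)}


if __name__ == "__main__":
    # Constructed sample upload.
    log = AuditLog()
    body = b"bodycam-2025-01-01.mp4 (constructed sample bytes)"
    receipt = ingest_upload(log, "EV-0001", body, client_prepare_upload(body),
                            "officer-42", datetime.now(timezone.utc).isoformat())
    print(json.dumps(receipt, indent=1))
    print("receipt valid:", verify_receipt(receipt), "chain ok:", log.verify())
```

The server never trusts the client's digest; it recomputes and only then signs. Binding the receipt to the audit entry hash means a prosecutor export can be checked against both the signature and the log position, and a later edit to any logged event, including the rejection records, is caught by `AuditLog.verify()`.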

Must have

  • 5+ years in DevSecOps or Security Engineering with production ownership of AWS stacks
  • Strong AWS IAM, VPC, KMS, S3 Object Lock, CloudFront, WAF, CloudTrail, GuardDuty
  • Terraform or Pulumi, GitHub Actions or similar CI/CD, Docker, container security
  • Proven delivery of SOC 2 readiness or certification and policy implementation
  • Designing immutable audit trails and cryptographic integrity workflows
  • Hardening workflows for external contractors and rotating secrets at scale
  • Excellent documentation and the ability to work on site in LA County several days per week
  • Willing to pass background screening suitable for handling law enforcement data

Nice to have

  • CJIS experience, NIST SP 800-53 moderate baseline, FedRAMP concepts, or GovCloud migrations
  • Evidence or chain-of-custody systems, Merkle trees or tamper-evident logs
  • Postgres, Redis, SQS, Step Functions, EKS or Fargate
  • SSO and device posture enforcement with MDM

Engagement

  • Part-time: Contract-to-hire
  • Location: Los Angeles County, hybrid in person
  • Compensation: market-competitive base plus early equity. Open to senior or staff level depending on depth.

Job Type: Part-time

Pay: $30.00 - $60.00 per hour

Expected hours: 5 – 40 per week

Work Location: Hybrid remote in Santa Monica, CA 90401

© 2025 Qureos. All rights reserved.