Back to search
Helios HR Linkedin · Posted 19d ago

Senior Cybersecurity Engineer (CSE)

Annapolis Junction

Linkedin
Continue to application Add your email once, then Caio opens the original posting.

Indexed description

Our client, Pueo Business Solutions, is hiring for a Senior Cybersecurity Engineer in the Annapolis Junction, MD area.


Pueo is seeking a highly skilled Senior Cyber Security Engineer with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards such as NIST 800-53, DISA STIGs, and RMF/ATO workflows.


Responsibilities

Air-Gapped / Classified Container Platforms

  • Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave.
  • Support cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments.
  • Work with image, helm, and chart mirroring, FIPS 140 validated cryptography, operating system hardening, and SELinux enforcing.
  • Maintain and govern a disconnected container registry, ensuring content sources, image signing, software bills of materials, and vulnerability gating.
  • Use tools such as Cosign, Syft, Grype, Trivy, OCI-level attestations, and curated repository promotions.
  • Enforce security baselines and policies without internet dependencies using tools such as OPA Gatekeeper, Kyverno, and image provenance verification.
  • Implement role-based access control, namespace isolation, and mutual TLS for mixed-sensitivity workloads within classified environments.
  • Manage critical Kubernetes vulnerabilities in air-gapped enclaves through risk triage, change windows, and mirrored updates.


CI/CD and Security Test Automation

  • Design CI/CD pipelines to build, test, sign, scan, and promote containers across development, test, and production environments in closed networks.
  • Work with GitLab and Jenkins runners, artifact promotion, and compliance-as-code practices.
  • Implement automated tests for static application security testing, dynamic application security testing, interactive application security testing, software composition analysis, and infrastructure-as-code scanning.
  • Ensure pipeline failures persist if discrepancies are detected.
  • Generate RMF/ATO evidence through automated pipeline outputs, mapping artifacts to NIST controls.
  • Support OSCAL output, control mappings, and integration with evidence stores such as eMASS.
  • Ensure artifacts meet quality and security criteria before promotion to higher environments, including reproducible builds, signed and provenanced artifacts, and passing STIG checks.
  • Implement tests for platform upgrade regressions using tools such as kube-bench, kube-hunter, and end-to-end integration suites.


Federal Cybersecurity Requirements

  • Tailor NIST 800-53 controls for microservices platforms, identifying platform and application team responsibilities.
  • Work with shared responsibility matrices and control inheritance catalogs.
  • Apply and track Kubernetes, Docker, and OpenShift STIG findings and exceptions.
  • Implement STIG-as-code approaches in CI/CD pipelines and perform continuous drift checks.
  • Implement telemetry collection for continuous monitoring using on-premise tools such as Prometheus, Grafana, auditd, and Falco.
  • Design and manage control dashboards and evidence snapshots.
  • Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools such as eMASS.
  • Reconcile conflicts between NIST, CNSS, and program-specific directives using risk-based decision memos and compensating controls.


Networking, Identity, and Zero Trust

  • Implement Zero Trust principles within Kubernetes beyond mutual TLS and role-based access control, using tools such as SPIFFE, SPIRE, and service mesh authorization.
  • Manage certificate lifecycles in air-gapped environments, including offline roots, short-lived certificates, and mesh certificate synchronization strategies.
  • Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments.
  • Support identity propagation from build systems through runtime enforcement using Sigstore attestations and audit chain linking.
  • Securely move artifacts across domains using tamper-evident transfer logs, hash-based validation, and offline review stations.


Operations, Site Reliability, and Incident Response

  • Build observability solutions for logs, metrics, traces, and capacity planning using on-premise tools such as EFK, Prometheus, and Tempo.
  • Design break-glass processes with time-bound privilege elevation, session recording, and immutable logs.
  • Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes.
  • Develop resiliency and disaster recovery strategies for service continuity across multiple isolated sites, including staged upgrades and backup and restore drills.
  • Integrate containerized environments with enterprise Security Operations Center teams during incident detection, containment, and recovery.
  • Define roles, telemetry requirements, and communication channels to support effective incident response.


REQUIRED QUALIFICATIONS:

  • 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience
  • IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines
  • Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments.
  • Deep understanding of CI/CD pipeline architectures, especially in disconnected networks.
  • Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes.
  • Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation.
  • Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment.
  • Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents.
  • Extensive experience in cybersecurity design and architecture.


CLEARANCE:

  • Top Secret minimum


Compensation Range

The salary range for this position is $220,000 to $245,000 annually. Final compensation will be based on experience, qualifications, certifications, clearance, and mission requirements.


Pueo is an equal employment opportunity employer and affirmative action employer. All interested individuals will receive consideration and will not be discriminated against on the basis of race, color, religion, sex, national origin, disability, age, sexual orientation, gender identity, genetic information, or protected veteran status. Pueo takes affirmative action in support of its policy to advance diversity and inclusion of individuals who are minorities, women, protected veterans, and individuals with disabilities.

Free. 20 seconds. No password. See every match in this search.

Create a free Caio profile to unlock more results and save your role and location preferences.

Unlock free search
Want help applying to roles like this? Search Caio for free. If CV tailoring and application tracking get heavy, Full Caio Agent adds a human specialist.
View Full Agent