Senior Cybersecurity Engineer

We are seeking a highly skilled Cybersecurity Engineer (CSE) with extensive experience in air-gapped and classified container platforms, CI/CD pipelines, security automation, and federal cybersecurity requirements. The ideal candidate will possess hands-on expertise in Kubernetes, OpenShift, registry management, security test automation, and the implementation of cybersecurity controls in compliance with federal standards like NIST 800-53, DISA STIGs, and RMF/ATO workflows.

A) Air-Gapped / Classified Container Platforms (Kubernetes/OpenShift/RKE2)

• Designing a Disconnected Cluster

• Design and manage a multi-container OpenShift hosted platform in an air-gapped enclave.
• Expertise in cross-domain CI/CD, blue-green testing, and platform deployment within disconnected environments.
• Familiar with image/helm/chart mirroring, FIPS 140 validated crypto, OS hardening (e.g., Alpine), and SELinux enforcing.

• Registry and Artifact Governance

• Maintain and govern a disconnected container registry, ensuring content sources, image signing, SBOMs, and vulnerability gating.
• Familiarity with tools such as Cosign, Syft, Grype, Trivy, OCI level attestations, and curated repository promotions.

• Admission Control & Policy Enforcement

• Enforce security baselines and policies without internet dependencies using tools like OPA Gatekeeper, Kyverno, and image provenance verification.

• Cluster Multi-Tenancy in SCIFs

• Implement RBAC, namespace isolation, and mTLS for mixed-sensitivity workloads within a SCIF (Sensitive Compartmented Information Facility).

• Patching and CVE Response Offline

• Manage critical Kubernetes CVEs in air-gapped enclaves through risk triage, change windows, and mirrored updates.

B) CI/CD & Security Test Automation (Disconnected)

• Pipeline Architecture for Classified Enclaves

• Design CI/CD pipelines to build, test, sign, scan, and promote containers across Dev ? Test ? Prod in closed networks.
• Familiarity with GitLab/Jenkins runners, artifact promotion, and "compliance as code" practices.

• Automated Security Testing Coverage

• Implement automated tests for SAST, DAST, IAST, SCA, and IaC scanning within CI/CD pipelines.
• Ensure pipeline failures persist if discrepancies are detected.

• Evidence Generation for RMF

• Generate RMF/ATO evidence via automated pipeline outputs, mapping artifacts to NIST controls.
• Knowledge of OSCAL output, control mappings, and integration with evidence stores like eMASS.

• Promotion Gates & Provenance

• Ensure artifacts meet quality and security criteria (e.g., reproducible builds, signed/provenanced artifacts, passing STIG checks) before promotion to higher environments.

• Testing for Platform + App Security Regressions
• Implement tests for platform upgrade regressions using tools like kube-bench, kube-hunter, and e2e integration suites.

C) Federal Cybersecurity Requirements (RMF/ATO, STIGs, CNSS, FedRAMP)

• RMF Tailoring in Containerized Systems

• Tailor NIST 800-53 controls for microservices platforms, identifying platform vs. app team responsibilities.

• Work with shared responsibility matrices and control inheritance catalogs.

• DISA STIG Application to Kubernetes Workloads

• Apply and track Kubernetes/Docker/OpenShift STIG findings and exceptions.

• Implement a "STIG as code" approach in CI/CD pipelines and perform continuous drift checks.

• Continuous Monitoring (CONMON)

• Implement telemetry collection for CONMON using on-prem tools (e.g., Prometheus, Grafana, auditd, Falco).

• Design and manage control dashboards and evidence snapshots.

• ATO Acceleration through Automation

• Reduce ATO lead times using automated assessments, OSCAL generation, and integration with tools like eMASS.

• Policy Conflicts & Adjudication

• Reconcile conflicts between NIST, CNSS, and program-specific directives, leveraging risk-based decision memos and compensating controls.

D) Networking, Identity & Zero Trust in On-Prem/Classified Enclaves

• Zero Trust in Kubernetes
• Implement Zero Trust principles within Kubernetes beyond mTLS and RBAC, using tools like SPIFFE, SPIRE, and service mesh authZ.
• Offline PKI Operations
• Manage certificate lifecycles in air-gapped environments, utilizing offline roots, short-lived certs, and mesh cert synchronization strategies.
• East-West Segmentation Strategy
• Design and implement micro-segmentation and egress controls for multi-tenancy within classified environments.
• Identity Propagation Across Layers
• Ensure identity propagation from build systems through runtime enforcement, using tools like Sigstore attestations and audit chain linking.
• Cross-Domain and Data Movement Patterns
• Securely move artifacts across domains with tamper-evident transfer logs, hash-based validation, and offline review stations.

E) Operations, SRE & Incident Response in SCIFs

• Observability without SaaS

• Build observability solutions for logs, metrics, traces, and capacity planning using on-prem tools like EFK, Prometheus, and Tempo.

• Break Glass & Change Control

• Design a break-glass process with time-bound privilege elevation, session recording, and immutable logs.

• Forensics & Container Runtime

• Collect forensic evidence from compromised container nodes while preserving data integrity through disk snapshots and isolated triage nodes.

• Resiliency & DR in Disconnected Sites

• Develop strategies for service continuity across multiple isolated sites, including staged upgrades and backup/restore drills.

• Application Team & SOC Integration

• Integrate containerized environments with enterprise SOC teams during incident detection, containment, and recovery.

• Define roles, telemetry requirements, and communication channels for effective response.

• 12 years of experience and a Masters degree. Degree can be substituted for 6 additional years of applicable experience
• IAT/IAM Level 3 Certification in compliance with DoD 8570/8140 guidelines
• Extensive experience working with Kubernetes, OpenShift, RKE2, and container registry management in air-gapped and classified environments.
• Deep understanding of CI/CD pipeline architectures, especially in disconnected networks.
• Expertise in federal cybersecurity frameworks, such as NIST 800-53, DISA STIGs, RMF, and ATO processes.
• Familiarity with security testing tools (SAST, DAST, IAST, IaC) and automated compliance validation.
• Proven track record of enforcing Zero Trust principles, PKI management, and network segmentation in a classified environment.
• Strong ability to map pipeline artifacts to RMF/ATO controls and support security operations during incidents.
• Extensive experience in cybersecurity design and architecture.

Pueo is known for bringing the best talent and unique tools to every opportunity. Pueo's Parliament (aka workforce) is composed of professionals who are seeking the opportunity to work in a business organization that thrives on career development and independence. In support of mission and professional growth, our Parliament has supported the development of multiple patents, proprietary tools, and applications as well as trademarked processes. Our organization emphasizes career development across multiple career environments (at the members own pace) and ensures those who contribute broadly are properly rewarded. Pueo has four career environments where every member of the parliament can participate. Each environment has opportunities available for all levels. Opportunities are framed by an employee's desires and capabilities, and we ensure challenges, growth, and unique experiences are available for employees at all levels. Our Career Environments (Program, Functional, Service, and Leadership) provide numerous opportunities for employees to invest in their personal growth and those things that offer fulfillment. We invest in helping our members create and execute their career development plans. Our Pods (small teams of 5 or less) are comprised of personnel with similar skillsets to ensure mentorship, understanding, and peer support.