CORMAC is seeking a Security Compliance Engineer. The role involves security analysis, framework governance, and hands-on development work to safeguard complex federal healthcare systems, focusing on secure coding solutions and cybersecurity governance.
Responsibilities:
- Review applications and services for security issues, then directly implement code changes to remediate them and proactively implement security controls
- Work closely with the Product Owners, ISSOs, engineering and infrastructure staff to provide guidance on implementation of security policies, standards, and procedures
- Create design documentation following federal security and compliance frameworks, including HIPAA, NIST, etc.
- Analyze and interpret agency security requirements and ensure compliance with standards
- Collaborate with agency representatives to implement security initiatives through direct code development work
- Conduct vulnerability assessments and handle the resulting code-based remediation. Monitor networks, databases and web-based assets for potential system breaches
- Respond to alerts from information security tools. Report, investigate, and resolve higher level security incidents
- Iterate on security rules and alerting capabilities. Create and maintain security tool dashboards and reporting
- Educate organization users on security requirements and teach safe coding practices through hands-on lessons, with a focus on continuous improvement of security standards and maintenance of internal security
- Provide vulnerability & compliance reviews and present any findings to government stakeholders, followed by direct remediation work as a developer
Requirements:
- Bachelor's degree in Cybersecurity, Computer Science, Information Technology, or a similar field
- Must be a U.S. Citizen
- Must be able to obtain a Public Trust (Tier I) Clearance
- Minimum of 5 years of progressive experience in information security, cybersecurity engineering, or system security roles, with demonstrated technical depth and increasing responsibility
- Ability to maintain cybersecurity framework compliance from a governance perspective while also doing hands-on development work: remediating security issues and implementing security controls directly in code
- Coding experience, with the ability to update code directly in a development role
- Hands-on coding, scripting, or automation experience using Python, JavaScript, and Bash to improve security operations, remediate security issues, or perform compliance validation
- Proven experience owning and maintaining an Authorization to Operate (ATO), including authoring, updating, and defending security artifacts such as System Security Plans (SSPs), Incident Response Plans, contingency plans, and related documentation
- Demonstrated hands-on experience managing vulnerability and compliance scanning programs and their remediation using tools such as Tenable, AWS Security Hub, and Snyk
- Ability to assess security findings by reviewing code, determine risk severity, prioritize remediation, and drive closure by directly updating code
- Strong hands-on experience securing cloud-based environments, with a focus on AWS (IAM, GuardDuty, CloudTrail, Security Hub) and SaaS platforms
- Experience with least-privilege enforcement across cloud, application, and CI/CD environments
- Strong written and verbal communication skills, with the ability to clearly articulate security risks, requirements, and remediation strategies to technical teams, leadership, and government stakeholders
- Ability to work independently and as part of a cross-functional team, managing multiple priorities in a fast-paced, highly regulated environment
- Master of Science in Cybersecurity, Computer Science, Information Technology, or a similar field
- Experience with governance and direct engineering/development work to comply with the NIST SP 800-53, HIPAA, and ISO 20000-1 frameworks
- Federal government contracting experience supporting complex, multi-system environments, preferably within health, civilian, or defense agencies
- Advanced or senior-level industry security certifications, such as: CISSP, CISM, CRISC, or GIAC (GSEC, GCSA, GPEN)
- Cloud security and architecture certifications, including: AWS Certified Security – Specialty, AWS Solutions Architect, CCSP or CCSK
- DevSecOps, automation, or platform security certifications, such as: Kubernetes Security (CKS), GitHub Advanced Security or equivalent
- Offensive or advanced technical security certifications, including: OSCP, CEH, GPEN, GWAPT, or similar
- Experience securing SaaS platforms from both a governance and direct developer level, with preference for Salesforce GovCloud, including roles, profiles, permission sets, MFA, OAuth, and third-party monitoring tools
- Experience designing or maintaining security dashboards and executive-level metrics for visibility into vulnerabilities, compliance posture, access reviews, and risk trends
- Experience facilitating incident response activities, tabletop exercises, and driving lessons learned into measurable, continuous improvement
- Demonstrated ability to mentor engineers and product teams on secure development practices, threat modeling, and evolving security risks