Craft is a leader in supplier risk intelligence, providing enterprises with tools to monitor and evaluate their suppliers effectively. The company is seeking a Senior DevSecOps Engineer to lead the establishment of a FedRAMP-authorized cloud environment, focusing on security controls and compliance automation to support federal government agencies.
Responsibilities:
- Lead Craft’s FedRAMP readiness program — defining the roadmap, owning the ATO timeline, and driving execution across engineering and security stakeholders
- Design and implement AWS GovCloud architecture that meets FedRAMP Moderate and High requirements
- Translate NIST 800-53 Rev. 5 controls into concrete, auditable, and continuously enforced technical implementations — not just documentation
- Build and maintain compliance automation tooling to continuously validate control adherence across the environment, reducing manual audit burden
- Develop and manage secure CI/CD pipelines with integrated security gates, secrets management, and deployment controls appropriate for FedRAMP environments
- Author and maintain System Security Plans (SSPs), control implementation statements, and audit evidence packages; work directly with auditors and 3PAOs through assessment cycles
- Perform threat modeling, risk assessments, and security architecture reviews across the platform
- Define and drive how FedRAMP controls are embedded across the engineering lifecycle, partnering with full-stack, data, and machine learning teams to ensure consistent, scalable adoption
- Serve as the internal subject matter expert on FedRAMP, NIST 800-53, and federal compliance — upleveling the broader team’s knowledge as the program matures
Requirements:
- You have direct, hands-on FedRAMP ATO experience — you've been through the process, not just observed it
- You have strong working knowledge of NIST 800-53 Rev. 5 controls and how to implement them technically, not just document them
- You have deep hands-on experience securing AWS environments
- You have direct experience with AWS GovCloud, including its constraints and operational differences from commercial AWS
- You write advanced Terraform — modules, policy enforcement, and infrastructure that's auditable by design
- You've built or hardened CI/CD pipelines for secure, compliant deployments — integrating security scanning, secrets management, and access controls
- You've worked directly with auditors and 3PAOs: preparing evidence packages, responding to findings, and supporting assessment activities
- SOC 2 Type II experience, particularly in environments where it was mapped or extended to support FedRAMP or NIST frameworks
- Experience securing data platforms such as Databricks, including data isolation and access control patterns
- Familiarity with AI and LLM security concepts: prompt injection risks, model data isolation, inference boundary controls
- Experience working in a startup or lean DevSecOps environment where you've had to build programs pragmatically with limited resources