Peraton is a next-generation national security company that drives missions of consequence spanning the globe. They are seeking an experienced Security Engineer to support the security, compliance, and maintenance of a large-scale, web-based government application, ensuring a comprehensive security posture aligned with various regulatory requirements.
Responsibilities:
- Design, implement, and maintain security controls in accordance with NIST SP 800-53 (Moderate) across all system components
- Deploy, configure, and maintain a Web Application Firewall (WAF) and enforce OWASP Top 10 validation throughout the software development lifecycle
- Implement and manage TLS 1.2/1.3 encryption for data in transit and 256-bit AES (FIPS 140-2/140-3 compliant) encryption for data at rest
- Conduct and coordinate SAST, DAST, and Software Composition Analysis (SCA) as part of the secure development lifecycle
- Maintain a Software Bill of Materials (SBOM) for all applications and manage application allowlisting to prevent unauthorized software execution
- Implement and manage IEEE 802.1X certificate-based network access control
- Develop, maintain, and continuously update the Security Risk Management Plan
- Manage real-time, automated hardware and software asset inventory tracking
- Coordinate and support annual independent security audits (NIST SP 800-53 Moderate or SOC 2 Type II); deliver SOC 2 Type II reports
- Monitor system security logs and provide on-demand access to designated agency personnel
- Lead incident response activities; deliver breach/incident notifications to the Agency within 24 hours of discovery
- Ensure all Agency Data remains within the United States or its territories at all times — no overseas access, transmission, storage, or backup permitted
- Manage cryptographic key lifecycle in accordance with NIST SP 800-57
- Perform data sanitization and media destruction per NIST SP 800-88 (Rev. 1)
- Classify and protect all Agency Data per applicable Oregon Information Asset Classification policies
- Generate User Access Reports and Data Sanitization Certifications upon agency request
- Provide prior notification to the Agency before responding to any third-party or law enforcement requests for Agency Data
- Ensure all personnel complete periodic privacy and security training per NIST SP 800-53 AT family controls
- Support disaster recovery planning and geographically dispersed hosting operations within Oregon
Requirements:
- Bachelor's degree and 5 years of experience, or an Associate's degree and 7 years of experience, or a High School diploma and 9 years of experience
- Must be a U.S. Citizen or Green Card holder
- Must be able to pass an FBI NCIC fingerprint-based background check
- 5+ years of experience in information security engineering, cybersecurity, or a related discipline
- Demonstrated experience implementing NIST SP 800-53 (Moderate) security controls in a production environment
- Hands-on experience with SOC 2 Type II audit processes and remediation
- Proficiency with OWASP Top 10 vulnerability identification and remediation
- Experience deploying and managing Web Application Firewalls (WAF)
- Working knowledge of SAST, DAST, and SCA tools and integration into CI/CD pipelines
- Experience with TLS 1.2/1.3, AES-256, and FIPS 140-2/140-3 compliant encryption implementations
- Familiarity with NIST SP 800-57 (cryptographic key management) and NIST SP 800-88 (media sanitization)
- Experience with IEEE 802.1X network access control
- Experience maintaining Software Bills of Materials (SBOM) and application allowlisting technologies
- Knowledge of incident response procedures, including breach notification requirements
- Familiarity with cloud infrastructure security and data residency requirements
- Strong written and verbal communication skills; ability to produce audit-ready documentation and compliance reports
- Experience supporting state or federal government IT systems or election infrastructure
- Knowledge of Oregon Consumer Information Protection Act (OCIPA) (ORS 646A.600–646A.628) and Oregon Statewide Information Security Standards
- Familiarity with Oregon Executive Order 23-26 (AI governance requirements)
- Experience with Peraton Cloud Seed or similar government cloud environments
- Relevant certifications: CISSP, CISM, CEH, CompTIA Security+, AWS/Azure Security Specialty, or equivalent
- Experience with geographically dispersed hosting and disaster recovery in government environments
- Reside in the Oregon/Washington area