Security Architecture & Engineering Sme

Zermount Inc. is seeking a Cybersecurity Architect & Engineer SME who can create government solutions that will withstand even the most complex of IT and Cyber threats. The SME will support a federal client's enterprise cybersecurity and Continuous Authorization to Operate (cATO) initiative(s). The SME provides technical expertise, architectural recommendations, and engineering oversight across hybrid environments (on‑prem, cloud, and Cloud). The role focuses on designing secure enterprise architectures, engineering automated control assessments and evidence pipelines, and operationalizing zero trust and cATO capabilities.
You will coordinate with a dynamic team of thought leaders and experts to determine the right tools and methods to translate your client's IT needs and future goals into a plan that delivers secure and efficient solutions. You will assist the client through a critical approach to innovative solutions design, suggesting alternatives and tweaking capabilities to maintain a balance between security and mission needs. The candidate must have experience in delivering measurable improvements in security posture, automation, and compliance maturity.

DUTIES AND RESPONSIBILITIES

• Develop, maintain, and evolve the Enterprise Security Reference Architecture (ESRA).


• Provide architectural input to the organization's Cybersecurity Roadmap and Strategy, addressing: o Continuous ATO (cATO) and automated control testing maturity.
  
  
  
  • Cloud security standards, compliance, and improvements to ATO timelines.
  
  
  • Cloud monitoring, detection, response, and security operations.
  
  
  • Privacy, continuous monitoring, and vulnerability assessment modernization.
  
  
  • Integration of security scanning into cloud pipelines.
  
  
  • Implementation of EO 14028 (ZTA) and SCRM requirements.
  
  
  
  

• Architect and implement continuous monitoring pipelines for automated evidence collection (SIEM, XDR, scanners, cloud APIs, CI/CD).


• Develop and manage OSCAL profiles, inheritance models, and evidence data contracts.


• Integrate telemetry and evidence into AO‑grade dashboards.


• Support ATO intake, assessment workflows, and vulnerability scanning processes.


• Conduct RMF‑aligned security reviews for compliance and best practices.


• Develop security architectural patterns that expedite ATO by pre‑meeting control requirements.


• Collaborate with the Cybersecurity Authorizations & Compliance Branch to design systems supporting cATO, reduce ATO processing times, provide data‑call responses, and participate in working groups.


• Design and deploy native cloud security services across AWS, Azure, and Google Cloud.


• Lead the development of enterprise cloud security blueprints, including security in Infrastructure‑as‑Code (IaC) templates.


• Conduct proofs‑of‑value for cloud‑native, COTS, third‑party, or open‑source security tools.


• Provide security architecture input for DevSecOps strategy, including vulnerability scanning, automated assessments, and implementation of security controls.


• Conduct requirements‑gathering sessions and cATO current‑state assessments.


• Recommend security requirements, architectural direction, and support testing for enterprise initiatives such as: cATO, automated assessments, ZTA, SASE, CASB, SWG, TIC 3.0, ICAM, CMDB, etc.


• Collaborate with operational teams to improve cloud security monitoring, including ingestion and analysis of API, application, database, and flow logs into SIEM platforms.


• Support development of cloud event analysis and alert tuning to increase detection fidelity.


• Identify vulnerabilities across the SDLC and help contain, minimize, and remediate associated risks.


• Provide system engineering and architectural design support, including:
  
  
  
  • Studies and analyses of operational changes; End‑to‑end architecture trade‑off assessments
  
  
  • Development of strategic and tactical plans; Evaluation of new program requirements
  
  
  • Research and assessment of new technologies for operational enhancement
  
  
  
  

• Conduct architectural risk assessments, threat modeling, and secure design reviews.


• Support backlog refinement, sprint planning, capacity planning, and retrospectives.


• Ensure teams deliver high‑value increments meeting the Definition of Done.


• Facilitate stakeholder collaboration as needed.

REQUIREMENTS

• High level of attention to detail, needs minimal guidance, effective verbal, and written communications.


• Adept at both the strategic and operational/technical level.


• Able to adapt to new and changing requirements / priorities and manage work accordingly.


• At least 5 years (preferred 10 years) of network, systems, applications experience, in areas such as:
  
  
  
  • LAN/WAN, WAF/CDN/DDOS, Network Firewalls, IDS/IPS, Virtualization, hypervisor security, container security, Application development, serverless security, microservices, CICD.
  
  
  
  


• At least 5 years of designing and/or implementing security in Cloud environments (AWS and Azure; GCP is also preferred but not required). Operational experience with the following is preferred.
  
  
  
  • Multi-Cloud, Hybrid Cloud, IaaS, PaaS, SaaS, shared responsibility model.
  
  
  • AWS Security Hub, Audit Manager, Config., Guard Duty, CloudTrail, CloudWatch, Lambda.
  
  
  • Azure E3/E5, AD, Blob, Azure Security Center, Key Vault, SSE, Monitor, Log Analytics, Policy.
  
  
  
  


• Experience with DevSecOps strategy and implementation and designing architecture in accordance to RMF, CSF, FISMA, and Fedramp.


• Knowledge of ZTA and SASE Framework, ICAM (OKTA), CWPP, SOC Operations, Vulnerability Threat Management, and Compliance.

EDUCATION

Candidate must have a Bachelor of Science (or higher) in one of the following:

• Engineering, Computer Science, Information Technology (IT), Cybersecurity, or a similar technical field.

CERTIFICATIONS

The candidate must have a: Certified Information Systems Security Professional (CISSP), and

At least one of the following, or equivalent:

• Certified Cloud Security Professional (CCSP), AWS Certified Solutions Architect Associate, AWS Certified Security Specialist, Microsoft Azure Solutions Architect,Google Professional Cloud Architect.

CLEARANCE

• Minimum Background Investigation

LOCATION

• Hybrid - Primary location is Alexandria, VA. Remote work is authorized.
  
  
  
  • Occasional travel to the primary location may be required.