Zermount Inc. is committed to ensuring that federal information systems comply with Information Assurance and cybersecurity standards.
SECURITY & RISK ENGINEER (SRE)
Location: United States
Posted: 39 days ago
Salary: 0
Seniority: Mid Level
Job Description
SECURITY & RISK ENGINEER (SRE)
Zermount, Inc
ZERMOUNT POSITION DESCRIPTION (PD)
SECURITY & RISK ENGINEER (SRE)

POSITION OVERVIEW
Zermount Inc. is seeking a System Risk Engineer (SRE) to support system risk analysis and ensure that federal information systems comply with Information Assurance and cybersecurity standards. The SRE exists to ensure organizational systems are secure, resilient, and defensible in real-world operating conditions, not simply compliant with security documentation. This role directly contributes to mission assurance by identifying, validating, and reducing cybersecurity risk through direct technical assessment, control validation, and risk-based decision support across enterprise environments.

Operating at the intersection of security engineering, risk assessment, and compliance, the SRE transforms federal mandates (e.g., NIST RMF, FISMA, EO 14028, OMB directives) into measurable security outcomes by validating the effectiveness of security controls within live systems. The role requires continuous evaluation of system posture through hands-on analysis of architectures, configurations, logs, vulnerability data, and control implementations across cloud, network, operating system, application, and database layers.

This position demands foundational technical expertise across multiple domains, enabling the SRE to assess complex enterprise environments, identify exploitable conditions, and determine whether implemented security controls effectively reduce risk. The SRE is expected to go beyond documentation review and verify findings through system-level evidence, testing, and analysis, ensuring the findings reflect actual operational risk.

The SRE is a core enabler of Zermount's Modern GRC mindset, which emphasizes:
- Continuous, real-time risk identification during compliance assessments
- Risk prioritization based on exploitability, exposure, and mission impact
- Direct integration with engineering and operations teams to drive remediation
- Elimination of "check-the-box" compliance in favor of validated security outcomes

You will be directly responsible for supporting system authorization and mission assurance by producing objective, defensible, and technically accurate findings that enable Authorizing Officials, ISSOs, and system owners to make informed risk decisions. This includes conducting security control assessments, validating Zero Trust implementation, analyzing architectural and configuration changes, and ensuring that remediation actions are both effective and sustainable to reduce risk.

DUTIES & RESPONSIBILITIES
General Duties
- Execute Security Assessments (SA), Risk Assessments (RA), and Ongoing Authorization (OA) activities by validating security controls in live environments, not solely through documentation review
- Conduct technical verification and validation of security controls across operating systems, applications, databases, cloud platforms, and network infrastructure
- Identify real-world security risks, including exploitable vulnerabilities, misconfigurations, weak trust boundaries, and control failures
- Perform continuous risk analysis using outputs from vulnerability scans, penetration testing, logging platforms, and configuration assessments
- Develop risk-based findings and POA&M matrices, prioritizing remediation based on exploitability, exposure, and mission impact
- Produce executive-quality artifacts (SARs, risk memos, ATO packages, executive briefings) with validated, evidence-backed findings
- Conduct impact analysis for Requests for Change (RFCs), identifying security implications of architectural, configuration, or system modifications
- Validate Zero Trust implementation and alignment across system architectures and capabilities
- Perform technical assessments of system architecture, data flows, and trust boundaries to identify control gaps
- Conduct compliance validation for TIC, FISMA, and federal cybersecurity mandates through technical inspection and testing
- Ensure all deliverables meet accuracy standards with zero rework required and are aligned to program and client expectations
- Provide weekly status reporting and briefings with clear articulation of risks, risk mitigation progress, and technical findings

SUBJECT MATTER EXPERTISE (SME)
SME Area #1 – Primary Expertise: Security Assessment & Technical Risk Validation
Expert-level means:
- Deep knowledge of:
  - NIST RMF (800-37, 800-53, etc.)
  - FISMA, EO 14028, OMB M-21-31 / M-22-09
  - FIPS 199/200
  - TIC, Zero Trust principles (CISA ZT MM, NIST 800-207, etc.)
- Ability to independently conduct:
  - Security Control Assessments (SCA)
  - Risk Assessments (RA)
  - ATO/OA activities
- Capability to validate controls using:
  - System configurations
  - Logs and telemetry
  - Vulnerability scanning outputs
  - Conducting system interviews and demos
- Ability to identify real-world attack vectors and control failures, and develop actionable remediation actions that the system teams can use to successfully remediate findings

Required Tools Experience:
- Vulnerability scanning tools such as: Tenable, Qualys, CrowdStrike, etc.
- Log analysis platforms such as: Splunk, Microsoft Sentinel, IBM QRadar, etc.
- Configuration and system inspection tools such as: Ansible, Terraform, Puppet, etc.
- GRC platforms such as: Archer, ServiceNow, etc.

SME Area #2 – Secondary Expertise: Multi-Domain Technical Depth
You must have deep knowledge of one or more of the following technical domains and must demonstrate the ability to leverage this experience to inform and complete compliance-related tasks.

Technical Domains
- Cloud: AWS/Azure (IAM, logging, network security, misconfigurations)
- Network: Segmentation, firewalls, boundary protections, Zero Trust enforcement points
- Systems: Windows/Linux hardening, identity systems (AD, MFA)
- Databases/Data: Access control, encryption, auditing

QUALIFICATIONS
Minimum Requirements
- 7+ years of cybersecurity experience supporting U.S. Government systems
- 4+ years performing RMF, ISSO, Assessment, or GRC functions with direct technical validation responsibilities
- Demonstrated hands-on experience in at least two technical domains (cloud, network, systems, or databases)
- Proven ability to analyze:
  - System configurations, ATOs, and other supporting security documentation
  - Logs/telemetry
  - Architecture documentation and data flow diagrams
- Proven ability to conduct technical assessments across multiple domains

Preferred Qualifications
- Experience with Zero Trust assessments and implementation validation
- Experience with CDM, ISCM, and enterprise logging programs
- Experience supporting DHS/FISMA environments
- Familiarity with threat-informed defense and attack vector analysis

Competency
- Advanced technical risk analysis and prioritization
- Independent problem-solving in ambiguous environments
- Strong collaboration with system teams and federal leads
- Ability to translate complex technical findings into actionable recommendations
- Clear communication with both engineers and leadership

Education & Certifications
- Bachelor of Science (B.S.) in Computer Science, IT, Cybersecurity, or a related field, and a minimum of 7 years of IT cybersecurity experience, including direct support for the US Government and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role.
- Without a B.S. in a relevant field: a minimum of 13 years of IT Cybersecurity experience, including direct support for the US Government, and 4 years acting as an ISSO, Assessor, Compliance, RMF, or GRC with a technical validation role.
- At least one of the following security certifications is required:
  - Certified Authorization Professional (CAP)
  - Certified Information Security Auditor (CISA)
  - Certified Information Security Manager (CISM)
  - Certified Information Systems Security Professional (CISSP), or Certified Chief Information Security Officer (CCISO)
  - Governance Risk & Compliance Certification (CGRC)
  - Or alternatively approved certifications

Clearance Level
Minimum of active Secret Clearance and ability to obtain and maintain DHS suitability

WORK LOCATION
- The position is primarily remote – Continental U.S. only
- Primary location when on site: Arlington, VA, and Springfield, VA
- Must be willing to travel, not to exceed 10% of the time

HOURS OF OPERATION
- 8:00 am EST – 4:30 pm EST
- Times may fluctuate based on client and business requirements

REPORTING STRUCTURE
- Reports To: Security Risk Engineering Team Lead
- Direct Reports: N/A
More Security Engineer Jobs
Sales Security Engineer – Public Sector
Tenable: Cloud Security | Operational Technology | Identity Security | and more
• Deliver Technical Demonstrations: Present technical demonstrations of Tenable’s platform products
• Support Evaluations: Assist with enterprise software trials and evaluations
• Solve Real Problems: Help customers address their business needs with security insights
• Engage and Educate: Answer technical questions and provide insights
• Support Sales Efforts: Collaborate with sales representatives to achieve or exceed revenue targets
• Build Relationships: Foster strong relationships with customers, partners, and peers
• Shape the Future: Collaborate on projects to shape the direction of Tenable and its portfolio
Security Solutions Principal - Cryptography, Key Management & Post-Quantum Readiness
World Wide Technology Healthcare Solutions
Founded in 1990, World Wide Technology (WWT) is a global systems integrator with $13.4 billion in annual revenue that provides digital strategy, innovative technology and supply chain solutions to large public and private organizations.

Role Description
We are seeking a highly experienced Principal Consultant specializing in enterprise cryptography, key management, and post-quantum readiness to lead strategic client engagements focused on cryptographic risk, encryption modernization, key lifecycle management, and quantum-resilient architecture. This role serves as a senior advisor to CISOs, architecture leaders, and risk executives, helping organizations design and execute comprehensive cryptographic programs that address current operational and regulatory requirements while building resilience against emerging quantum threats. The ideal candidate blends deep cryptographic expertise across key management, PKI, encryption operations, and post-quantum cryptography with consulting leadership and business acumen to translate complex cryptographic challenges into actionable, risk-based strategies.

Qualifications
- 10+ years in cybersecurity with deep focus on cryptography and encryption
- Demonstrated expertise in:
  - Enterprise key management lifecycle design and operations
  - HSM architecture, deployment, and FIPS validation requirements
  - PKI architecture, certificate lifecycle management, and trust models
  - Cryptographic protocols and algorithms (symmetric, asymmetric, hashing, digital signatures)
  - Encryption architectures across data states (at-rest, in-transit, in-use) in cloud and hybrid environments
- Strong understanding of Post-Quantum Cryptography concepts and enterprise migration challenges
- Experience advising large enterprises and regulated industries
- Exceptional communication and client-facing skills

Requirements
- Experience with PQC algorithm evaluation, testing, and hybrid cryptographic implementations
- Familiarity with NIST PQC standardization outcomes and CNSA 2.0 migration timelines
- Knowledge of crypto-agility frameworks
- Experience with cloud KMS platforms (AWS KMS, Azure Key Vault, GCP Cloud KMS) and cloud HSM services
- Hands-on experience with secrets management platforms (HashiCorp Vault, CyberArk Conjur, cloud-native secrets managers)
- Familiarity with HSM vendor platforms (Thales Luna, Entrust nShield, Utimaco) and their PQC firmware roadmaps
- Relevant certifications (e.g., CISSP, CCSP, GSEC, or cryptography-focused credentials)
- Master’s or PhD in cryptography, computer science, or related field

Benefits
- Health and Wellbeing: Health, Dental, and Vision Care, Onsite Health Centers, Employee Assistance Program, Wellness program
- Financial Benefits: Competitive pay, Profit Sharing, 401k Plan with Company Matching, Life and Disability Insurance, Tuition Reimbursement
- Paid Time Off: PTO and Sick Leave (starting at 20 days per year) & Holidays (10 per year), Parental Leave, Military Leave, Bereavement
- Additional Perks: Nursing Mothers Benefits, Voluntary Legal, Pet Insurance, Employee Discount Program
• Leadership: coordination, management and leadership of small teams.
• Level 2 (N2) incident management: resolution of technical incidents not covered by existing procedures, with the capacity for independent analysis.
• Technical analysis: SQL queries, log review, root cause identification.
• Collaboration with Level 1 (N1): efficient escalation and continuous feedback.
• Knowledge management: documentation of solutions and emerging procedures.
Advanced Cyber Security Engineer
Honeywell
Honeywell is an award-winning Fortune 100 company that aims to make the world a more sustainable, cleaner, secure, productive, and connected place with the help

The future is what you make it. When you join Honeywell, you become a member of our global team of thinkers, innovators, dreamers and doers who make the things that make the future. That means changing the way we fly, fueling jets in an eco-friendly way, keeping buildings smart and safe and even making it possible to breathe on Mars. Working at Honeywell isn’t just about developing cool things. That’s why all of our employees enjoy access to dynamic career opportunities across different fields and industries. Are you ready to help us make the future?

As an Advanced Cyber Security Engineer here at Honeywell, you will be responsible for leading the design and implementation of cutting-edge cybersecurity solutions. You will be hands-on in fortifying defenses against emerging threats and acting as the subject matter expert for technical challenges. You will be responsible for collaborating with cross-functional teams, staying informed about emerging technologies, and fostering a culture of continuous improvement. In this role, you will impact our cyber security initiatives by protecting critical assets and information across industries, ensuring the security and resilience of businesses worldwide. As the Advanced Cyber Security Engineer at Honeywell, you will play a pivotal role, from driving technical excellence and solution innovation to leading incident response efforts and conducting digital analysis. Your work will directly impact the safety and integrity of systems that power the modern world. Join us at Honeywell, where cybersecurity meets innovation, and together, we'll build a safer and more secure future.

Honeywell helps organizations solve the world's most complex challenges in automation, the future of aviation and energy transition. As a trusted partner, we provide actionable solutions and innovation through our Aerospace Technologies, Building Automation, Energy and Sustainability Solutions, and Industrial Automation business segments – powered by our Honeywell Forge software – that help make the world smarter, safer and more sustainable.