Role Description CORMAC is seeking a Security Compliance Engineer. The duties of this role involve security analysis, framework governance, and hands-on development work. Both technical and governance responsibilities are handled by the Security Compliance Developer in this pivotal role for safeguarding complex federal healthcare systems: - Handles code development work to implement secure coding solutions. - Maintains a strong security posture across applications in robust cloud environments. - Works with stakeholders to develop & maintain a cybersecurity governance framework and organizational security policies. Responsibilities: - Review applications and services for security issues, then directly implement changes to code to remediate security issues as well as proactively implement security controls. - Work closely with the Product Owners, ISSOs, engineering and infrastructure staff to provide guidance on implementation of security policies, standards, and procedures. - Create design documentation following federal security and compliance frameworks, including HIPAA, NIST, etc. - Analyze and interpret agency security requirements and ensure compliance with standards. - Collaborate with agency representatives to implement security initiatives through direct code development work. - Conduct and subsequently handle code-based remediation for vulnerability assessments. - Monitor networks, databases, and Web-based assets for potential system breaches. - Respond to alerts from information security tools. Report, investigate, and resolve higher level security incidents. - Iterate on security rules and alerting capabilities. - Create and maintain security tool dashboards and reporting. - Educate and communicate security requirements and teach safe coding practices to organization users with hands-on lessons, focusing on continuous improvement of security standards and maintenance of internal security. - Provide vulnerability & compliance reviews and present any findings to government stakeholders, followed by direct remediation work as a developer. Qualifications - Bachelor's degree in Cybersecurity, Computer Science, Information Technology, or similar field. - Must be a U.S. Citizen. - Must be able to obtain a Public Trust (Tier I) Clearance. - Minimum of 5+ years of progressive experience in information security, cybersecurity engineering, or system security roles, with demonstrated technical depth and increasing responsibility. - Ability to maintain cybersecurity framework compliance from a governance perspective while handling direct coding work through hands-on development and remediation for security issues or security control implementation. - Experience in coding, with the ability to directly handle updating code in a development role. - Hands-on coding, scripting, or automation experience using Python, JavaScript, and Bash to improve security operations, remediate security issues, or perform compliance validation. - Proven experience owning and maintaining an Authorization to Operate (ATO), including authoring, updating, and defending security artifacts such as System Security Plans (SSPs), Incident Response Plans, contingency plans, and related documentation. - Demonstrated hands-on experience managing vulnerability and compliance scanning programs remediation using tools such as Tenable, AWS Security Hub, and Snyk. - Ability to assess security findings through reviewing code, determine risk severity, prioritize remediation, and drive closure through directly updating code. - Strong hands-on experience securing cloud-based environments, with a focus on AWS (IAM, GuardDuty, CloudTrail, Security Hub) and SaaS platforms. - Experience with least-privilege enforcement across cloud, application, and CI/CD environments. - Strong written and verbal communication skills, with the ability to clearly articulate security risks, requirements, and remediation strategies to technical teams, leadership, and government stakeholders. - Ability to work independently and as part of a cross-functional team, managing multiple priorities in a fast-paced, highly regulated environment. Preferred Qualifications - Master’s of Science in Cybersecurity, Computer Science, Information Technology, or similar fields. - Experience with governance and direct engineering/development work in complying with NIST 800-53, HIPAA, ISO 20000-1 frameworks. - Federal government contracting experience supporting complex, multi-system environments, preferably within health, civilian, or defense agencies. - Advanced or senior-level industry security certifications, such as: CISSP, CISM, CRISC, or GIAC (GSEC, GCSA, GPEN). - Cloud security and architecture certifications, including: AWS Certified Security – Specialty, AWS Solutions Architect, CCSP or CCSK. - DevSecOps, automation, or platform security certifications, such as: Kubernetes Security (CKS), GitHub Advanced Security or equivalent. - Offensive or advanced technical security certifications, including: OSCP, CEH, GPEN, GWAPT, or similar. - Experience securing SaaS platforms from both a governance and direct developer level, with preference for Salesforce GovCloud, including roles, profiles, permission sets, MFA, OAuth, and third-party monitoring tools. - Experience designing or maintaining security dashboards and executive-level metrics for visibility into vulnerabilities, compliance posture, access reviews, and risk trends. - Experience facilitating incident response activities, tabletop exercises, and driving lessons learned into measurable, continuous improvement. - Demonstrated ability to mentor engineers and product teams on secure development practices, threat modeling, and evolving security risks. Location Leesburg, VA Work arrangement 100% Remote Why CORMAC? At CORMAC, we leverage the power of Data Management and Analytics to enable our customers to achieve their strategic goals. With over 20 years of experience in Health Information Technology (HIT), human-centered design principles, and Agile development methodologies, CORMAC delivers complex digital solutions to solve some of the most challenging problems facing public healthcare programs today. As a US Federal Government contractor in the public healthcare sector, our work is impactful and cutting-edge while being performed in a supportive, collaborative, and welcoming environment. We offer flexible work schedules with remote, hybrid, or fully in-person workplace options to empower our employees to decide the workplace most suitable for them. At CORMAC, we have a highly diverse workforce and believe the work environment is a place where creativity, collaboration, enthusiasm, and innovation happen, regardless of location. E-Verify Participation/EEO As an Equal Employment Opportunity employer, CORMAC provides equal employment opportunity to all employees and applicants without regard to an individual's protected status, including race/ethnicity, color, national origin, ancestry, religion, creed, age, gender, gender identity/expression, sexual orientation, marital status, parental status, including pregnancy, childbirth, or related conditions, disability, military service, veteran status, genetic information, or any other protected status.