• Design, build, and operate secure GCP cloud foundations and landing zones for federal and regulated environments, including organization hierarchy, policy guardrails, Assured Workloads, and Cloud Foundation Toolkit-based deployment patterns.
• Engineer and maintain secure GCP network architectures, including Shared VPC, hub-and-spoke topology, VPC Service Controls, Access Context Manager, Private Google Access, Private Service Connect, Cloud NGFW, Cloud Armor, load balancing, DNS, NAT, VPN, and Interconnect under least-exposure principles.
• Implement and administer identity, access, privileged access, and encryption controls, including least-privilege IAM, custom roles, IAM Conditions, deny policies, service-account hygiene, Workload Identity Federation, Privileged Access Manager, Access Approval, Access Transparency, BeyondCorp Enterprise, IAP, Cloud KMS, Cloud HSM, CMEK, and Cloud EKM.
• Develop and operate security monitoring, threat detection, and response capabilities using Chronicle/Google Security Operations, Security Command Center, curated detections, YARA-L, threat intelligence, SOAR playbooks, telemetry pipelines, and integration with MDR/SOC workflows.
• Build and maintain logging, audit, observability, and reliability capabilities using Cloud Audit Logs, aggregated log sinks, retention policies, BigQuery/Chronicle exports, Cloud Monitoring, Cloud Logging, dashboards, uptime checks, SLIs/SLOs, alerting, on-call operations, incident response, and blameless postmortems.
• Secure and operate cloud workloads and platforms, including Sensitive Data Protection/Cloud DLP for CUI discovery and de-identification, hardened GKE environments, Workload Identity, Shielded/Confidential nodes, network policy, GKE Policy Controller, Binary Authorization, and secure Artifact Registry image promotion.
• Automate infrastructure, security, compliance, and reliability operations using Terraform, Infrastructure Manager, Cloud Foundation Toolkit, policy-as-code, secure CI/CD pipelines, Cloud Build, Cloud Deploy, and scripting in Python, Go, or Bash to reduce manual work and operational toil.
• Translate federal security and compliance requirements into GCP configurations and audit-ready evidence, including NIST SP 800-53, NIST SP 800-171, FedRAMP, CMMC, control inheritance, customer responsibility matrices, RMF/FedRAMP authorization support, and assessor/AO documentation.
• Partner directly with customers and internal stakeholders to communicate technical requirements, operational risks, compliance expectations, and implementation status to both technical and non-technical audiences.
