Chief Security Architect, Developer Experience

Via Logic
Henrico, VA
June 4th, 2026
"Wanted: The architect who sees that the ATO process isn't a compliance problem, it's an engineering problem, and knows how to build the solution."

Large-scale software delivery in regulated, defense-focused environments runs into the same wall everywhere you look. The compliance process was designed to create an audit trail. It wasn't designed to enforce security. SSPs capture intent. ATOs authorize environments at a point in time. And by the time the ink is dry, the system has already moved.

The developers building mission-critical software know this pattern. The security organizations know it too. The question has never been whether this model needs to change—it's whether anyone has the engineering depth and the security credibility to build something that actually replaces it. That's why this role exists.

We're building the platform that is transforming how thousands of Leidos engineers build and deliver software. At the center of that platform is a fundamental re-architecture of how compliance works: not as a gate you pass through, but as code woven into the infrastructure itself. Policy-as-code. Continuous compliance evidence. A platform ATO that programs inherit rather than pursue on their own.

The goal is a platform that the enterprise security organization looks at and says: this is the thing we've been trying to build for years. These people aren't going around us. They're handing us superpowers. You're the person who builds it. And you're the person who makes that realization inevitable.

Why This Role Matters

Security and compliance in defense-sector software delivery have long lived in a structural paradox: the processes designed to protect mission software are the same processes that slow it down. Manual authorization cycles. Point-in-time snapshots. Documentation that proves intent but not execution. Every program team re-solves the same compliance problems. Every platform that wants to help them has to run the gauntlet first.

What you'll build isn't a workaround. It's a better architecture: policy-as-code that enforces compliance at the moment of deployment, continuous evidence that gives auditors real-time proof instead of point-in-time packages, and a platform-level ATO that program teams can inherit rather than pursue. The result is a security posture that's demonstrably stronger than manual review: stricter, more consistent, and infinitely more scalable.

Leidos is one of the largest engineering organizations supporting national security, with thousands of developers building mission-critical software across hundreds of programs. What you build here will shape how that software is delivered—and whether the security guaranteeing it is a paper promise or an enforced fact. If you've spent your career knowing this was possible and waiting for an organization big enough to matter and willing enough to move, this is it.

What You'll Do

Architect the compliance engine. Design and build the policy-as-code infrastructure that sits at the heart of the platform: the enforcement points, evidence pipeline, continuous compliance dashboards, and attestation framework that make "approved to deploy" a machine-verifiable fact, not a permission you wait on. You know this toolchain—the policy engines, the evidence frameworks, the supply chain attestation standards—and you've put it to work in production.

Own the platform ATO strategy. Chart the path from where we are to a platform-level ATO that programs can inherit. Navigate RMF, NIST 800-53, NIST 800-171, NIST 800-160, and DoD IL4/IL5 requirements alongside the realities of working with internal security reviewers and external auditors (3PAOs, DCMA). You've done this before. You know which shortcuts are real and which are traps.

Be the enterprise security team's most important technical partner. Attend the meetings. Build the trust. Co-author the policies. Make the case, technically, patiently, relentlessly, that policy-as-code is more rigorous than manual reviews, not less. You can speak the language of ISSOs and ISSMs, help them see their role shifting from gatekeepers to policy authors, and make that shift feel like a promotion rather than a loss.

Build the agentic AI security model. Claude Code, Codex, MCP servers, agentic development pipelines—all of these require a new security architecture that doesn't exist yet at enterprise scale. You'll design the controls that let developers use these tools at full power while enterprise security leadership can look at the posture and say "yes, we can see what's happening, and we're comfortable with it."

Own security architecture across the developer platform. Threat model the full stack—CI/CD pipelines, developer portal, container runtimes, workstation environments, inner and outer developer loop. Design the controls. Keep the security posture visible and auditable—not as an afterthought, but as a first-class platform capability.

Lead the supply chain security effort. SBOM generation, dependency management, container image provenance, vulnerability scanning—you design the enterprise pattern, build the tooling, and make it automatic. Every artifact that comes out of our pipelines has a provenance story you can tell.

Drive ATO process re-architecture. The current ATO process needs structural change—not circumvention, but a fundamentally better model. You'll have the technical depth to speak credibly about what the current process gets right, the honesty to name what it's not designed for, and the credibility to propose something that security teams will actually embrace.

Who You Are

A builder, not a reviewer. You've designed security systems. You've implemented them. You've seen them work in production under real conditions. You don't just know what good looks like on a whiteboard—you know how to build it.

Fluent in compliance, but not captured by it. You understand RMF, NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, and DoD IL4/IL5 deeply enough to know which requirements the current manual process actually satisfies—and which ones it only claims to satisfy. You can make the argument that automated enforcement is a better answer to the underlying security requirement, not a workaround.

A translator. You can walk into a room with the CISO, explain a Kubernetes admission controller policy in terms of the RA-5 control it satisfies, get heads nodding, and leave with a commitment. You can then turn around and work shoulder-to-shoulder with a platform engineer to implement it. You move fluidly between executive conversations and implementation details.

Patient and persistent with organizational change. You know that the security and IT organizations you're working with are not obstacles. They're stakeholders with legitimate concerns who need to be brought along, not pushed aside. You've done this before. You know it takes time. And you know how to make progress anyway.

Clear-eyed about the mission. You know that the point of all of this isn't compliance for its own sake. It's software that powers national security delivered faster, more reliably, and with a security posture that can be proven—not just promised. That understanding shapes how you make decisions.

What You'll Face

A compliance process built for steady-state operations being applied to a build phase that requires a fundamentally different engagement model.

A corporate security organization that understands the problem and wants velocity—and needs a technical partner who can help turn that stated value into structural change.

Agentic AI tooling that is arriving faster than enterprise security controls can be designed for it. You'll be building the plane while flying it.

The bootstrapping paradox: you're using the manual compliance process to build the tool that automates the manual compliance process. Every week in review is a week you're not building what eliminates the need for review.

Programs that need platform ATOs now and a platform that isn't mature enough yet to grant them.

Your Technical Impact

Design and deliver the policy-as-code infrastructure that enforces compliance at deployment—making it impossible to ship non-compliant code rather than hoping it doesn't happen.

Establish continuous compliance evidence generation: every deployment auto-produces artifacts mapped to NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, and DoD SRG controls. Auditors query dashboards, not document packages.

Build the agentic AI security architecture that covers agentic development tools, MCP server governance, and AI-assisted development pipelines at enterprise scale—so security leadership sees a mature security posture, not an uncontrolled threat surface.

Architect the path to a platform-level ATO that programs can inherit—reducing what once took months or years to a matter of seconds for teams building on the platform.

Lead the software supply chain security effort: SBOM generation, image provenance, dependency management, vulnerability scanning—automated, continuous, and integrated into the developer workflow.

Be the technical voice that turns the security-team/DevEx relationship into a genuine partnership: co-authored policies, shared security posture ownership, and a security organization that sees the platform as an asset they helped build rather than a risk they were asked to accept.

Required Qualifications

Master's degree in Computer Science, Information Security, Software Engineering, or related technical field.

15+ years of experience in security architecture, DevSecOps, platform security, or related disciplines—with significant hands-on work, not just advisory roles.

Deep expertise in policy-as-code tooling: Open Policy Agent (OPA), Kyverno, Rego, Sentinel, or equivalent. You've written policies in production, not just evaluated the category.

Strong working knowledge of compliance frameworks: NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, DoD IL4/IL5/6, RMF, CMMC. You understand the controls, what satisfies them, and how to build automated evidence.

Hands-on experience with container and Kubernetes security: admission controllers, image scanning, network policies, runtime security, and hardened base images.

Experience with CI/CD pipeline security: SAST/DAST, SCA, container scanning, IaC scanning, secrets management, hardened images/libraries, and how to integrate these into developer workflows without crushing velocity.

Familiarity with software supply chain security: supply chain integrity frameworks (SLSA, in-toto), SBOM standards (CycloneDX, SPDX), signed commits, and provenance tooling.

Experience designing security for AI-assisted development environments, including agent tooling, MCP server governance, LLM-integrated development pipelines, or equivalent emerging threat surfaces (or demonstrated ability to reason credibly about novel security architectures).

Proven ability to engage effectively with security and compliance stakeholders—not just technically, but organizationally. You've worked with ISSOs/ISSMs, auditors, and compliance teams. You know how to move them.

Excellent communication skills—you can explain a Kubernetes admission webhook to a CISO and a FedRAMP control to a platform engineer, and make both conversations productive.

U.S. citizenship required; ability to obtain and maintain a security clearance.

Preferred Qualifications

Direct experience with USAF Platform One, DISA Repo One, or equivalent DoD DevSecOps programs—you've seen what continuous ATO looks like in practice.

Background working with 3PAOs, DCMA, or other external auditors in the context of FedRAMP, DoD IL authorization, or RMF.

Hands-on experience with Wiz, Prisma Cloud, Orca, or equivalent cloud security posture management platforms.

Familiarity with RegScale, Telos Xacta, or equivalent GRC tooling and how to automate evidence flows into them.

Experience building or operating an Internal Developer Portal (Backstage, Cortex, or custom) with security capabilities integrated.

CISSP, CCSP, or equivalent security certifications (valued but not required if the work speaks for itself).

All qualified applicants will receive consideration for employment without regard to sex, race, ethnicity, age, national origin, citizenship, religion, physical or mental disability, medical condition, genetic information, pregnancy, family structure, marital status, ancestry, domestic partner status, sexual orientation, gender identity or expression, veteran or military status, or any other basis prohibited by law. Leidos will also consider for employment qualified applicants with criminal histories consistent with relevant laws.