Cloud Security & Compliance Engineer
Job Description

ECS DevLabs is seeking a Cloud Security & Compliance Engineer to own the design, implementation, and continuous assessment of security controls across our AWS commercial environment, with a forward path into AWS GovCloud. This is a hands-on engineering role: the person writing the Terraform that implements a control is the same person writing the narrative that documents it and the evidence that proves it.

Our commercial AWS environment supports internal ECS DevLabs workloads and does not require formal CMMC certification today. However, we hold ourselves to a high standard: we aim to be aligned with NIST SP 800-53, NIST SP 800-171, AWS CIS Benchmarks, and CMMC practices, treating these frameworks as engineering best practices regardless of mandate. When the organization stands up an AWS GovCloud account to support external government customers, that environment will have a formal CMMC compliance requirement, and this role will lead that effort.

Alongside compliance engineering, you will own day-to-day security operations (vulnerability management, incident response, and security monitoring) and serve as the security partner for internal ECS engineering teams running workloads across EC2, containers, Kubernetes, and other deployment mechanisms in our environment.

About Our Internal Tooling

ECS DevLabs develops and operates CloudForge, an internally built cost, operations, and security platform that aggregates data across our AWS accounts and Kubernetes clusters. CloudForge's Govern module consolidates Security Hub, GuardDuty, container vulnerabilities, encryption posture, network security, and compliance framework mapping into a single dashboard. You will rely on CloudForge daily for monitoring and evidence collection, and you will help shape its roadmap as a primary power user.

No prior CloudForge experience is expected; we will onboard you to the platform. What matters is that you know what good security telemetry looks like and can push us to make CloudForge better.

Why This Role Exists

Most compliance programs fail at the handoff between policy authors and infrastructure engineers. We're eliminating that handoff by hiring one person who can do both. If you enjoy translating a control requirement directly into Terraform, validating it in AWS Security Hub, working with the team that owns the affected workload to remediate, and writing the narrative that ties it all together, this role is built for you.

Primary Responsibilities

Compliance Engineering (primary workstream)

Commercial AWS Environment (ECS DevLabs):
- Implement and continuously improve security controls aligned to NIST SP 800-53, AWS CIS Benchmarks, and CMMC Level 1 and Level 2 practices as engineering best practices
- Build control implementations in Terraform and infrastructure-as-code: encryption defaults, centralized logging, access controls, network segmentation, audit baselines
- Track compliance posture against these frameworks using CloudForge Govern and AWS Security Hub compliance standards
- Maintain internal control documentation so the organization understands what is implemented, what is in progress, and what is an accepted gap
- Conduct periodic internal assessments and drive remediation of identified gaps
- Continuously raise the security baseline so that a formal compliance effort is a documentation exercise, not a re-engineering effort

AWS GovCloud Environment (when established):
- Lead formal CMMC compliance implementation for the GovCloud account supporting external government customers
- Author and maintain the System Security Plan (SSP) covering applicable NIST SP 800-171 practices
- Implement the full set of CMMC Level 2 controls (110 practices) in Terraform
- Maintain the Plan of Action & Milestones (POA&M) for open gaps
- Conduct quarterly internal self-assessments against NIST SP 800-171
- Prepare evidence artifacts for C3PAO third-party assessment: configuration exports, policy documentation, audit logs, and narrative responses
- Partner with the Platform Engineering Lead on GovCloud account architecture: isolated VPC, EKS, RDS, and IAM boundaries
- Implement and validate Controlled Unclassified Information (CUI) boundary protections
- Configure FIPS 140-2 validated encryption for all GovCloud resources handling CUI
- Define and enforce access control policies for CUI-handling systems: least privilege, universal MFA, session management
- Maintain an incident response plan aligned to the CMMC IR domain

Workload Security Partnership (cross-team work)

ECS DevLabs hosts internal engineering teams running a wide variety of workloads: EC2 virtual machines, containerized services on EKS, serverless functions, managed databases, and other deployment patterns. When vulnerabilities or misconfigurations are identified in those workloads, you are the engineer who partners with the responsible team to get them fixed.
- Serve as the primary security point of contact for internal ECS engineering teams operating workloads in our environment
- Triage vulnerabilities across EC2 instances, AMIs, container images, Kubernetes workloads, Lambda functions, and managed services, then work directly with the owning team on remediation
- Translate findings from AWS Inspector, Trivy, GuardDuty, and SonarQube into actionable guidance that non-security engineers can execute
- Advise teams on secure deployment patterns: hardened AMIs, image baselines, IAM policy design, network segmentation, secrets handling
- Review proposed architectures and pre-production deployments for security concerns, and help teams land changes without blocking delivery
- Drive accountability for remediation timelines while recognizing operational realities and negotiating risk-based extensions where appropriate
- Build and maintain internal security guidance: secure-by-default patterns, hardening checklists, and "golden path" templates teams can adopt

Security Monitoring & Incident Response
- Monitor CloudForge Govern dashboards daily: Security Hub, GuardDuty, Container Security, Encryption Compliance, Network Security
- Triage and respond to GuardDuty threat findings
- Manage Security Hub finding workflow: suppress, remediate, or formally accept risk with documentation
- Lead investigation and response for security incidents; coordinate with the ECS SOC, internal engineering teams, and external stakeholders as needed
- Partner with Site Reliability Engineering on incident remediation and post-incident reviews

Vulnerability Management
- Review AWS Inspector findings for EC2 instances, Lambda functions, and container images in ECR
- Review Trivy container scan results from CI/CD pipelines and prioritize remediation by exploitability and exposure
- Curate the .trivyignore baseline with documented justifications; re-evaluate quarterly
- Approve and monitor automated vulnerability remediation merge requests generated by CloudForge's remediation engine
- Maintain SBOM inventory for supply chain risk visibility
- Review SonarQube security hotspots and vulnerability findings
- Coordinate patch cycles for operating system packages, AMIs, container base images, and application dependencies
- Track remediation across EC2, container, and serverless workloads with appropriate SLAs by severity

Governance & Access Control
- Maintain awareness of additional frameworks that may apply: FedRAMP, SOC 2, DoD Cloud Computing SRG
- Conduct periodic access reviews across Entra ID, GitLab, and AWS IAM
- Review and approve IAM policy changes that grant elevated or cross-account privileges
- Audit CloudTrail logs for suspicious activity patterns
- Monitor encryption compliance across EBS, RDS, and S3; drive remediation of gaps
- Review WAF rules, Shield Advanced protections, and Firewall Manager policies
- Track tagging compliance and enforce organizational tagging standards
- Prepare evidence packages for customer security questionnaires and partner audits

Tools & Artifacts You Will Own
- Control implementations in Terraform across commercial AWS (and GovCloud, when established)
- Internal compliance documentation mapped to NIST SP 800-53, CIS Benchmarks, and CMMC practices
- AWS Security Hub finding management and compliance dashboards
- Vulnerability remediation workflow across EC2, container, and serverless workloads: AWS Inspector, Trivy, SonarQube, and CloudForge Govern
- Internal security guidance and secure-by-default patterns for engineering teams
- Incident response procedures and runbooks
- Access review processes and evidence collection pipeline
- Encryption, audit logging, and network segmentation baselines
- (Future) System Security Plan (SSP), POA&M, and C3PAO evidence packages for GovCloud

Work Environment
- Fully remote with quarterly on-site collaboration at the Fairfax, VA headquarters
- Hands-on engineering culture: controls are written in code, reviewed in merge requests, and validated with automated tooling
- Close collaboration with Platform Engineering, SRE, the ECS SOC, and internal engineering teams operating workloads in our environment
- High-trust, low-ceremony environment; engineers own their work end-to-end

What Success Looks Like

First 90 days
- Onboard to CloudForge Govern, AWS Security Hub, and the internal engineering team landscape
- Assess current commercial AWS posture against NIST SP 800-53, CIS Benchmarks, and CMMC practices; deliver a prioritized gap list
- Establish working relationships with internal engineering teams and build a shared vulnerability remediation cadence
- Identify the top 10 control improvements achievable through Terraform changes and begin implementation

First 6 months
- Commercial AWS environment measurably aligned to CIS Benchmark Level 1 and core CMMC Level 1 practices
- Vulnerability remediation SLAs agreed with internal teams and consistently met
- First wave of NIST 800-53 control improvements implemented and documented
- Internal security guidance published: secure-by-default patterns for EC2, container, and serverless workloads

First 12 months
- Commercial AWS environment demonstrably aligned to CMMC Level 2 practices as engineering best practice (without formal certification)
- GovCloud compliance program underway (if the environment has been stood up), with SSP in draft and initial controls implemented
- Internal compliance posture reportable to customers and partners on demand
- Measurable reduction in mean-time-to-remediate across EC2 and container vulnerabilities

Required Skills
- U.S. Citizenship required (to support future GovCloud and CUI handling)
- 5+ years in information security, compliance engineering, or security architecture
- Hands-on Terraform and infrastructure-as-code proficiency: able to implement security controls as code, not just document them
- Deep expertise in AWS security services: Security Hub, GuardDuty, Inspector, IAM, WAF, CloudTrail, AWS Config, KMS
- Working knowledge of at least one major compliance framework (NIST SP 800-53, NIST SP 800-171, CMMC, AWS CIS Benchmarks, FedRAMP, or SOC 2) and a demonstrated ability to translate control language into technical configurations
- Vulnerability management across mixed workload types: experience remediating findings in EC2, containers, Kubernetes, and serverless environments
- Container security fundamentals: image scanning, SBOM, supply chain risk
- Identity and access management: least privilege, MFA, conditional access
- Incident response planning and execution experience
- Strong cross-team collaboration skills: ability to partner with engineering teams on remediation without being seen as a blocker
- Strong technical writing skills: control narratives, evidence packages, and remediation guidance must be clear and auditable

Desired Skills
- Direct experience with NIST SP 800-171 and/or CMMC Level 2: SSP authoring, control implementation, or assessment preparation
- AWS GovCloud experience (or strong AWS commercial expertise with demonstrated ability to learn GovCloud differences)
- Familiarity with the C3PAO assessment process and expectations
- Prior experience leading an organization through an initial CMMC Level 2 certification
- Knowledge of FedRAMP Moderate or High authorization boundaries
- Experience with AWS Control Tower, Organizations, and Service Control Policies
- FIPS 140-2 validated encryption implementation experience
- Scripting proficiency (Python, Bash, or Go) for automating evidence collection and control validation
- Familiarity with GitOps workflows (Flux or ArgoCD) and SOPS-encrypted secrets management
- Understanding of CUI handling requirements and data boundary protections
- Experience building AMI hardening pipelines (Packer, EC2 Image Builder) or container base image programs

ECS FEDERAL LLC is an equal opportunity employer and does not discriminate or allow discrimination on the basis of any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran or any other status protected by applicable federal, state, or local jurisdiction law.

Everforth ECS is the federal segment of Everforth, a $4B global organization with over 10,000 employees. Our nearly 3,500 professionals deliver advanced technology solutions in data and AI, cybersecurity, and enterprise transformation, serving defense, intelligence, and federal civilian agencies.

Our work powers mission-critical outcomes, strengthens technology partnerships, and creates meaningful opportunities for our people. We are defined by a commitment to excellence in delivery, a culture of innovation, and an environment where talent can thrive and grow.

We value:
- Attracting and developing top talent and high-performing teams
- Fostering a culture that is engaging, accountable, and mission-driven

Meet the challenge. Make a difference with Everforth ECS!