Security Operations Center Lead SME

Job Description

Everforth ECS is seeking a Product Manager SME to work in the National Capital Region covering the Pentagon, Falls Church, and Fairfax . Please Note: This position is contingent upon contract award.

The War Data Platform (WDP) is a key initiative within the U.S. Department of War's (DoW) AI-First strategy introduced in early 2026. The WDP focuses on operational warfighting data and aims to accelerate the deployment of artificial intelligence (AI) on the battlefield. The WDP extends to Unclassified, Secret, and Top Secret environments, and supports collaboration between Combatant Commands, Joint Staff directorates, Senior Executive Service leaders, and operational analysts.

The Security Operations Center Lead SME is the senior cybersecurity operations authority within the WDP Core Integration program, responsible for directing continuous monitoring, threat detection, and incident response activities across NIPRNet, SIPRNet, and JWICS environments in support of DoW mission systems. This role leads the WDP SOC function in alignment with ECS's enterprise cybersecurity strategy-which encompasses RMF compliance, vulnerability management, SOC monitoring, supply chain risk management, and defensive cyber operations across the full WDP security enclave portfolio-and serves as the primary escalation authority for all cybersecurity incidents impacting mission availability and information assurance.
Directs daily security operations supporting Department of War mission systems across unclassified and classified networks.
Leads continuous monitoring activities through centralized Security Operations Center workflows, serving as primary escalation authority for cybersecurity incidents impacting mission availability and information assurance.
Oversees SOC analysts conducting alert triage, threat investigation, and incident response using SIEM platforms, endpoint detection tools, network sensors, and threat intelligence feeds.
Tunes and optimizes SIEM correlation rules, detection logic, and analytic use cases to improve signal fidelity and reduce false positives while maintaining coverage against advanced persistent threats.
Coordinates incident response activities with incident handlers, ISSOs, system administrators, and network defenders to contain, eradicate, and recover from malicious activity.
Maintains incident documentation, timelines, and evidence supporting continuous monitoring, RMF reporting, and cybersecurity Body-of-Evidence requirements.
Develops operational procedures, analyst workflows, and shift handover practices to sustain round-the-clock monitoring effectiveness.
Produces SOC performance metrics, incident trend analysis, and executive summaries for cybersecurity leadership and Authorizing Officials using ServiceNow, SharePoint, and reporting dashboards.
Supports training, mentoring, and quality oversight of SOC personnel to maintain investigative rigor and operational consistency.
Delivers improved threat detection, reduced response times, and mission resilience while reinforcing program values of vigilance, accountability, operational readiness, and disciplined cyber defense.
Performs other duties as assigned.

Required Skills

Current Secret security clearance with the ability to obtain and maintain a Top Secret (TS) security clearance.
12 or more years of progressively responsible experience in cybersecurity operations, SOC leadership, or a closely related field, with demonstrated expert-level proficiency directing continuous monitoring and incident response operations across enterprise or multi-enclave DoW environments.
DoW 8140/8570 IAM Level I baseline certification, satisfied by one of the following active credentials: CompTIA Security+ CE, ISC CAP, ISC SSCP, or GIAC GSLC.
Hands-on expertise operating and administering SIEM platforms, endpoint detection and response tooling, network sensors, and threat intelligence feeds in support of 24/7 SOC operations across NIPRNet, SIPRNet, and JWICS environments, including demonstrated proficiency tuning detection logic and analytic use cases to reduce false positives and maintain advanced persistent threat coverage.
Demonstrated experience leading cybersecurity incident response operations, including containment, eradication, and recovery coordination, as well as maintaining incident documentation and evidence artifacts supporting RMF continuous monitoring, eMASS reporting, and authorization Body-of-Evidence requirements.
Strong problem-solving and decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate solution.
Highly developed interpersonal and oral/written communication skills, with the ability to effectively and professionally interact with a diverse set of stakeholders (from peers to end-users to executive management).

Desired Skills

Active Top Secret (TS) security clearance with Sensitive Compartmented Information (SCI) eligibility.
Active Certified Information Systems Security Professional (CISSP) certification, or an equivalent advanced cybersecurity credential such as GCIA, GCIH, GREM, or CISM; possession of a CISSP is specifically identified as a desired qualification for senior cybersecurity roles supporting this program.
Prior experience directing SOC operations on DoW, intelligence community, or defense programs, including familiarity with the DoW Zero Trust Reference Architecture, Cyber Security and Risk Management Compliance (CSRMC) framework, and supply chain risk management practices applicable to mission-critical platforms.
Familiarity with Security Orchestration, Automation, and Response (SOAR) platforms, automated threat hunting workflows, and cloud-native security monitoring tools such as AWS Security Hub, AWS GuardDuty, Microsoft Defender for Cloud, or Splunk Enterprise Security, applied in classified or government cloud environments.
Bachelor's or Master's degree in Cybersecurity, Information Assurance, Computer Science, or a closely related technical field.

ECS Federal LLC is an equal opportunity employer and does not discriminate or allow discrimination on the basis any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran or any other status protected by applicable federal, state, or local jurisdiction law.

Everforth ECS is the federal segment of Everforth , a $4B global organization with over 10,000 employees. Our nearly 3,500 professionals deliver advanced technology solutions in data and AI, cybersecurity, and enterprise transformation, serving defense, intelligence, and federal civilian agencies.

Our work powers mission-critical outcomes, strengthens technology partnerships, and creates meaningful opportunities for our people. We are defined by a commitment to excellence in delivery, a culture of innovation, and an environment where talent can thrive and grow.

We value:

• Attracting and developing top talent and high-performing teams
• Fostering a culture that is engaging, accountable, and mission-driven

Meet the challenge. Make a difference with Everforth ECS!