Job Description

ECS DevLabs is seeking a Cloud Security & Compliance Engineer to own the design, implementation, and continuous assessment of security controls across our AWS commercial environment, with a forward path into AWS GovCloud. This is a hands-on engineering role - the person writing the Terraform that implements a control is the same person writing the narrative that documents it, and the evidence that proves it.
Our commercial AWS environment supports internal ECS DevLabs workloads and does not require formal CMMC certification today. However, we hold ourselves to a high standard: we aim to be aligned with NIST SP 800-53, NIST SP 800-171, AWS CIS Benchmarks, and CMMC practices - treating these frameworks as engineering best practices regardless of mandate. When the organization stands up an AWS GovCloud account to support external government customers, that environment will have a formal CMMC compliance requirement, and this role will lead that effort.
Alongside compliance engineering, you will own day-to-day security operations - vulnerability management, incident response, and security monitoring - and serve as the security partner for internal ECS engineering teams running workloads across EC2, containers, Kubernetes, and other deployment mechanisms in our environment.
About Our Internal Tooling

ECS DevLabs develops and operates CloudForge, an internally built cost, operations, and security platform that aggregates data across our AWS accounts and Kubernetes clusters. CloudForge's Govern module consolidates Security Hub, GuardDuty, container vulnerabilities, encryption posture, network security, and compliance framework mapping into a single dashboard. You will rely on CloudForge daily for monitoring and evidence collection, and you will help shape its roadmap as a primary power user.
No prior CloudForge experience is expected - we will onboard you to the platform. What matters is that you know what good security telemetry looks like and can push us to make CloudForge better.
Why This Role Exists

Most compliance programs fail at the handoff between policy authors and infrastructure engineers. We're eliminating that handoff by hiring one person who can do both. If you enjoy translating a control requirement directly into Terraform, validating it in AWS Security Hub, working with the team that owns the affected workload to remediate, and writing the narrative that ties it all together - this role is built for you.
Primary Responsibilities

Compliance Engineering (primary workstream)

Commercial AWS Environment (ECS DevLabs):
- Implement and continuously improve security controls aligned to NIST SP 800-53, AWS CIS Benchmarks, and CMMC Level 1 and Level 2 practices as engineering best practices
- Build control implementations in Terraform and infrastructure-as-code - encryption defaults, centralized logging, access controls, network segmentation, audit baselines
- Track compliance posture against these frameworks using CloudForge Govern and AWS Security Hub compliance standards
- Maintain internal control documentation so the organization understands what is implemented, what is in progress, and what is an accepted gap
- Conduct periodic internal assessments and drive remediation of identified gaps
- Continuously raise the security baseline so that a formal compliance effort is a documentation exercise, not a re-engineering effort
AWS GovCloud Environment (when established):
- Lead formal CMMC compliance implementation for the GovCloud account supporting external government customers
- Author and maintain the System Security Plan (SSP) covering applicable NIST SP 800-171 practices
- Implement the full set of CMMC Level 2 controls (110 practices) in Terraform
- Maintain the Plan of Action & Milestones (POA&M) for open gaps
- Conduct quarterly internal self-assessments against NIST SP 800-171
- Prepare evidence artifacts for C3PAO third-party assessment - configuration exports, policy documentation, audit logs, and narrative responses
- Partner with the Platform Engineering Lead on GovCloud account architecture - isolated VPC, EKS, RDS, and IAM boundaries
- Implement and validate Controlled Unclassified Information (CUI) boundary protections
- Configure FIPS 140-2 validated encryption for all GovCloud resources handling CUI
- Define and enforce access control policies for CUI-handling systems - least privilege, universal MFA, session management
- Maintain an incident response plan aligned to the CMMC IR domain
Workload Security Partnership (cross-team work)

ECS DevLabs hosts internal engineering teams running a wide variety of workloads - EC2 virtual machines, containerized services on EKS, serverless functions, managed databases, and other deployment patterns. When vulnerabilities or misconfigurations are identified in those workloads, you are the engineer who partners with the responsible team to get them fixed.
- Serve as the primary security point of contact for internal ECS engineering teams operating workloads in our environment
- Triage vulnerabilities across EC2 instances, AMIs, container images, Kubernetes workloads, Lambda functions, and managed services - then work directly with the owning team on remediation
- Translate findings from AWS Inspector, Trivy, GuardDuty, and SonarQube into actionable guidance that non-security engineers can execute
- Advise teams on secure deployment patterns - hardened AMIs, image baselines, IAM policy design, network segmentation, secrets handling
- Review proposed architectures and pre-production deployments for security concerns, and help teams land changes without blocking delivery
- Drive accountability for remediation timelines while recognizing operational realities and negotiating risk-based extensions where appropriate
- Build and maintain internal security guidance - secure-by-default patterns, hardening checklists, and "golden path" templates teams can adopt
Security Monitoring & Incident Response
- Monitor CloudForge Govern dashboards daily - Security Hub, GuardDuty, Container Security, Encryption Compliance, Network Security
- Triage and respond to GuardDuty threat findings
- Manage Security Hub finding workflow - suppress, remediate, or formally accept risk with documentation
- Lead investigation and response for security incidents; coordinate with the ECS SOC, internal engineering teams, and external stakeholders as needed
- Partner with Site Reliability Engineering on incident remediation and post-incident reviews
Vulnerability Management
- Review AWS Inspector findings for EC2 instances, Lambda functions, and container images in ECR
- Review Trivy container scan results from CI/CD pipelines and prioritize remediation by exploitability and exposure
- Curate the .trivyignore baseline with documented justifications; re-evaluate quarterly
- Approve and monitor automated vulnerability remediation merge requests generated by CloudForge's remediation engine
- Maintain SBOM inventory for supply chain risk visibility
- Review SonarQube security hotspots and vulnerability findings
- Coordinate patch cycles for operating system packages, AMIs, container base images, and application dependencies
- Track remediation across EC2, container, and serverless workloads with appropriate SLAs by severity
Governance & Access Control
- Maintain awareness of additional frameworks that may apply - FedRAMP, SOC 2, DoD Cloud Computing SRG
- Conduct periodic access reviews across Entra ID, GitLab, and AWS IAM
- Review and approve IAM policy changes that grant elevated or cross-account privileges
- Audit CloudTrail logs for suspicious activity patterns
- Monitor encryption compliance across EBS, RDS, and S3; drive remediation of gaps
- Review WAF rules, Shield Advanced protections, and Firewall Manager policies
- Track tagging compliance and enforce organizational tagging standards
- Prepare evidence packages for customer security questionnaires and partner audits
Tools & Artifacts You Will Own
- Control implementations in Terraform across commercial AWS (and GovCloud, when established)
- Internal compliance documentation mapped to NIST SP 800-53, CIS Benchmarks, and CMMC practices
- AWS Security Hub finding management and compliance dashboards
- Vulnerability remediation workflow across EC2, container, and serverless workloads - AWS Inspector, Trivy, SonarQube, and CloudForge Govern
- Internal security guidance and secure-by-default patterns for engineering teams
- Incident response procedures and runbooks
- Access review processes and evidence collection pipeline
- Encryption, audit logging, and network segmentation baselines
- (Future) System Security Plan (SSP), POA&M, and C3PAO evidence packages for GovCloud
Work Environment
- Fully remote with quarterly on-site collaboration at the Fairfax, VA headquarters
- Hands-on engineering culture - controls are written in code, reviewed in merge requests, and validated with automated tooling
- Close collaboration with Platform Engineering, SRE, the ECS SOC, and internal engineering teams operating workloads in our environment
- High-trust, low-ceremony environment; engineers own their work end-to-end
What Success Looks Like

First 90 days
- Onboard to CloudForge Govern, AWS Security Hub, and the internal engineering team landscape
- Assess current commercial AWS posture against NIST SP 800-53, CIS Benchmarks, and CMMC practices; deliver a prioritized gap list
- Establish working relationships with internal engineering teams and build a shared vulnerability remediation cadence
- Identify the top 10 control improvements achievable through Terraform changes and begin implementation
First 6 months
- Commercial AWS environment measurably aligned to CIS Benchmark Level 1 and core CMMC Level 1 practices
- Vulnerability remediation SLAs agreed with internal teams and consistently met
- First wave of NIST 800-53 control improvements implemented and documented
- Internal security guidance published - secure-by-default patterns for EC2, container, and serverless workloads
First 12 months
- Commercial AWS environment demonstrably aligned to CMMC Level 2 practices as engineering best practice (without formal certification)
- GovCloud compliance program underway (if the environment has been stood up), with SSP in draft and initial controls implemented
- Internal compliance posture reportable to customers and partners on demand
- Measurable reduction in mean-time-to-remediate across EC2 and container vulnerabilities
Required Skills
- U.S. Citizenship required (to support future GovCloud and CUI handling)
- 5+ years in information security, compliance engineering, or security architecture
- Hands-on Terraform and infrastructure-as-code proficiency - able to implement security controls as code, not just document them
- Deep expertise in AWS security services: Security Hub, GuardDuty, Inspector, IAM, WAF, CloudTrail, AWS Config, KMS
- Working knowledge of at least one major compliance framework - NIST SP 800-53, NIST SP 800-171, CMMC, AWS CIS Benchmarks, FedRAMP, or SOC 2 - and a demonstrated ability to translate control language into technical configurations
- Vulnerability management across mixed workload types - experience remediating findings in EC2, containers, Kubernetes, and serverless environments
- Container security fundamentals - image scanning, SBOM, supply chain risk
- Identity and access management - least privilege, MFA, conditional access
- Incident response planning and execution experience
- Strong cross-team collaboration skills - ability to partner with engineering teams on remediation without being seen as a blocker
- Strong technical writing skills - control narratives, evidence packages, and remediation guidance must be clear and auditable
Desired Skills
- Direct experience with NIST SP 800-171 and/or CMMC Level 2 - SSP authoring, control implementation, or assessment preparation
- AWS GovCloud experience (or strong AWS commercial expertise with demonstrated ability to learn GovCloud differences)
- Familiarity with the C3PAO assessment process and expectations
- Prior experience leading an organization through an initial CMMC Level 2 certification
- Knowledge of FedRAMP Moderate or High authorization boundaries
- Experience with AWS Control Tower, Organizations, and Service Control Policies
- FIPS 140-2 validated encryption implementation experience
- Scripting proficiency (Python, Bash, or Go) for automating evidence collection and control validation
- Familiarity with GitOps workflows (Flux or ArgoCD) and SOPS-encrypted secrets management
- Understanding of CUI handling requirements and data boundary protections
- Experience building AMI hardening pipelines (Packer, EC2 Image Builder) or container base image programs
#EverforthECS1
ECS FEDERAL LLC is an equal opportunity employer and does not discriminate or allow discrimination on the basis of any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran, or any other status protected by applicable federal, state, or local jurisdiction law.
Everforth ECS is the federal segment of Everforth, a $4B global organization with over 10,000 employees. Our nearly 3,500 professionals deliver advanced technology solutions in data and AI, cybersecurity, and enterprise transformation, serving defense, intelligence, and federal civilian agencies.
Our work powers mission-critical outcomes, strengthens technology partnerships, and creates meaningful opportunities for our people. We are defined by a commitment to excellence in delivery, a culture of innovation, and an environment where talent can thrive and grow.
We value:
- Attracting and developing top talent and high-performing teams
- Fostering a culture that is engaging, accountable, and mission-driven
Meet the challenge. Make a difference with Everforth ECS!