Senior Information System Security Engineer

Job Description

ECS is seeking a Senior Information System Security Engineer to work in our Washington, DC office.

An Information Systems Security Engineer (ISSE) is responsible for designing, implementing, and maintaining security measures to protect an organization's information systems and data assets from cybersecurity threats and vulnerabilities. Work closely with IT teams, management, and other stakeholders to ensure the confidentiality, integrity, and availability of sensitive information and critical infrastructure.

Salary Range: $190,000 - $200,000

General Description of Benefits

Required Skills

• Must have a current Top-Secret Clearance with the capability of Obtaining SCI / CI-Poly if needed to meet contract requirements
• Bachelor's Degree in Computer Science, Information Assurance, Information Security System Engineering, or related discipline from an accredited college or university is required
• 10+ years of IT related experience
• Expert technical knowledge in security engineering and IT systems engineering.
• Review system architecture to evaluate alignment with:
  • FISMA, Executive Orders, National Manager Memos, and FedRAMP
  • Required NIST SP 800-53 Rev. 5 or CNSSI 1253 (if NSS)
  • DISA STIGs & STGs, CIS benchmarks, OWASP Top 10, ASVS, MASVS, and vendor recommended standards
• Conduct targeted comprehensive threat and risk assessments using:
  • NIST SP 800-30, Microsoft STRIDE, DREAD, Fishbone (Ishikawa) Analysis, OCTAVE, P.A.S.T.A., MITRE ATT&CK, D3FEND, SHIELD, and ATLAS frameworks
• Apply secure design principles when recommending remediation and mitigation approaches from:
  • NIST SP 800-160 Vol. 1 & 2 (Systems Security Engineering)
  • NSA Information Assurance Technical Framework (IATF)
• Evaluate system-level, system of systems, and enterprise-level cybersecurity posture across:
  • Networks (LAN/WAN/wireless/cellular)
  • Hypervisors, Containers, orchestrators, cloud
  • Operating Systems (Windows, Linux, macOS)
  • Application logic and APIs
  • Databases (SQL/NoSQL)
  • Web servers and web logic
  • Firewalls and IPS
• Evaluate cross domain solutions for compliance with the National Cross Domain Strategy and Management Office (NCDSMO) Raise the Bar (RTB) standards
• Evaluate cryptographic implementations and ensure compliance with:
  • FIPS 140-3
  • NIST SP 800-56, 57, 131A, and related series
  • Post-quantum cryptography requirements (NIST and NSA)
• Assess Identity, Credential, and Access Management (ICAM) solutions:
  • Aligning with NIST 800-63 IAL/AAL/FAL levels
  • Support for PIV/CNSS cards, SAML, OIDC, OAuth2
• Assess secure mobile development and deployment:
  • Secure mobile applications, MDM/MAM platforms
  • Address mobile OS-specific threats (iOS, Android)
• Interpret and provide remediation or mitigation strategies based on:
  • Penetration testing results and associated PO&AMs
  • Security control assessments
  • Vulnerability and compliance scans
• Leverage programming language to review static and dynamic code analysis and provide remediation or mitigation recommendations
• Support mission assurance and security of Operational Technology (OT) systems
  • Including real-time operating systems (RTOS) and low-latency requirements
  • Building automation systems, robotics, drones, and scientific machines

Desired Skills

• Deep understanding of information security principles, concepts, and best practices.
• Ability to conduct comprehensive risk assessments, identify vulnerabilities, assess threats, and develop risk mitigation strategies.
• Proficiency in designing secure and resilient information systems architectures, including networks, applications, databases, and cloud environments.
• Researched and evaluated emerging security trends and issues to assist customers in improving the security posture of the organization.
• Understanding of cloud security concepts, architectures, and best practices, including identity and access management, data encryption, and secure configuration management in cloud environments.
• Researched web application firewall (WAF) technology limitations and advised development teams on remediation of vulnerabilities not covered by WAF security policies.
• Knowledge of encryption algorithms, cryptographic protocols, and key management principles to protect data at rest, in transit, and in use.
• Proficiency in security testing methodologies, including penetration testing, vulnerability assessment, code review, and security audits.
• Ability to develop and implement incident response plans and procedures, including detection, analysis, containment, eradication, and recovery from security incidents.
• A deep understanding of enterprise operating systems.
• Knowledge of programming languages and tools.
• Certified Information Systems Security Professional (CISSP)

#ECS1

ECS is an equal opportunity employer and does not discriminate or allow discrimination on the basis any characteristic protected by law. All qualified applicants will receive consideration for employment without regard to disability, status as a protected veteran or any other status protected by applicable federal, state, or local jurisdiction law.

ECS is a leading mid-sized provider of technology services to the United States Federal Government. We are focused on people, values and purpose. Every day, our 3800+ employees focus on providing their technical talent to support the Federal Agencies and Departments of the US Government to serve, protect and defend the American People.