
Upcoming role

This role is not yet open for application. If you would like to learn more, or if you'd like to be notified when the application is open, please sign up to join our mailing list.

cloud.gov - Security Compliance Architect

cloud.gov will soon be accepting applications for a GS-15 Security Compliance Architect. The target date for when this position will be officially open to application has not yet been determined. If you’d like to be notified when this position is open, sign up for our mailing list.

Applications will be open for submission on tbd. Check out Join TTS Hiring Process to learn more about the application process.

Location: Washington, DC; San Francisco, CA; Chicago, IL; New York, NY; Virtual (100% Remote)

Salary Range: The base salary range for this position is: GS-15 Step 1 - $106,595 to GS-15 Step 10 - $138,572

The base salary range does not include any adjustment for locality. Your locality will be determined by where you live since most of our positions are remote. If the position isn’t remote, then your locality will be determined by the location of the office where the position is based.

You can find more information about this in the compensation and benefits section on our site.

For specific details on locality pay, please visit OPM’s Salaries & Wages page or for a salary calculator OPM’s 2019 General Schedule (GS) Salary Calculator.

Please note the maximum salary available for the GS pay system is $166,500. Note: You may not be eligible for the maximum salary, as it is locality dependent. Please refer to the maximum pay for your locality.

Who May Apply: All United States citizens and nationals (residents of American Samoa and Swains Islands). Applicants must not be GSA employees or contractors.

Role Summary:

Security Compliance Architect - GS-15

cloud.gov, a product team within 18F, is looking for a security compliance architect to help us deliver better digital services to the public. You will be a builder, contributor, and a catalyst. With the support of our team of about 15 people, you will solve large complex problems while spreading user-centered, open, and secure culture. cloud.gov is an open source team, so much of what you work on will be open source. Our team is excited to tackle challenging problems to improve the lives of others. We care about respect and listening to each other.

Our vision is to help federal government teams radically reduce the time and labor of the ATO process while fulfilling security requirements and improving security. We do this by providing a modern and cloud-native Platform as a Service (hosted on Infrastructure as a Service) with a FedRAMP Joint Authorization Board Provisional ATO at the Moderate level. Our cloud.gov customer systems inherit much of their security compliance from our system. Your role is critical to this vision, and your work will include:

  • Lead maintenance of the cloud.gov P-ATO
  • Help team members and customers understand security compliance
  • Improve how cloud.gov supports and accelerates customer compliance
  • Publish open source compliance materials and explanations, for reuse and learning by teams in the public and private sectors

This is an Information Systems Security Officer role, so it’s great if you have experience as an ISSO or equivalent. You should have strong technical writing skills. You should be able to explain the security value of engineering best practices such as source control, automated testing, continuous integration and deployment, and peer review. You should have experience making recommendations to engineering and leadership team members. You do not need to write code — it’s more important to be able to write policies and procedures. The best candidates will have a background working on cross-functional, multidisciplinary teams that deliver digital products and services in an incremental, user-focused environment.

Key Objectives

Key objective #1: Lead fulfillment of FedRAMP Authorization requirements.

  • Edit and maintain our security compliance documents using FedRAMP templates and NIST standards, including our System Security Plan, Plan of Actions and Milestones (POAM), Deviation Requests, Significant Change Requests, Incident Response Plan, and Contingency Plan
  • Serve as liaison between the cloud.gov team and our Authorizing Officials (our FedRAMP Joint Authorization Board Technical Reviewers’ Representatives)
  • Serve as liaison between the cloud.gov team and our security auditor (our 3PAO - Third-Party Assessment Organization)
  • Coordinate our Annual Assessments, monthly Continuous Monitoring reports, and Significant Change Request assessments, according to FedRAMP requirements

Key objective #2: Lead high-quality and consistent security compliance within our cloud.gov team.

  • Coordinate with the cloud.gov Product Manager, engineering team members, and other team members (including the Director and Deputy Director) to explain FedRAMP requirements and to plan and prioritize team tasks to fulfill those requirements.
  • Identify internal security compliance needs and issues, and coordinate resolving those issues by working constructively with the rest of the team.
  • Collaborate with team members to interpret, implement, and document requirements in ways that prioritize secure engineering best practices, not simply checking checkboxes.
  • Contribute to our procurement process for compliance-related services and products, such as our 3PAO contracts.
  • Run cloud.gov team compliance trainings, security review meetings, incident response exercises, and other required security compliance meetings in ways that engage and educate our team.
  • Participate in team security incident response and contingency plan response processes, including as Incident Commander when needed.

Key objective #3: Teach and collaborate with customers, fellow teams, and the public.

  • Identify and contribute to ways that cloud.gov can support and accelerate customer compliance, such as new tools, templates, and training.
  • Participate in cloud.gov business development calls and customer support email threads to answer customer questions related to security compliance.
  • Serve as the cloud.gov liaison to our division’s team that handles larger infrastructure and compliance topics.
  • Participate in cross-team working groups for security and compliance, which provide informal advising and learning.
  • Publish our compliance documents as open source materials for reuse by the public, with appropriate security risk management; part of our vision is to publish most of our System Security Plan.

Key objective #4: Contribute to the culture and knowledge of the team, practicing and sharing agile methodologies throughout all stages of the project lifecycle.

  • Work within a distributed, multidisciplinary agile team by participating in constructive discussions, sharing knowledge, and demonstrating value for technical and non-technical contributions.
  • Support a safe, inclusive, respectful workplace and a positive team culture where all team members value diversity and individual differences.
  • Develop new insights into situations and question conventional approaches.
  • Provide visibility into each project’s progress, communicate blockers and challenges, and ask for help.
  • Demonstrate a strong understanding of the elements of agile methodology (scrum, kanban, and so on).
  • Support the team practices of human-centered design, user testing, feature prioritization, and DevOps.

Application Evaluation

The information in this section outlines the criteria that your application will be evaluated against to determine if you meet the Qualifications for the position. There are two very important things to note about this step in the process:

  1. Only applications found “minimally qualified” are shared with the hiring manager, and only those candidates are eligible to be interviewed.
  2. The Minimum Qualification determination can only be made using the information that’s directly within your resume and directly associated with your listed work experience. Examples of information that can’t be used:
    • Links to portfolios or other external materials (yes, the links themselves may be “directly” on the resume, but the information is not).
    • Information you include in cover letters, responses to questions, etc., as these are not directly associated with your work experience.
    • Lists of tools, technologies, programming languages, etc. that are listed separately from your work experience.

The Qualification process is a bureaucratic requirement that we are stuck with. It’s best to think about it as the most intense and rigorous resume review you’ve ever heard of. To get through this process, you need to make sure your resume directly reflects the Qualifications listed below. We also have more guidance on creating a federal style resume on Join TTS Hiring Process.

Qualifications

All applications will be reviewed by a panel of subject matter experts against a scoring rubric created for this role. To properly evaluate your previous experience, we recommend being as detailed as possible in your resume and following our general guidance on creating a federal style resume.

To qualify for this role, you must have one year of specialized experience equivalent to the GS-14 in the Federal service. Specialized experience is:

  1. Experience managing security compliance responsibilities. This experience must include ALL of the following:
    • Working with Federal Information Security Management Act (FISMA) requirements
    • Serving as a lead of a security compliance documentation process
    • Writing or editing security compliance documentation
  2. Experience working as part of a team to deliver digital products or services.
  3. Experience using agile methodologies.

Qualification determinations cannot be made when resumes do not include the required information, so failure to provide this information may result in disqualification.

For each job on your resume, provide:

  • the exact dates you held each job (from month/year to month/year or “present”)
  • number of hours per week you worked (if part time)

How To Apply

If you would like to learn more, or if you’d like to be notified when the application is open, please sign up to join our mailing list.