Job Description
ECS DevLabs is seeking a Cloud Security & Compliance Engineer to own the design, implementation, and continuous assessment of security controls across our AWS commercial environment, with a forward path into AWS GovCloud. This is a hands-on engineering role — the person writing the Terraform that implements a control is the same person writing the narrative that documents it, and the evidence that proves it.
Our commercial AWS environment supports internal ECS DevLabs workloads and does not require formal CMMC certification today. However, we hold ourselves to a high standard: we aim to be aligned with NIST SP 800-53, NIST SP 800-171, AWS CIS Benchmarks, and CMMC practices — treating these frameworks as engineering best practices regardless of mandate. When the organization stands up an AWS GovCloud account to support external government customers, that environment will have a formal CMMC compliance requirement, and this role will lead that effort.
Alongside compliance engineering, you will own day-to-day security operations — vulnerability management, incident response, and security monitoring — and serve as the security partner for internal ECS engineering teams running workloads across EC2, containers, Kubernetes, and other deployment mechanisms in our environment.
About Our Internal Tooling
ECS DevLabs develops and operates CloudForge, an internally built cost, operations, and security platform that aggregates data across our AWS accounts and Kubernetes clusters. CloudForge's Govern module consolidates Security Hub, GuardDuty, container vulnerabilities, encryption posture, network security, and compliance framework mapping into a single dashboard. You will rely on CloudForge daily for monitoring and evidence collection, and you will help shape its roadmap as a primary power user.
No prior CloudForge experience is expected — we will onboard you to the platform. What matters is that you know what good security telemetry looks like and can push us to make CloudForge better.
Why This Role Exists
Most compliance programs fail at the handoff between policy authors and infrastructure engineers. We're eliminating that handoff by hiring one person who can do both. If you enjoy translating a control requirement directly into Terraform, validating it in AWS Security Hub, working with the team that owns the affected workload to remediate, and writing the narrative that ties it all together — this role is built for you.
Primary Responsibilities
Compliance Engineering (primary workstream)
Commercial AWS Environment (ECS DevLabs):
- Implement and continuously improve security controls aligned to NIST SP 800-53, AWS CIS Benchmarks, and CMMC Level 1 and Level 2 practices as engineering best practices
- Build control implementations in Terraform and infrastructure-as-code — encryption defaults, centralized logging, access controls, network segmentation, audit baselines
- Track compliance posture against these frameworks using CloudForge Govern and AWS Security Hub compliance standards
- Maintain internal control documentation so the organization understands what is implemented, what is in progress, and what is an accepted gap
- Conduct periodic internal assessments and drive remediation of identified gaps
- Continuously raise the security baseline so that a formal compliance effort is a documentation exercise, not a re-engineering effort
AWS GovCloud Environment (when established):
- Lead formal CMMC compliance implementation for the GovCloud account supporting external government customers
- Author and maintain the System Security Plan (SSP) covering applicable NIST SP 800-171 practices
- Implement the full set of CMMC Level 2 controls (110 practices) in Terraform
- Maintain the Plan of Action & Milestones (POA&M) for open gaps
- Conduct quarterly internal self-assessments against NIST SP 800-171
- Prepare evidence artifacts for C3PAO third-party assessment — configuration exports, policy documentation, audit logs, and narrative responses
- Partner with the Platform Engineering Lead on GovCloud account architecture — isolated VPC, EKS, RDS, and IAM boundaries
- Implement and validate Controlled Unclassified Information (CUI) boundary protections
- Configure FIPS 140-2 validated encryption for all GovCloud resources handling CUI
- Define and enforce access control policies for CUI-handling systems — least privilege, universal MFA, session management
- Maintain an incident response plan aligned to the CMMC IR domain
Workload Security Partnership (cross-team work)
ECS DevLabs hosts internal engineering teams running a wide variety of workloads — EC2 virtual machines, containerized services on EKS, serverless functions, managed databases, and other deployment patterns. When vulnerabilities or misconfigurations are identified in those workloads, you are the engineer who partners with the responsible team to get them fixed.
- Serve as the primary security point of contact for internal ECS engineering teams operating workloads in our environment
- Triage vulnerabilities across EC2 instances, AMIs, container images, Kubernetes workloads, Lambda functions, and managed services — then work directly with the owning team on remediation
- Translate findings from AWS Inspector, Trivy, GuardDuty, and SonarQube into actionable guidance that non-security engineers can execute
- Advise teams on secure deployment patterns — hardened AMIs, image baselines, IAM policy design, network segmentation, secrets handling
- Review proposed architectures and pre-production deployments for security concerns, and help teams land changes without blocking delivery
- Drive accountability for remediation timelines while recognizing operational realities and negotiating risk-based extensions where appropriate
- Build and maintain internal security guidance — secure-by-default patterns, hardening checklists, and "golden path" templates teams can adopt
Security Monitoring & Incident Response
- Monitor CloudForge Govern dashboards daily — Security Hub, GuardDuty, Container Security, Encryption Compliance, Network Security
- Triage and respond to GuardDuty threat findings
- Manage Security Hub finding workflow — suppress, remediate, or formally accept risk with documentation
- Lead investigation and response for security incidents; coordinate with the ECS SOC, internal engineering teams, and external stakeholders as needed
- Partner with Site Reliability Engineering on incident remediation and post-incident reviews
Vulnerability Management
- Review AWS Inspector findings for EC2 instances, Lambda functions, and container images in ECR
- Review Trivy container scan results from CI/CD pipelines and prioritize remediation by exploitability and exposure
- Curate the .trivyignore baseline with documented justifications; re-evaluate quarterly
- Approve and monitor automated vulnerability remediation merge requests generated by CloudForge's remediation engine
- Maintain SBOM inventory for supply chain risk visibility
- Review SonarQube security hotspots and vulnerability findings
- Coordinate patch cycles for operating system packages, AMIs, container base images, and application dependencies
- Track remediation across EC2, container, and serverless workloads with appropriate SLAs by severity
Governance & Access Control
- Maintain awareness of additional frameworks that may apply — FedRAMP, SOC 2, DoD Cloud Computing SRG
- Conduct periodic access reviews across Entra ID, GitLab, and AWS IAM
- Review and approve IAM policy changes that grant elevated or cross-account privileges
- Audit CloudTrail logs for suspicious activity patterns
- Monitor encryption compliance across EBS, RDS, and S3; drive remediation of gaps
- Review WAF rules, Shield Advanced protections, and Firewall Manager policies
- Track tagging compliance and enforce organizational tagging standards
- Prepare evidence packages for customer security questionnaires and partner audits
Tools & Artifacts You Will Own
- Control implementations in Terraform across commercial AWS (and GovCloud, when established)
- Internal compliance documentation mapped to NIST SP 800-53, CIS Benchmarks, and CMMC practices
- AWS Security Hub finding management and compliance dashboards
- Vulnerability remediation workflow across EC2, container, and serverless workloads — AWS Inspector, Trivy, SonarQube, and CloudForge Govern
- Internal security guidance and secure-by-default patterns for engineering teams
- Incident response procedures and runbooks
- Access review processes and evidence collection pipeline
- Encryption, audit logging, and network segmentation baselines
- (Future) System Security Plan (SSP), POA&M, and C3PAO evidence packages for GovCloud
Work Environment
- Fully remote with quarterly on-site collaboration at the Fairfax, VA headquarters
- Hands-on engineering culture — controls are written in code, reviewed in merge requests, and validated with automated tooling
- Close collaboration with Platform Engineering, SRE, the ECS SOC, and internal engineering teams operating workloads in our environment
- High-trust, low-ceremony environment; engineers own their work end-to-end
What Success Looks Like
First 90 days
- Onboard to CloudForge Govern, AWS Security Hub, and the internal engineering team landscape
- Assess current commercial AWS posture against NIST SP 800-53, CIS Benchmarks, and CMMC practices; deliver a prioritized gap list
- Establish working relationships with internal engineering teams and build a shared vulnerability remediation cadence
- Identify the top 10 control improvements achievable through Terraform changes and begin implementation
First 6 months
- Commercial AWS environment measurably aligned to CIS Benchmark Level 1 and core CMMC Level 1 practices
- Vulnerability remediation SLAs agreed with internal teams and consistently met
- First wave of NIST 800-53 control improvements implemented and documented
- Internal security guidance published — secure-by-default patterns for EC2, container, and serverless workloads
First 12 months
- Commercial AWS environment demonstrably aligned to CMMC Level 2 practices as engineering best practice (without formal certification)
- GovCloud compliance program underway (if the environment has been stood up), with SSP in draft and initial controls implemented
- Internal compliance posture reportable to customers and partners on demand
- Measurable reduction in mean-time-to-remediate across EC2 and container vulnerabilities