InfoSec Systems Engineer SME

Description

Leidos is seeking a motivated candidate for the InfoSec Systems Engineer.

This role involves designing and implementing robust security architectures, managing risk through the system development life cycle, and ensuring strict compliance with U.S. government security standards (e.g., NIST SP 800-53, Intelligence Community ICD 503, and the Risk Management Framework). The ideal candidate has hands-on experience in secure system design, cloud security, cryptographic solutions, and vulnerability management, and can apply industry level security engineering practices into real-world systems. Candidates will work cross-functionally to integrate security into every aspect of system design and operations while maintaining compliance with all relevant regulations and frameworks. As a condition of employment, this position requires the candidate pass both a customer required medical and psychological screening.

• Security Architecture & Engineering: Develop, document, and maintain the security architecture for complex systems and networks, ensuring designs meet defense-in-depth principles and comply with government frameworks (NIST, RMF, ICD 503). This includes reviewing and approving system design changes to verify they align with security requirements and best practices.
• Secure Development Lifecycle (SDLC) Integration: Embed security requirements into the SDLC for all projects. Work closely with software developers, system engineers, and architects to ensure secure coding practices, security test plans, and design reviews are in place. Validate that security controls are implemented during system integration and verify new systems or updates comply with enterprise security policies before deployment.
• Cryptography: Solid understanding of cryptographic principles and experience implementing solutions such as encryption (TLS/IPSec, AES), public key infrastructure (PKI), key management, and secure protocols. Knowledge of secure hashing, digital signatures, and cryptographic standards applicable to government systems.
• Cloud Security: Design and implement security solutions for cloud and hybrid environments (e.g., AWS, Azure). Leverage cloud-native security services and ensure configurations follow FedRAMP, DoD Cloud Computing SRG, and relevant guidelines for government cloud security. Continuously assess cloud infrastructure for vulnerabilities and misconfigurations and enforce strong identity and access management and encryption in cloud services.
• Vulnerability Management: Lead the vulnerability management program by scheduling and performing regular vulnerability scanning (e.g., using Rapid 7) and configuration compliance checks (e.g., DISA STIGs). Analyze scan results to identify weaknesses, prioritize fixes, and work with system engineers and administrators to remediate findings within required timeframes. Track and document all vulnerabilities and mitigations and ensure timely patch management in accordance with organizational policies.
• Compliance & Accreditation: Ensure all systems meet government security standards and certification requirements. Oversee the Risk Management Framework (RMF) process for systems under your purview - including preparing and maintaining Assessment and Authorization (A&A) documentation such as System Security Plans (SSPs), security control traceability matrices, risk assessment reports, and Plan of Action and Milestones (POA&M). Coordinate security testing and evaluations, and work with Authorizing Officials to achieve and maintain an Authority to Operate (ATO). Continuously monitor controls and update accreditation packages in line with ICD 503 and NIST RMF guidelines.
• Continuous Monitoring & Incident Response: Implement continuous monitoring strategies (using SIEM tools, audit log reviews, automated scripts, etc.) to track the security posture of systems in real time. Investigate security alerts and anomalies, and participate in incident response activities by analyzing incidents, containing threats, and recovering services. Work with cyber incident response teams (both internal and external as needed) to perform root cause analysis and update security measures to prevent future incidents. Develop and maintain incident response plans and recovery procedures as part of secure operations.
• Collaboration & Security Guidance: Serve as the security subject matter expert (SME) on multi-disciplinary engineering teams. Provide expert security guidance in architecture design sessions, configuration control boards, and change management meetings. Liaise with system owners, network engineers, developers, and customer Information System Security Managers (ISSM) to ensure security requirements are understood and implemented correctly. Communicate risk posture and security issues to stakeholders and leadership and recommend actionable improvements. Keep the team and overall program updated on emerging security threats and technologies, fostering a culture of security awareness and continuous improvement.

• Clearance: Active TS/SCI with polygraph required
• Master's degree in Cybersecurity, Information Assurance, or Systems Engineering with at least 15+ years of prior relevant experience OR Bachelor's and at least 18+ years of experience OR 20+ years of experience in lieu of degree.
• Active certifications including CISSP, CISSP-ISSEP or other relevant certifications like CASP+, CISM, AWS Certified Security Specialist, Microsoft Azure Security Engineer
• Broad range of knowledge into the latest tools and techniques used to secure both IPv4 & IPv6 network
• Strong oral and written communications skills
• Prior experience working on U.S. Defense or Intelligence Community programs. Familiarity with government accreditation tools and processes
• Demonstrated experience analyzing test results to develop risk/threat mitigation plans
• Demonstrated experience communicating vulnerability results and risk posture to senior executives
• Understanding of DoD and IC security policies and mandates
• Experience coordinating with Information System Security Managers (ISSM) in testing, documenting, and achieving accreditation of systems throughout the development process, and achieving operational acceptance.