Security Architect (FedRamp)

Black Duck Software, Inc. helps organizations build secure, high-quality software, minimizing risks while maximizing speed and productivity. Black Duck, a recognized pioneer in application security, provides SAST, SCA, and DAST solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Black Duck helps organizations maximize security and quality in DevSecOps and throughout the software development life cycle.

Security Architect (for FedRAMP) 

Description 

We are seeking an experienced Security Architect for FedRAMP to serve as the primary technical lead for our FedRAMP authorization and ongoing continuous monitoring (ConMon) compliance. In this role, you'll own the technical interface between our contracted GRC vendor-partner, internal engineering teams, and FedRAMP stakeholders while driving remediation activities across the organization. 

You'll hold authority to halt deployments and reject ConMon packages that do not meet FedRAMP evidence and SLA requirements. You'll coordinate technical implementation of NIST 800-53 Rev 5 security controls, ensure effectiveness and auditability, and serve as the final technical quality gate for control implementations and evidence schemas before submission. 

As the primary technical point of contact with our GRC vendor, you'll ensure seamless collaboration on monthly ConMon deliverables including vulnerability deltas, configuration scan results, updated POA&M, inventory, access reviews, and disaster recovery documentation. You'll coordinate engineering Subject Matter Experts (SME) for Third Party Assessment Organizations (3PAO) audits and control demonstrations and lead technical discussions with FedRAMP Program Management Office (PMO) and Agency Sponsors. 

Eligibility requirement: 

US-based with ability to work Eastern Standard Time core business hours. 

Key job responsibilities 

As an experienced security professional, you will: 

• Drive vulnerability remediation to meet FedRAMP SLAs: Critical/High ≤30 days, Moderate ≤90 days, Low ≤180 days, KEV ≤14 days 

• Own monthly privileged access reviews with identity removal attestations attached to Continuous Monitoring packages 

• Certify asset inventory completeness and scan coverage before each Continuous Monitoring submission 

• Review and validate technical evidence before submission to GRC vendor 

• Act as final technical quality gate for control implementations and evidence collection 

• Own FIPS 140-3 validation tracking for all cryptographic modules; maintain Appendix Q (Ports, Protocols, and Services) 

• Ensure logs meet retention requirements: 12 months searchable online, 18 months archived; provide monthly attestation 

• Plan and deliver annual penetration tests, red team exercises, DR/IR tests, and contingency exercises; track findings to POA&M closure 

• Run SBOM/VEX generation and vendor SCRM reviews aligned to NIST SP 800-161 Rev 1 

• Enforce End Of Life (EOL) software removal and trust store governance (root certificates, signing keys, Certificate Authorities [CA]) 

• Block FedRAMP releases lacking SCR impact analysis for boundary, crypto, logging, and control regressions 

• Review all architecture changes touching FedRAMP Moderate boundary or GSS stack 

• Lead technical discussions with FedRAMP PMO and Agency Sponsors 

• Coordinate incident response for FedRAMP systems (one-hour reporting for high-impact incidents) 

Basic Qualifications 

• 8+ years of experience in information security with 3+ years in cloud security architecture 

• 3+ years of direct experience with FedRAMP authorization or FedRAMP continuous monitoring programs 

• 3+ years of experience managing vulnerability remediation programs with Plan of Actions and Milestones (POA&M) tracking and closure 

• 2+ years of hands-on experience with Google Kubernetes Engine (GKE), Cloud Logging/Monitoring, Customer Managed Encryption Keys (CMEK) on GCP, or equivalent cloud security services 

• 2+ years of experience implementing and validating NIST 800-53 controls in production environments 

• Bachelor's degree in information security, computer science, or related field 

• Current security certification: CISSP, CISM 

• Direct experience coordinating with Third Party Assessment Organizations (3PAO) and Public Sector Customers for FedRAMP assessments 

Preferred Qualifications 

• Experience with OSCAL frameworks and compliance automation platforms 

• Knowledge of SSDF, SBOM/VEX generation, and supply chain security (NIST SP 800-161) 

• Familiarity with Terraform, OPA, or infrastructure-as-code security tooling 

• Background in SOC 2, ISO 27001, CMMC, or DoD IL4/5/Continuous Authority To Operate (cATO) programs 

• Container security experience in Kubernetes environments 

Reporting Structure 

Reports directly to the Director of Cybersecurity Governance with dotted-line responsibility to Product and Engineering Leadership. Direct communication authority with GRC Vendor, FedRAMP PMO, and U.S. Government Agency Sponsor. 

Additional, as-required responsibilities: 

Assist GRC and Security Operations functions in support of operational business needs. 

Black Duck considers all applicants for employment without regard to race, color, religion, sex, gender preference, national origin, age, disability, or status as a Covered Veteran in accordance with federal law. In addition, Black Duck complies with applicable state and local laws prohibiting discrimination in employment in every jurisdiction in which it maintains facilities. Black Duck also provides reasonable accommodation to individuals with a disability in accordance with applicable laws.