Staff/Principal Security Engineer (HHS)

About Skylight

Skylight is a digital consultancy using design and technology to help government agencies deliver better public services. We’re at the forefront of a civic movement to reinvent how all levels of government serve families, patients, and many others in today's digital world.

If you want to play a part in driving this critical movement forward, we’d love for you to join our growing team of public interest technologists. The work we do matters.

About the job

At Skylight, security engineers strengthen trust in digital systems by embedding modern security practices into every stage of delivery. They help teams adopt secure defaults, automate protections, and respond effectively to evolving threats.

The U.S. Department of Health and Human Services (HHS) is launching one of the most ambitious transformations in government — and this is a rare chance to be part of it. You’ll join a high-impact team of product managers, researchers, designers, engineers, and security experts working side-by-side with HHS leadership to modernize the systems people rely on to access healthcare, strengthen cybersecurity that protects personal data, launch digital services used by tens of millions every day, and integrate data and AI responsibly into daily work across the department so teams at every level can make smarter, safer decisions.

As a security engineer on this project, you’ll lead threat modeling, automate protections, and help teams adopt secure defaults across cloud, infrastructure, and applications. You’ll guide strategies for scaling security in complex environments and strengthen incident readiness. Just as importantly, you’ll prepare federal teams to sustain these improvements by sharing knowledge and practices that last — from training and enablement to reusable tools like templates, playbooks, and decision records.

What you’ll do

• Lead threat modeling, security design reviews, and risk analyses that shape enterprise platforms and services
• Implement remediations and automation that strengthen resilience across infrastructure, cloud environments, and applications
• Define and evolve secure defaults and guardrails — including CI/CD templates, policy as code, and infrastructure as code (IaC) modules
• Partner with product, design, and engineering teams to embed security throughout the delivery lifecycle
• Establish meaningful security metrics (e.g., time-to-remediate, mean time to detect/respond, control coverage) and use them to guide decisions
• Strengthen incident readiness through tabletop exercises, playbooks, and continuous improvement of runbooks and controls
• Advise leadership on tradeoffs and strategies for scaling security in multi-team environments
• Help federal teams sustain improvements by delivering training and enablement, and by leaving behind reusable resources such as templates, playbooks, and decision records

What we're looking for

Minimum qualifications

• Experience identifying, prioritizing, and mitigating security risks across applications, infrastructure, and cloud environments
• Familiarity with embedding security practices throughout product development and delivery
• Ability to script or use automation tools (e.g., Python, Bash, PowerShell, Terraform) to implement security and compliance controls
• Understanding of regulatory and compliance contexts such as the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Modernization Act (FISMA), or the Health Insurance Portability and Accountability Act (HIPAA)
• Clear communication skills to explain risks, tradeoffs, and recommendations across technical and non-technical audiences
• Commitment to equipping federal teams with documentation, training, and mentoring so improvements last beyond the contract
• Ability to work effectively in a professional services environment
• Passion for improving public outcomes through secure, resilient government services
• A mindset and work approach that align with Skylight’s core values

Nice-to-have qualifications

• Deep knowledge of identity and access management (IAM), zero-trust architectures, or continuous Authority to Operate (cATO) practices
• Experience leading large-scale cloud modernization efforts on platforms such as Amazon Web Services (AWS) or Microsoft Azure
• Track record of mentoring engineers and building security practices across organizations
• Experience in civic tech, government, or other highly regulated environments
• Experience working effectively on hybrid or distributed teams
• Ability to spend time on-site at HHS in Washington, DC — either by being based locally or by traveling periodically for in-person collaboration

Don’t meet 100% of the criteria but think you can do the job? We’d love to chat anyway! We’re on a mission to build diverse teams, and studies have shown that women and marginalized folks are less likely to apply to jobs if they don’t check every box.

Other requirements

• All work must be conducted within the U.S., excluding U.S. territories. Some federal contracts require U.S. citizenship to be eligible for employment.
• You must be legally authorized to work in the U.S. now and in the future without sponsorship.
• As a government contractor, you may be required to obtain a public trust or security clearance.
• You may be required to complete a company background check successfully.
• Some of our available roles are on federal contracts that require a degree or additional years of experience as a substitute.

Position type

This is a full-time, exempt position.

Location

This is a remote-friendly role. You can be based anywhere in the U.S. Candidates in the Washington, DC area, or those willing to travel there periodically for in-person collaboration, are especially encouraged to apply.

Care package

Salary

We want to give you the most competitive salary possible. After all, you deserve it! To that end, we use the results of our interview process to determine what salary is most appropriate given your current level of seniority. For a Security Engineer at Skylight, the current salary ranges are as follows:

• Associate Security Engineer: $90,000–$125,000
• Security Engineer I: $120,000–$140,000
• Security Engineer II: $135,000–$160,000
• Senior Security Engineer: $150,000–$185,000
• Staff Security Engineer: $170,000–$203,000
• Principal Security Engineer: $180,000–$230,000

Benefits

Your well-being is important to us, so we focus on supporting you in a variety of ways:

• Medical insurance, dental insurance, vision insurance
• Short-term and long-term disability insurance
• Life and AD&D insurance
• Dependent care FSA, healthcare FSA, health savings account
• Dollar-for-dollar 401(k) match up to 10% of your salary with no vesting period
• Flexible paid time off policy (generally around 25 days per year), plus 11 paid federal holidays
• Up to 12 weeks paid time off for all eligible new birth, adoption, or foster parents
• Performance rewards, including annual salary increase, annual performance bonus, spot bonuses, and stock options
• Business development / sales bonuses
• Referral bonuses
• Annual $2,000 allowance for professional development
• Annual $750 allowance for tech-related purchases
• Annual swag budget of $100 to display your Skylight pride with some merchandise (hoodies, hats, and more)
• Dollar-for-dollar charity donation matching, up to $500 per year
• Flexible, remote-friendly work environment
• An environment that empowers you to unleash your superpowers for public good

Interview tips

• Visit our join page to learn more about how our interview process works.
• Check out our Career Pathways framework to learn more about the different roles within Skylight and the skills needed to do them.
• If you’d like to request reasonable accommodations during the application or interviewing process, please contact our recruiting team at recruiting@skylight.digital.

We participate in E-Verify and upon hire, will provide the federal government with your Form I-9 information to confirm that you’re authorized to work in the U.S.

We are an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, national origin, sex, religion, age, disability, veteran status, or any other category protected by applicable law.