cATO TECHNICAL PROJECT MANAGER (PM)

MILITARY FRIENDLY & PREFERRED - HOH SPONSOR

SUMMARY: The cATO Technical PM plans and drives delivery of cybersecurity architecture and engineering initiatives such as enterprise security and Continuous Authorization to Operate (cATO). This role coordinates cross-functional teams to deliver secure cloud and hybrid solutions, automate controls and evidence collection (including OSCAL), and improve risk management outcomes through repeatable standards, roadmaps, and Agile execution.

KEY RESPONSIBILITIES

• Lead planning and execution across cybersecurity architecture and engineering workstreams to support the agency cybersecurity mission.
• Develop, maintain, and evolve the Enterprise Security Reference Architecture (ESRA), security patterns, and standards for cloud and on prem environments.
• Provide architectural input to the Cybersecurity Roadmap and Strategy, including cATO maturity, automated control testing, and improvements to ATO timelines.
• Design and operationalize continuous monitoring and automated evidence collection pipelines (e.g., SIEM/XDR, scanners, cloud APIs, CI/CD) and integrate outputs into AO grade dashboards.
• Develop and manage OSCAL artifacts (profiles, inheritance models) and evidence data contracts to support scalable, repeatable assessments.
• Oversee and quality assure security architecture reviews (SAR), technical risk assessments/threat modeling, secure design reviews, and High Value Asset (HVA) assessments; ensure findings include practical mitigations and recommendations.
• Support ATO intake and assessment workflows and vulnerability scanning programs (vulnerability, compliance, configuration, database, web application, continuous monitoring, and ad hoc) aligned to RMF and federal guidance.
• Provide security architecture leadership for DevSecOps strategy and implementation, including integrating security scanning into pipelines and implementing security controls in accordance with RMF/CSF/FISMA/FedRAMP.
• Design and deploy native cloud security services and reference implementations across AWS, Azure, and GCP, including security in Infrastructure as Code (IaC) templates/blueprints.
• Evaluate and conduct proofs of value for cloud native, COTS, third party, and open source security tools; recommend improvements for coverage, efficacy, and efficiency.
• Partner with operations teams to improve cloud monitoring, detection, and response (e.g., log ingestion/analysis, alert tuning, SOC visibility) and to identify/contain/remediate SDLC vulnerabilities.
• Lead and mentor a team of security architects/engineers; coordinate cross functional stakeholders; provide briefings/presentations to technical and executive audiences.
• Own delivery management: facilitate requirements gathering, backlog refinement, sprint planning, capacity planning, and retrospectives; ensure teams deliver high value increments meeting the Definition of Done.
• Develop and maintain supporting documentation (e.g., SOPs, policies, procedures, review guides, and checklists) as required.
• May be required to perform other tasks and activities associated with the Cybersecurity Architecture and Engineering contract or requested by Executive Leadership to assist with other solutions to support clients or teams.

REQUIRED QUALIFICATIONS

• Excellent written and verbal communication skills; high attention to detail; able to work with minimal guidance.
• Demonstrated ability to operate at both the strategic and hands on technical level; able to explain technical risks and options to executive audiences.
• Proven project leadership experience coordinating cross functional teams and stakeholders; able to manage changing priorities and deliver to schedule.
• Experience leading delivery in Agile environments (e.g., Scrum/Kanban), including backlog refinement, sprint planning, capacity planning, and retrospectives.
• 5+ years (10+ preferred) experience across network, systems, and application security domains (e.g., LAN/WAN, WAF/CDN/DDoS, firewalls, IDS/IPS, virtualization, containers, CI/CD, microservices, serverless).
• 5+ years designing and/or implementing security in cloud environments (AWS required; Azure strongly preferred; GCP a plus), including shared responsibility model and hybrid/multi cloud concepts.
• Working knowledge/experience with cloud security services and tooling such as:
  • AWS: Security Hub, Config, GuardDuty, CloudTrail, CloudWatch, Lambda, IAM/KMS (or equivalent services).
  • Azure: Entra ID/AD, Key Vault, Monitor/Log Analytics, Policy, Defender for Cloud (or equivalent services).
• Experience with DevSecOps security strategy and implementation, including integrating automated security assessments/scanning and evidence collection into CI/CD pipelines.
• Experience designing and assessing architectures in accordance with RMF and federal security guidance (e.g., NIST, FISMA, FedRAMP); familiarity with CSF preferred.
• Familiarity with Zero Trust (EO 14028), SCRM, ICAM, SASE/CASB/SWG/TIC 3.0 concepts and enterprise security operations (SIEM/SOC) preferred.
• Strong analytical and problem solving skills; ability to research, evaluate, and recommend mitigations for threats and vulnerabilities.
• Experience developing security documentation such as SOPs, procedures, guidelines, and assessment reports.

EDUCATION

• Bachelor of Science (or higher) in Computer Science, Information Technology, Cybersecurity, Engineering, or a related technical field.

CERTIFICATIONS

• CISSP is required. In addition, at least one of the following are also required CCSP; AWS Certified Solutions Architect (Associate or higher); AWS Certified Security - Specialty; Microsoft Certified: Azure Solutions Architect Expert; Google Professional Cloud Architect (or equivalent).

CLEARANCE

• Minimum of an active Secret clearance.

LOCATION

• Primary locations are Arlington and Alexandria, VA. Remote work is authorized. Occasional travel to the primary locations will be required.
• Hours: 6:00 am ET – 6:00 pm ET.

Benefits

Full