Security Architect (FedRAMP)

Black Duck Software, Atlanta, GA

About The Position

Black Duck Software, Inc. helps organizations build secure, high-quality software, minimizing risks while maximizing speed and productivity. Black Duck, a recognized pioneer in application security, provides SAST, SCA, and DAST solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Black Duck helps organizations maximize security and quality in DevSecOps and throughout the software development life cycle.

Description

We are seeking an experienced Security Architect for FedRAMP to serve as the primary technical lead for our FedRAMP authorization and ongoing continuous monitoring (ConMon) compliance. In this role, you'll own the technical interface between our contracted GRC vendor-partner, internal engineering teams, and FedRAMP stakeholders while driving remediation activities across the organization. You'll hold authority to halt deployments and reject ConMon packages that do not meet FedRAMP evidence and SLA requirements. You'll coordinate technical implementation of NIST SP 800-53 Rev. 5 security controls, ensure their effectiveness and auditability, and serve as the final technical quality gate for control implementations and evidence schemas before submission.

As the primary technical point of contact with our GRC vendor, you'll ensure seamless collaboration on monthly ConMon deliverables, including vulnerability deltas, configuration scan results, the updated Plan of Action and Milestones (POA&M), inventory, access reviews, and disaster recovery documentation. You'll coordinate engineering Subject Matter Experts (SMEs) for Third Party Assessment Organization (3PAO) audits and control demonstrations, and lead technical discussions with the FedRAMP Program Management Office (PMO) and Agency Sponsors.

Eligibility requirement: US-based with the ability to work Eastern Standard Time core business hours.

Requirements

  • 8+ years of experience in information security, including 3+ years in cloud security architecture
  • 3+ years of direct experience with FedRAMP authorization or FedRAMP continuous monitoring programs
  • 3+ years of experience managing vulnerability remediation programs with Plan of Action and Milestones (POA&M) tracking and closure
  • 2+ years of hands-on experience with Google Kubernetes Engine (GKE), Cloud Logging/Monitoring, and Customer-Managed Encryption Keys (CMEK) on GCP, or equivalent security services on another cloud provider
  • 2+ years of experience implementing and validating NIST SP 800-53 controls in production environments
  • Bachelor's degree in information security, computer science, or a related field
  • Current security certification (CISSP or CISM)
  • Direct experience coordinating with Third Party Assessment Organizations (3PAOs) and public sector customers for FedRAMP assessments

Nice To Haves

  • Experience with OSCAL and compliance automation platforms
  • Knowledge of the Secure Software Development Framework (SSDF), SBOM/VEX generation, and supply chain security (NIST SP 800-161)
  • Familiarity with Terraform, OPA, or other infrastructure-as-code security tooling
  • Background in SOC 2, ISO 27001, CMMC, or DoD IL4/IL5 and continuous Authority To Operate (cATO) programs
  • Container security experience in Kubernetes environments

Responsibilities

  • Drive vulnerability remediation to meet FedRAMP SLAs: Critical/High within 30 days, Moderate within 90 days, Low within 180 days, and CISA Known Exploited Vulnerabilities (KEV) within 14 days
  • Own monthly privileged access reviews, with identity-removal attestations attached to Continuous Monitoring packages
  • Certify asset inventory completeness and scan coverage before each Continuous Monitoring submission
  • Review and validate technical evidence before submission to the GRC vendor
  • Act as the final technical quality gate for control implementations and evidence collection
  • Own FIPS 140-3 validation tracking for all cryptographic modules; maintain Appendix Q (Ports, Protocols, and Services)
  • Ensure logs meet retention requirements (12 months searchable online, 18 months archived) and provide a monthly attestation
  • Plan and deliver annual penetration tests, red team exercises, DR/IR tests, and contingency exercises; track findings to POA&M closure
  • Run SBOM/VEX generation and vendor supply chain risk management (SCRM) reviews aligned to NIST SP 800-161 Rev. 1
  • Enforce removal of End Of Life (EOL) software and govern the trust store (root certificates, signing keys, and Certificate Authorities [CAs])
  • Block FedRAMP releases lacking a Significant Change Request (SCR) impact analysis covering boundary, cryptography, logging, and control regressions
  • Review all architecture changes touching the FedRAMP Moderate boundary or the General Support System (GSS) stack
  • Lead technical discussions with the FedRAMP PMO and Agency Sponsors
  • Coordinate incident response for FedRAMP systems, including the one-hour reporting requirement for high-impact incidents
  • Assist GRC and Security Operations functions in support of operational business needs
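The remediation windows listed under Responsibilities (Critical/High 30 days, Moderate 90 days, Low 180 days, KEV 14 days) are the kind of rule a POA&M tracker has to enforce before a ConMon package is signed off. The Python below is an added example, not code from Black Duck or from the posting: the Finding fields, the POA&M identifiers, and the reporting date are constructed for illustration, and it assumes that a KEV-listed finding must meet both the KEV window and its severity window, so the earlier of the two deadlines applies.

```python
"""Check POA&M-style findings against the FedRAMP remediation windows quoted in
the posting and decide whether a ConMon package is clean (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Remediation windows (days from first detection) as stated in the posting.
SEVERITY_SLA_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}
KEV_SLA_DAYS = 14  # CISA Known Exploited Vulnerabilities (KEV) entries


@dataclass(frozen=True)
class Finding:
    poam_id: str                   # POA&M row identifier (constructed values below)
    severity: str                  # critical | high | moderate | low
    detected: date                 # date the scanner first reported the finding
    kev: bool = False              # listed in the CISA KEV catalog?
    closed: Optional[date] = None  # date remediation was verified; None = still open


def due_date(f: Finding) -> date:
    """Tightest deadline that applies. A KEV-listed finding must satisfy both its
    severity window and the KEV window, so the earlier of the two is used
    (assumption: the posting lists the windows separately; meeting both means
    taking the minimum)."""
    sev = f.severity.lower()
    if sev not in SEVERITY_SLA_DAYS:
        raise ValueError(f"{f.poam_id}: unknown severity {f.severity!r}")
    days = SEVERITY_SLA_DAYS[sev]
    if f.kev:
        days = min(days, KEV_SLA_DAYS)
    return f.detected + timedelta(days=days)


def sla_status(f: Finding, today: date) -> str:
    """'met': closed on or before due; 'late': closed after due;
    'overdue': still open past due; 'open': still open, inside the window."""
    due = due_date(f)
    if f.closed is not None:
        return "met" if f.closed <= due else "late"
    return "overdue" if today > due else "open"


def conmon_rows(findings: Iterable[Finding], today: date) -> List[dict]:
    """Rows for the vulnerability-delta / POA&M section of the monthly package."""
    rows = []
    for f in findings:
        due = due_date(f)
        status = sla_status(f, today)
        rows.append({
            "poam_id": f.poam_id,
            "severity": f.severity,
            "kev": f.kev,
            "due": due.isoformat(),
            "status": status,
            "days_past_due": (today - due).days if status == "overdue" else 0,
        })
    return rows


def package_meets_sla(findings: Iterable[Finding], today: date) -> bool:
    """Gate for the ConMon submission: False if any open finding is past its window.
    Findings closed late are reported in the rows but do not block the package
    here, since they are already closed; tighten this if your program treats a
    late closure as blocking."""
    return all(sla_status(f, today) != "overdue" for f in findings)


# Constructed sample POA&M rows for a reporting date of 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("V-001", "high", date(2024, 6, 10)),                                # open, due 2024-07-10
    Finding("V-002", "high", date(2024, 6, 10), kev=True),                      # KEV: due 2024-06-24, overdue
    Finding("V-003", "moderate", date(2024, 3, 1), closed=date(2024, 5, 31)),   # due 2024-05-30, closed late
    Finding("V-004", "low", date(2024, 1, 15)),                                 # open, due 2024-07-13
    Finding("V-005", "critical", date(2024, 5, 1), closed=date(2024, 5, 20)),   # due 2024-05-31, met
]

if __name__ == "__main__":
    for row in conmon_rows(SAMPLE_FINDINGS, TODAY):
        print(row)
    print("package clean:", package_meets_sla(SAMPLE_FINDINGS, TODAY))
```

Run against the constructed rows, V-002 is the one that blocks the package: it is a High finding that would otherwise have until 10 July, but its KEV listing pulls the deadline in to 24 June, six days before the reporting date. V-003 shows the other case worth surfacing in the package, a finding closed one day after its window, which should still be called out to the 3PAO even though it no longer blocks.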
© 2024 Teal Labs, Inc