Platform Security & RMF Lead

📋 Description

• • Define and execute the ATO pathway for a mission-critical DoD software platform, including responsibility allocation between government and contractor teams.
• • Author and maintain RMF documentation—including System Security Plan (SSP), Security Assessment Plan (SAP), Security Control Traceability Matrix (SCTM), and Continuous Monitoring (ConMon)—in full compliance with DoDI 8510.01 and NIST 800-53.
• • Coordinate directly with eMASS and Authorizing Officials to facilitate system assessment, authorization, and reauthorization activities throughout the RMF lifecycle.
• • Lead continuous monitoring and reauthorization efforts to ensure ongoing compliance and operational authorization across the system’s lifecycle.
• • Define security requirements for cross-domain data flows operating at IL-5 and IL-6 classification levels and tactical edge environments.
• • Evaluate and recommend DoD-approved cross-domain solutions to enable secure data exchange between classified and unclassified systems.
• • Ensure classification-aware data segmentation is enforceable, auditable, and aligned with policy directives such as NOFORN, REL_TO, and ORCON.
• • Review system architecture to validate compliant handling of classified data flows and prevent unauthorized information leakage.
• • Support secure platform operations across NIPR, SIPR, and higher classification enclaves, defining authorization approaches (inheritance vs. standalone ATOs) for each environment.
• • Ensure security posture scales consistently across enclaves without requiring fundamental architectural changes at each classification level.
• • Maintain alignment with evolving joint and service-level security requirements from DoD components and military branches.
• • Serve as the authoritative internal resource for all DoD security and RMF-related questions across engineering, architecture, and government stakeholder teams.
• • Advise on container security, role-based access control (RBAC), service mesh security, PKI/CAC integration, and secrets management practices.
• • Define expectations for security scanning, container hardening, and vulnerability management without owning the implementation pipeline.
• • Evaluate new technologies and capabilities for security and authorization impacts prior to production deployment to prevent compliance risks.
• • Ensure RMF artifacts and compliance evidence are embedded into the delivery process rather than created as afterthoughts.
• • Enable engineering teams to proactively engage security early in design decisions to build compliance into the platform from inception.
• • Ensure government stakeholders view the platform’s security posture as credible, well-managed, and audit-ready at all times.