Herndon, Virginia, United States · Hybrid Employment

Exostar is hiring an Information Security Engineer

About the Role

Exostar is hiring a senior Information Security Engineer to join our Information Security Office. This role reports to the Manager of Governance & Engineering and is designed for a hands-on engineer who can translate deep technical and architectural expertise into effective security engineering and compliance outcomes.

What You'll Do

  • Assess, design, and provide guidance on secure architectures for on-premise and cloud environments, including identity, access, network, and platform services.
  • Engage directly with infrastructure, platform, and development teams to translate security requirements into implementable technical designs and controls.
  • Provide hands-on engineering support for the implementation, validation, and remediation of technical security controls.
  • Perform threat modeling and security risk assessments and coordinate actionable mitigation strategies.
  • Provide engineering support for controls aligned to frameworks such as CMMC L2, FedRAMP Moderate, ISO/IEC 27001, IAM, SOC 2, etc.
  • Write and maintain technical control descriptions based on current architecture and operational practices.
  • Support and lead internal and external audits and assessments, including direct interaction with auditors and customers.
  • Translate technical implementations into clear, accurate, and defensible audit evidence.
  • Create, review, and update information security policies, standards, procedures, and guidelines to reflect actual system architecture and operations.
  • Identify, assess, and communicate security risks to technical and non-technical stakeholders.
  • Track remediation efforts and drive issues to closure across multiple teams.
  • Evaluate emerging technologies, regulatory changes, and industry trends to assess potential impact to Exostar’s security posture.
  • Provide subject matter expertise for Identity and Access Management (IAM) and Public Key Infrastructure (PKI) systems.
  • Support auditing and compliance of PKI, identity federation, and authentication services.
  • Collaborate on governance documentation related to identity, trusted roles, and access control programs.

What We're Looking For

  • 7+ years of demonstrated IT Security engineering experience providing guidance to technical teams.
  • 5+ years of demonstrated experience performing threat modeling and security risk assessments.
  • 5+ years of demonstrated network engineering and administration experience.
  • 5+ years of demonstrated experience designing and implementing security controls in on-premise and cloud environments.
  • Strong experience with secure SDLC practices in Agile and DevSecOps environments.
  • Demonstrated experience authoring SSPs, POA&Ms, and technical audit documentation.
  • Significant experience working with ISO/IEC 27001/27002, NIST SP 800-171, and NIST SP 800-53.
  • Experience supporting and participating in audits and assessments (e.g., SOC 2, ISO 27001, Cyber Essentials).
  • Strong written and verbal communication skills with the ability to explain technical concepts to auditors, leadership, and business stakeholders.
  • Significant experience working in Jira and Confluence.
  • Ability to pass background investigation to attain and maintain Trusted Role access to company systems.
  • Technical experience or familiarity with core network services (HTTP, SMTP, DNS) and supporting server technologies.
  • Technical experience or familiarity with encryption technologies (IPSec, SSL/TLS).
  • Technical experience or familiarity with network security controls (firewalls, proxies, NAC, phishing prevention, etc.).
  • Technical experience or familiarity with SIEM and logging architectures; familiarity with FIM technologies.
  • Technical experience or familiarity with Windows Active Directory and domain services.

Nice to Have

  • CMMC CCA or CCP.
  • FedRAMP auditor / implementer experience.
  • CISSP and other similar technical certifications.
  • Experience with Governance, Risk, and Compliance tools.
  • Cloud computing and architecture experience.
  • Windows Domains and Active Directory expertise.
  • End-point Protections (HIPS/HIDS) experience.
  • Web Application Programming (Java and related technologies).
  • Knowledge and demonstrated experience designing multi-tier, highly available, multi-threaded, scalable architectures.
  • Secure development frameworks (e.g. OWASP SAMM, Microsoft Security Development Lifecycle, IBM Secure Engineering Framework, etc.).
  • Public Key Infrastructure (PKI) experience.
  • Identity Federation Technologies (SAML, etc.).
  • Business Continuity and Disaster Recovery planning.
  • SharePoint experience.
  • Data Loss Prevention (DLP).
  • Data Labeling and Information Rights Management.
  • S/MIME-based Secure Email.
  • Identity Access Management (IAM) expertise.

Technical Stack

  • Network/Infra: HTTP, SMTP, DNS, IPSec, SSL/TLS, Firewalls, Proxies, NAC, SIEM, FIM, Windows Active Directory
  • Tools: Jira, Confluence
  • Platforms: Cloud computing, Java, PKI, SAML, SharePoint, DLP, S/MIME, IAM

Team & Environment

You will be a member of the Exostar Information Security Office, reporting to the Manager of Governance & Engineering.

Benefits & Compensation

  • Employee development and internal promotion focus.
  • Training and educational assistance.
  • Comprehensive benefits.
  • Flexible time off plans.
  • A fun, engaged workplace with social and community-building events.

Work Mode

This is a hybrid position based in Herndon, Virginia.

Exostar is an Equal Opportunity Employer. The company provides equal employment opportunities to all applicants without regard to race, color, religion, sex, national origin, age, marital status, disability status or genetic information.

Required Skills
HTTP, SMTP, DNS, IPSec, SSL/TLS, Firewalls, Proxies, NAC, SIEM, FIM, Threat Modeling, Security Risk Assessments, Network Engineering, Secure SDLC, DevSecOps
About company
Exostar

Exostar's cloud-based platforms create exclusive communities within the Aerospace and Defense, Life Sciences, and other highly regulated industries where members securely collaborate, share information, and operate compliantly. Within these communities we build trust. By analyzing community data, we provide insights and intelligence, enabling organizations to make better, timelier decisions, to mitigate risk, and operate more efficiently.

Job Details
Department: Information Technology
Category: security
Posted: 14 days ago