Exostar is seeking a senior-level Information Security Engineer to join its Information Security Office. This role serves as the lead auditor and audit engineer for Identity and Access Management (IAM) assurance, including the Federal PKI Annual Review, Kantara certification audits, and Exostar's broader internal and external audit programs. The position blends audit program development with hands-on technical depth.
What You'll Do
- Plan and execute the PKI internal audit program, including scoping, test procedures, evidence requests, control validation, and reporting.
- Lead Annual Review readiness and submission support for FPKI-related requirements, including coordination with engineering, operations, policy, and external stakeholders.
- Support Federal Bridge cross-certification activities and ongoing compliance obligations; translate CP/CPS and operational practices into audit-ready evidence.
- Lead and support Kantara assessments (e.g., Kantara Classic and NIST SP 800-63 Rev. 3 classes of approval, as applicable), including criteria mapping, evidence compilation, and auditor coordination.
- Track PKI and identity audit findings, document corrective actions, and drive remediation through verification and closure.
- Lead and manage the calendar of internal and external audits and assessments (e.g., ISO 27001, SOC 2 Type 2, Cyber Essentials, firewall audit, user account management audit, customer/security validation processes).
- Own audit lifecycle management: scope definition, evidence request lists, control walkthroughs, sampling, issue management, and final report coordination.
- Develop and maintain audit control narratives that accurately reflect current architecture and operations.
- Partner with control owners across infrastructure, development, and business functions to ensure consistent evidence quality and timely delivery.
- Design and implement audit-support tooling and automation to reduce evidence collection burden and increase repeatability (e.g., system baselines, access reviews, configuration and logging attestations).
- Provide hands-on engineering support to validate technical controls for identity, access, network security, and platform services across on-prem and cloud environments.
- Create and maintain control test scripts, runbooks, and evidence pipelines aligned to audit criteria and internal standards.
- Support secure SDLC/DevSecOps practices by enabling auditable change management, traceability, and control verification.
- Perform security risk assessments and threat modeling for identity and high-impact systems to inform control design and audit priorities.
- Maintain and evolve PKI governance documentation, including Certificate Policy (CP) and Certification Practice Statement (CPS), ensuring alignment between policy and operations.
- Lead or support the Policy Management Authority (PMA) process, including change reviews, approvals, and documented decisions impacting IAM/PKI/OTP programs.
- Author and maintain information security policies, standards, and procedures supporting enterprise audits (e.g., access control, logging/monitoring, vulnerability management, incident response).
- Monitor relevant standards and regulatory drivers (e.g., NIST, FICAM/FPKI, FedRAMP Moderate, CMMC Level 2) and assess impact to security controls and audit obligations.
- Support physical security and badging program oversight, including reporting and audit evidence for facilities controls as applicable.
- Maintain and deliver targeted security and privacy awareness training relevant to trusted roles and audit obligations.
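The bullets on audit-support tooling, control test scripts and evidence pipelines (and the user account management audit they feed) describe one recurring pattern: run a repeatable test over an export from the identity system, map each exception to a clause of the standard being audited, and package input, parameters and result into a tamper-evident artifact. The script below is an added illustration of that pattern and is not Exostar's own tooling. It assumes the identity system can export accounts as CSV with the columns shown; the sample rows, the dormancy and recertification thresholds, and the `AC-STD` clause references are all constructed placeholders for whatever a real access-control standard specifies.

```python
"""Access-review control test that emits an audit evidence record.

Added example, not Exostar's tooling. Everything below the imports
(export columns, sample rows, thresholds, clause IDs) is assumed.
"""
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample export (not real data). Column names are an assumption
# about what an AD / IdP account export would carry.
SAMPLE_EXPORT = """\
sam_account,enabled,privileged,last_logon,last_review
jdoe,true,false,2024-05-20T13:02:00Z,2024-04-01T00:00:00Z
svc-backup,true,true,2024-01-03T08:00:00Z,2023-11-15T00:00:00Z
admin-ops,true,true,2024-05-29T09:30:00Z,2024-05-01T00:00:00Z
old-contractor,true,false,2023-09-10T11:00:00Z,2023-09-01T00:00:00Z
disabled-user,false,false,2022-02-02T00:00:00Z,2024-05-01T00:00:00Z
"""

# Fixed "as of" date so the test is reproducible; in production this is the
# run timestamp and is recorded in the evidence.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Thresholds and clause references are placeholders for whatever the
# organisation's access-control standard actually requires.
DORMANT_DAYS = 90
REVIEW_DAYS = {"privileged": 30, "standard": 90}
CRITERIA = {"dormant": "AC-STD 4.2 (inactive accounts)",
            "review_overdue": "AC-STD 5.1 (periodic recertification)"}


def parse_ts(value):
    """Parse the export's UTC timestamps into timezone-aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def run_access_review(export_csv, as_of):
    """Test every enabled account against the dormancy and recertification rules.

    Disabled accounts are out of scope for the test but are still counted, so
    the evidence shows the full population that was sampled.
    """
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    findings = []
    tested = 0
    for row in rows:
        if row["enabled"].strip().lower() != "true":
            continue
        tested += 1
        tier = "privileged" if row["privileged"].strip().lower() == "true" else "standard"
        idle_days = (as_of - parse_ts(row["last_logon"])).days
        review_age = (as_of - parse_ts(row["last_review"])).days
        if idle_days > DORMANT_DAYS:
            findings.append({"account": row["sam_account"], "issue": "dormant",
                             "criterion": CRITERIA["dormant"],
                             "detail": f"no logon for {idle_days} days"})
        if review_age > REVIEW_DAYS[tier]:
            findings.append({"account": row["sam_account"], "issue": "review_overdue",
                             "criterion": CRITERIA["review_overdue"],
                             "detail": f"{tier} access last recertified {review_age} days ago"})
    return {"population": len(rows), "tested": tested,
            "status": "PASS" if not findings else "FAIL", "findings": findings}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_evidence_record(export_csv, as_of, result):
    """Package input, parameters and result into a reproducible artifact.

    Hashing the raw export and the canonical JSON result lets an auditor
    confirm later that neither was altered after the test ran.
    """
    canonical = json.dumps(result, sort_keys=True, separators=(",", ":"))
    return {
        "control_test": "access-review/dormancy-and-recertification",
        "as_of": as_of.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "parameters": {"dormant_days": DORMANT_DAYS, "review_days": REVIEW_DAYS},
        "input_sha256": sha256_hex(export_csv),
        "result_sha256": sha256_hex(canonical),
        "result": result,
    }


if __name__ == "__main__":
    outcome = run_access_review(SAMPLE_EXPORT, AS_OF)
    print(json.dumps(build_evidence_record(SAMPLE_EXPORT, AS_OF, outcome), indent=2))
```

Run against the constructed export, the test fails with five findings: two dormant accounts (`svc-backup`, `old-contractor`) and three overdue recertifications (`svc-backup`, `admin-ops`, `old-contractor`), while `jdoe` is clean and the disabled account is counted in the population but not tested. The point of the evidence record is that the same export, thresholds and run date always hash to the same values, so the artifact can be re-derived during auditor fieldwork rather than taken on trust.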
What We're Looking For
- 7+ years of information security engineering, audit engineering, or security assurance experience in complex technical environments.
- Demonstrated experience auditing or assuring PKI and identity systems (e.g., Microsoft CA/AD CS, HSM-backed key management, certificate lifecycle, CRL/OCSP).
- Experience leading internal/external audits and interacting directly with auditors and customers; strong capability to produce defensible evidence and narratives.
- Hands-on understanding of identity, access management, and authentication systems across on-prem and cloud environments.
- Ability to assess secure architectures and validate technical controls spanning network, systems, and platform services.
- Strong written and verbal communication skills; ability to drive cross-functional remediation to closure.
- Ability to pass background investigation and attain/maintain Trusted Role access to company systems.
- U.S. Citizens only.
Nice to Have
- Experience with Federal PKI (FPKI) Annual Review processes and/or Federal Bridge cross-certification audits.
- Experience with Kantara Initiative assessments (including NIST SP 800-63A/63B-aligned service criteria).
- Experience with ISO/IEC 27001, SOC 2 Type 2, Cyber Essentials, and customer security assessments.
- Experience building evidence automation (e.g., scripts, API-based data pulls, GRC workflow enablement, CI/CD-integrated evidence capture).
- Working knowledge of SIEM/logging architectures and File Integrity Monitoring (FIM) technologies; familiarity with tools such as Splunk and CrowdStrike.
- Experience with Jira/Confluence (or equivalent) for audit tracking, evidence management, and remediation workflows.
- Relevant certifications (one or more): CISSP, CISA, CISM, CMMC CCP/CCA, FedRAMP auditor/implementer (or equivalent).
Technical Stack
- Microsoft CA/AD CS
- HSM-backed key management
- Splunk
- CrowdStrike
- Jira
- Confluence
Team & Environment
You will be a member of the Exostar Information Security Office.
Benefits & Compensation
- Employee development and internal promotion
- Training and educational assistance
- Fun, engaged workplace with social and community-building events
- Comprehensive benefits
- Flexible time off plans
Work Mode
This is a hybrid role based in Herndon, Virginia.
Exostar is an Equal Opportunity Employer. The company provides equal employment opportunities to all applicants without regard to race, color, religion, sex, national origin, age, marital status, disability status or genetic information. Exostar is committed to providing equal employment opportunities for all persons in all facets of employment including recruiting, hiring, compensation, promotion, training, benefits, transfers and working conditions.