DevSecOps Engineer (Ref: 18250)

Position: DevSecOps Engineer (Ref: 18250)

Location: Mechanicsburg, PA USA, 17050

Salary: DOE

Duration: 1 Years 2 Months 22 Days - Contract

Openings: 1

Deadline: 04/17/2026

Description:

***Local Candidates

***Hybrid - 60% remote vs. 40% onsite

We are seeking a Senior DevSecOps Engineer to act as consultant with the Solutions Management group.

Duties:

• Hands-on security automation for AWS delivery.

• Build secure-by-default CDK constructs and CloudFormation templates, wire them into CI/CD, and enforce compliance checks that map to CJIS and NIST.

• Azure support is a future consideration, not a core day-one duty.

• Does not own enterprise AWS Organizations or SCP operations.

• Designs and builds reference guardrails and enforcement patterns that can be deployed by enterprise teams.

• Focuses on preventive controls and compliance automation, not incident response.

• Independent on design and build within standards; proposes guardrails and reference patterns; escalates enterprise-wide changes.

• Work hours: 8AM to 5PM (hourlong lunch)

What you will deliver First 90 days

• Pipeline security templates in GitHub Actions and Azure DevOps with SAST, SCA, IaC, container, and secret scanning gates.

• Compliance as code in reference accounts: AWS Config rules and Security Hub standards aligned to CJIS and NIST 800-53, with exceptions workflow documented.

• IaC reference modules using AWS CDK and CloudFormation for IAM least privilege, KMS, Secrets Manager, logging, and network baselines; Terraform equivalents provided where teams require them.

• Evidence exports tying checks to control IDs and producing auditor-ready artifacts.

Ongoing Support and Day-to-day responsibilities

• Harden CDK/CFT modules and pipeline templates as compliance needs evolve.

• Coach pilot teams to adopt templates.

• Raise gaps to enterprise teams for org-level enforcement.

• Author and maintain AWS CDK constructs and CloudFormation templates; provide Terraform versions as secondary.

• Implement AWS Config conformance, Security Hub standards, and GuardDuty routing in reference accounts.

• Wire scanning in CI/CD for app code, containers, and IaC.

• Create reusable GitHub/Azure DevOps templates with enforcement gates and exception handling.

• Generate posture and evidence reports mapped to CJIS and NIST controls.

Required / Desired Skills

• AWS security automation and DevOps Required - 5 Years

• Strong with AWS CDK and CloudFormation; working proficiency in Terraform Required - 5 Years

• CI/CD authoring in GitHub Actions and Azure DevOps Required - 5 Years

• Proficient in Python and Bash, with PowerShell for Windows automation Required - 5 Years

• Able to read Java and C# to integrate and tune SAST/SCA Required - 5 Years

• Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidence Required - 5 Years

• EKS/ECS/Lambda hardening patterns Required - 1 Years

• OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent Required - 1 Years

• Basic Azure security automation for future phases Required - 1 Years