Location: Onsite – Fairfax, VA · U.S. Citizen Required (ITAR / Government Customer Requirements)
Type: Full Time
Job description
NextgenID is hiring an on-site, hands-on DevSecOps Manager to lead the security and platform operations for multi-cloud services running across AWS, Azure, and Google Cloud, managing a global network of identity verification stations.
This is a player/coach role: you will lead daily execution while setting the security and delivery standards required for SOC 2 (12–18 months) and FedRAMP Moderate. The role has a defined growth path to Director/VP based on performance, operating maturity, and leadership impact.
Role Fit & Non-Negotiables
Onsite in Fairfax, VA — remote is not available.
U.S. citizen required due to ITAR and government customer obligations.
Comfortable operating as an incident leader when needed, with primary operational hours generally 8am–7pm Eastern Time.
Hands-on ownership of security posture and DevOps/platform execution — this is not a policy-only or advisory role.
What You’ll Own (90–180 Day Outcomes)
Establish an audit-ready Secure SDLC and begin the transition from Azure DevOps (ADO) to GitHub, aligned with FedRAMP expectations.
Implement pragmatic CI/CD controls: SAST/SCA, secrets scanning, infrastructure-as-code scanning, environment protections, and evidence capture.
Harden multi-cloud identity and access: federation/SSO, least privilege, break-glass, and periodic access reviews.
Improve detection and response using Elastic; mature vulnerability management using Qualys with SLAs, dashboards, and exception governance.
Strengthen Windows fleet security using our custom command center: patching strategy, rollout rings/canary, rollback, remote isolate, baseline hardening, and telemetry coverage.
Stand up a repeatable operating cadence: standups, change control, incident review, postmortems, and measurable reliability/security KPIs.
Key Responsibilities
Security Leadership (Hands-On)
Own threat modeling and security architecture across edge, cloud, and SDLC.
Lead incident response end-to-end (triage, containment, eradication, recovery, postmortem).
Drive identity, encryption/key management, logging, detection engineering, and secure configuration baselines.
DevOps / Platform Engineering (Hands-On)
Own CI/CD pipelines and release governance across Kubernetes and VM-based workloads.
Define and enforce golden paths (templates, approved patterns, environment promotion, rollback) that accelerate delivery while improving security.
Select and standardize infrastructure-as-code approach (Terraform/CloudFormation/Bicep/Pulumi) and implement policy guardrails.
Compliance Execution (SOC 2 & FedRAMP Moderate)
Translate compliance requirements into engineering deliverables (controls, automation, evidence, continuous monitoring).
Partner with GRC to prepare audit-ready artifacts without creating manual, high-friction processes.
Create operational runbooks and control evidence that meet assessor scrutiny (NIST SP 800-53 mindset).
People Leadership (Player/Coach)
Lead and mentor a small SOC/NOC and DevOps team, with clear priorities and accountability.
Create a culture of high standards: measurable goals, calm execution under pressure, and continuous improvement.
Hire and scale the team as the platform and compliance program grow.
Required Qualifications
7+ years in Security Engineering, DevOps, Platform/SRE, or equivalent roles with direct production ownership.
Demonstrated experience building and operating secure CI/CD and release governance; experience with Azure DevOps and/or GitHub Actions.
Strong cloud security fundamentals and hands-on delivery experience in at least two of AWS/Azure/GCP (multi-cloud preferred).
Practical Windows security experience; ability to harden and operate Windows 10/11 environments at scale (IoT/embedded a plus).
Incident response leadership experience (performed as incident commander or equivalent).
Hands-on experience with SIEM/telemetry operations (Elastic preferred) and vulnerability management (Qualys preferred).
Proven ability to lead, mentor, and build a small team; able to set standards without becoming a bottleneck.
Must be able to work onsite in Fairfax, VA; U.S. citizen.
Preferred Qualifications
FedRAMP Moderate experience (NIST 800-53 controls, SSP support, continuous monitoring, assessor engagement) and/or SOC 2 readiness delivery.
Kubernetes security experience (RBAC, admission control, network policy, image policy, workload identity) plus VM hardening experience.
Software supply chain maturity: SBOM, signed artifacts/provenance, dependency governance, runner hardening, secretless authentication (OIDC).
Device fleet operations: staged rollouts, canary rings, rollback safety, remote isolation, and resilience under intermittent connectivity.
PKI/credential management exposure: certificate lifecycle (issue/renew/revoke), CRL/OCSP concepts, HSM/KMS custody patterns, and separation of duties.
Signals We Look For
You can explain how you prevent CI/CD credential theft and guarantee artifact integrity (OIDC/short-lived creds, signing/provenance, environment protections).
You have led real incidents and can describe decisions, containment steps, and postmortem-driven improvements — not just tool lists.
You think in terms of guardrails and golden paths: standardization that increases velocity while improving security and reliability.
You can operate across Windows edge realities (physical exposure, patching/rings, remote isolate) and cloud control planes.
What Success Looks Like
Security controls are implemented as automated guardrails, not manual gates; delivery speed improves while risk decreases.
Incidents are handled predictably with documented playbooks and measurable improvements (MTTD/MTTR, recurrence reduction).
SOC 2 and FedRAMP readiness progress with high-quality evidence capture and continuous monitoring, minimizing manual audit churn.
The team becomes independent and scalable, enabling a Director-level operating model.