Security Engineer

CORMAC is seeking a Security Engineer. This role is pivotal in safeguarding complex federal healthcare systems by guiding teams on security policies and ensuring compliance with standards, along with maintaining a strong security posture across applications in robust cloud environments. Both technical and governance responsibilities are handled by the Security Engineer, as the Engineer reviews security standards with stakeholders and works hands-on to implement any needed application and platform changes through close collaboration with cross‑functional teams.

Responsibilities: 

• Work closely with the Product Owners, ISSOs, engineering and infrastructure staff to provide guidance on implementation of security policies, standards, and procedures
• Analyze new or updated security requirements, collaborate with stakeholders, and develop responses that are clear and accurate.
• Support the development of implementation and design documentation relating to security feature implementation 
• Analyze and interpret agency security requirements and provide governance communication to non-security personnel, including HIPPA, NIST, etc 
• Collaborate with agency representatives to implement security initiatives, coordinate with teams to maintain compliance with comprehensive security standards.
• Conducts vulnerability assessments and monitors systems, networks, databases and Web-based assets for potential system breaches.  
• Responds to alerts from information security tools. Reports, investigates, and resolves higher level security incidents.  
• Responds to security tool outages, degradations in service, tune security rules and alerts, and setup/maintain security tool dashboards and reporting. 
• Research security trends, new methods, and techniques used in unauthorized access of data to preemptively eliminate the possibility of system breach. Ensures compliance with regulations and privacy laws. Conducts research to identify new attack vectors. 
• Educates and communicates security requirements and procedures to organization users, with a focus on continuous improvement of security standards and maintenance of internal security.
• Provide vulnerability & compliance reviews and present any findings to government stakeholders, and plans then assists in for any investigation or remediation activities.

Basic Qualifications: 

• Bachelor's degree in Cybersecurity, Computer Science, Information technology, or similar field. 
• Must be a U.S. Citizen. 
• Must be able to obtain a Public Trust (Tier I) Clearance 
• Minimum of 8+ years of progressive experience in information security, cybersecurity engineering, or system security roles, with demonstrated technical depth and increasing responsibility. 
• Proven experience owning and maintaining an Authorization to Operate (ATO), including authoring, updating, and defending security artifacts such as System Security Plans (SSPs), Incident Response Plans, contingency plans, and related documentation. 
• Demonstrated hands-on experience managing vulnerability and compliance scanning programs remediation using tools such as Tenable, AWS Security Hub, and Snyk.
• Ability to assess security findings, determine risk severity, prioritize remediation, and drive closure in close collaboration with engineering, infrastructure, and DevSecOps teams. 
• Strong hands-on experience securing cloud-based environments, with a focus on AWS (IAM, GuardDuty, CloudTrail, Security Hub) and SaaS platforms. 
• Experience with least-privilege enforcement across cloud, application, and CI/CD environments. 
• Strong written and verbal communication skills, with the ability to clearly articulate security risks, requirements, and remediation strategies to technical teams, leadership, and government stakeholders. 
• Ability to work independently and as part of a cross-functional team, managing multiple priorities in a fast-paced, highly regulated environment. 

Preferred Qualifications: 

• Master’s of Science in Cybersecurity, Computer Science, Information Technology, or similar fields.  
• Federal government contracting experience supporting complex, multi-system environments, preferably within health, civilian, or defense agencies. 
• Advanced or senior-level industry security certifications, such as: CISSP, CISM, CRISC, or GIAC (GSEC, GCSA, GPEN). 
• Cloud security and architecture certifications, including: AWS Certified Security – Specialty, AWS Solutions Architect, CCSP or CCSK. 
• DevSecOps, automation, or platform security certifications, such as: Kubernetes Security (CKS), GitHub Advanced Security or equivalent. 
• Offensive or advanced technical security certifications, including: OSCP, CEH, GPEN, GWAPT, or similar. 
• Experience securing SaaS platforms, with preference for Salesforce GovCloud, including roles, profiles, permission sets, MFA, OAuth, and third-party monitoring tools. 
• Hands-on scripting or automation experience using Python, Bash, PowerShell, or APIs to improve security operations, onboarding/offboarding workflows, or compliance validation. 
• Experience designing or maintaining security dashboards and executive-level metrics for visibility into vulnerabilities, compliance posture, access reviews, and risk trends. 
• Experience facilitating incident response activities, tabletop exercises, and driving lessons learned into measurable, continuous improvement. 
• Demonstrated ability to mentor engineers and product teams on secure development practices, threat modeling, and evolving security risks. 

Why CORMAC? 

At CORMAC, we leverage the power of Data Management and Analytics to enable our customers to achieve their strategic goals. With over 20 years of experience in Health Information Technology (HIT), human-centered design principles and Agile development methodologies, CORMAC delivers complex digital solutions to solve some of the most challenging problems facing public healthcare programs today. 

As a US Federal Government contractor in the public healthcare sector, our work is impactful and cutting-edge while being performed in a supportive, collaborative, and welcoming environment. We offer flexible work schedules with remote, hybrid, or fully in-person workplace options to empower our employees to decide the workplace most suitable for them. At CORMAC, we have a highly diverse workforce, and believe the work environment is a place where creativity, collaboration, enthusiasm, and innovation happens, regardless of location. 

E-Verify Participation/EEO 

As an Equal Employment Opportunity employer, CORMAC provides equal employment opportunity to all employees and applicants without regard to an individual's protected status, including race/ethnicity, color, national origin, ancestry, religion, creed, age, gender, gender identity/expression, sexual orientation, marital status, parental status, including pregnancy, childbirth, or related conditions, disability, military service, veteran status, genetic information, or any other protected status.