TCG

Compliance and Security Engineer

TCG, Washington, District of Columbia, us, 20022

You've stumbled upon the rare B Corp government contractor!

At TCG, we aim to prove that businesses can be good to their employees and responsible to their community while being profitable. We are an award‑winning IT solutions provider to the federal government seeking a Compliance and Security Engineer to join our project team at a major federal agency.

US citizenship is required for this role. The selected applicant must submit to a government background investigation and be favorably adjudicated before their first day.

While primarily remote, this position may require occasional on‑site meetings. The selected candidate must live within commuting distance of Washington, D.C.

RESPONSIBILITIES

Conduct scheduled vulnerability scans with Nessus, Tenable, and Qualys across Windows, Linux, and container platforms; analyze results, document findings, and create POA&M entries to drive remediation planning.

Operate enterprise SIEM solutions (Splunk, ArcSight, QRadar, etc.), correlating alerts, performing root-cause investigations, and executing incident containment and closure in accordance with NIST SP 800-61.

Draft, maintain, and update System Security Plans (SSPs), Risk Assessment Reports, POA&M logs, and System Requirements Traceability Matrices (SRTMs) to ensure alignment with NIST SP 800-53 Rev. 5 and FISMA mandates.

Generate compliance dashboards and report status to leadership.

Assist in the design, implementation, and testing of NIST SP 800-53 controls (e.g., Access Control, System and Communications Protection, Identification and Authentication).

Participate in periodic control assessments, including pre‑penetration test reviews, to validate the security posture.

Administer and optimize monitoring stacks; fine‑tune alert thresholds, develop custom probes, and deliver concise "quick‑look" reports to stakeholders.

Harden operating systems (Windows, RHEL/CentOS, Ubuntu) and container images, applying CIS Benchmarks and conducting baseline compliance scans.

Review source code snippets (Python, Ruby, Java) for OWASP and CIS guideline violations; recommend secure coding practices.

Automate repetitive security tasks using lightweight scripts (Python, Bash) to increase efficiency and reduce human error.

Collaborate with DevSecOps teams to embed security controls throughout CI/CD pipelines (Jenkins, GitLab, Azure DevOps), ensuring secure deployment of applications.

Provide expert guidance to developers on secure coding, threat modeling, and testing methodologies.

Mentor junior analysts on monitoring, logging, and documentation best practices.

Author internal knowledge‑base articles, develop training materials, and conduct short workshops to elevate team capability.

REQUIRED SKILLS & EXPERIENCE

Minimum of 4 years of experience in IT security, including 2 years in a federal or ISSO‑equivalent role such as System Security Officer or Security Analyst.

Demonstrated mastery of NIST SP 800-53 Rev. 5, NIST SP 800-61, and related NIST 800-series publications, applying these frameworks to security planning and operations.

Proficient with enterprise SIEM platforms (Splunk, QRadar, ArcSight) for event correlation, threat detection, and incident response.

Experienced in deploying and interpreting vulnerability scans using tools like Tenable, Qualys, Nexpose, etc., and translating findings into actionable remediation plans.

Skilled in monitoring infrastructure, including the design of dashboards, threshold tuning, and alert management.

Adept at configuring and maintaining security appliances to enforce perimeter security and web application protection.

Comfortable scripting in Python (or PowerShell, Bash) for automation, data extraction, and basic code‑review tasks.

Solid understanding of networking fundamentals (TCP/IP, DNS, HTTP/HTTPS, and SSL/TLS), including packet analysis and troubleshooting.

Proficient in Microsoft Office (Word, Excel) and Atlassian suites (Jira, Confluence) for creating SOPs, generating reports, and maintaining dashboards.

Strong analytical and problem‑solving abilities, capable of exercising independent judgment in complex security scenarios.

Excellent verbal and written communication skills, with the capacity to craft concise, audience‑appropriate security briefs for both technical and non‑technical stakeholders.

PREFERRED SKILLS & EXPERIENCE

Tenable SC/IO, Nessus Advanced, Qualys, or other enterprise vulnerability platforms.

Experience running Blue/Red‑team exercises or tabletop simulations.

Knowledge of container security (Docker, Kubernetes), CI/CD automation, and IaC (Terraform, CloudFormation).

FedRAMP knowledge, understanding of RMF implementation.

EDUCATION

Bachelor's degree preferred, preferably in Computer Science, Information Technology, or a related field. Experience may be substituted in the absence of a degree.

All individuals being hired to work for TCG must submit to, and successfully pass, a pre‑employment background investigation prior to reporting for their first day of work. The pre‑employment background investigation will include verification of employment and education, as well as a criminal and DMV check. Additional documentation and background checks will also be required for positions that require clearance from the federal government.

TCG does not discriminate based on race, sex, color, religion, national origin, age, disability, caste, or veteran status.