
Senior Compliance Automation Engineer

True Anomaly

Posted about 2 hours ago

Space is a warfighting domain. True Anomaly seeks those with the talent and ambition to build the technology that secures it.

OUR MISSION

True Anomaly delivers decisive capabilities for space superiority. We build autonomous spacecraft, advanced payloads, mission software, and space-based interceptors — enabling the U.S. and its Allies to secure the space environment and counter threats from the ultimate high ground.

OUR VALUES

  • Be the offset. We create asymmetric advantages with creativity and ingenuity.
  • What would it take? We challenge assumptions to deliver ambitious results.
  • It’s the people. Our team is our competitive advantage and we are better together.

Your Mission

We are seeking a Senior Compliance Automation Engineer to join our Governance, Risk, and Compliance (GRC) team and design and build True Anomaly's compliance automation platform from the ground up. This is a greenfield engineering role, not a configuration or administration position. You will not be deploying off-the-shelf GRC tools and calling it done. Instead, you will architect and engineer a purpose-built, continuous compliance monitoring platform capable of spanning a hybrid environment of on-premises classified systems and multi-cloud infrastructure (AWS GovCloud, Azure Government).

This role sits at the intersection of software engineering, DevSecOps, and compliance, and demands someone who can write production-quality code, design robust API and webhook integration frameworks, and translate NIST SP 800-53 Rev. 5 and NIST SP 800-171 Rev. 3 control requirements into automated, evidence-generating technical workflows. You will own the architecture, build the pipelines, and integrate data from across the enterprise to produce a real-time, auditable, and scalable compliance posture built on infrastructure you design, not a vendor's dashboard.

This position requires the ability to obtain and maintain a security clearance.

Responsibilities

Compliance Automation Platform Engineering

  • Architect and build a greenfield Continuous Compliance Monitoring (CCM) platform from first principles, designed to aggregate, correlate, and report on security control status across hybrid on-premises and cloud environments in near real time.
  • Design and implement a modular, API-first platform architecture with well-documented internal APIs and extensible data models that support rapid onboarding of new control families, systems, and data sources.
  • Develop webhook-driven integration pipelines that ingest telemetry and compliance signals from diverse source systems, including cloud-native security services, SIEM platforms, vulnerability scanners, configuration management tools, and identity providers, without reliance on manual data collection or polling.
  • Build control validation microservices that programmatically test the implementation state of NIST SP 800-53 and 800-171 controls, generate machine-readable evidence artifacts, and surface control gaps with contextual remediation guidance.
  • Implement an evidence collection and artifact management framework that automatically captures, timestamps, and indexes compliance evidence mapped to specific control requirements, enabling audit-ready artifact packages to be assembled on demand.
  • Develop platform capabilities to support continuous authorization workflows, replacing point-in-time assessment cycles with living, automated control validation that feeds directly into ATO decision support.

DevSecOps and Pipeline Integration

  • Embed compliance enforcement gates into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) to intercept non-compliant infrastructure-as-code (IaC) changes, insecure configurations, and policy violations before they reach production.
  • Develop and maintain policy-as-code libraries using tools such as Open Policy Agent (OPA), Terraform Sentinel, AWS Config Rules, and Azure Policy, translating control requirements into machine-enforceable rulesets.
  • Integrate compliance telemetry with infrastructure provisioning workflows using Terraform, Ansible, and Pulumi, ensuring that system authorization boundaries are maintained as infrastructure evolves.
  • Build automated STIG validation workflows that apply and verify DISA STIG benchmarks across Linux, Windows, container, and cloud resource configurations using tools such as InSpec, OpenSCAP, and custom-built validation scripts.
  • Partner with DevOps and platform engineering teams to implement secure baseline enforcement automation, including automated drift detection and remediation triggering for configuration deviations.
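The control-validation and evidence-artifact bullets above, and the CI/CD gate and policy-as-code bullets in this list, describe one pipeline: evaluate an infrastructure change against checks mapped to control IDs, record machine-readable evidence, and fail the build on a violation. The following is an added illustration, not True Anomaly's code or any vendor's tool. It assumes a simplified version of the `planned_values.root_module.resources` shape that `terraform show -json` emits, a constructed sample plan, and illustrative (not authoritative) mappings of three checks to NIST SP 800-53 Rev. 5 controls SC-28, SC-7 and AU-9. In a real pipeline the rules would usually live in OPA/Rego or Sentinel; the Python here shows the mechanics of the gate and the evidence record.

```python
"""Added example: a CI/CD compliance gate over a Terraform plan that emits a
timestamped, hash-indexed evidence artifact. Control mappings are illustrative."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample plan (not from a real environment): a subset of the
# ``planned_values.root_module.resources`` structure of ``terraform show -json``.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
                 "values": {"encrypted": False, "size": 100}},
                {"address": "aws_security_group.bastion", "type": "aws_security_group",
                 "values": {"ingress": [
                     {"from_port": 22, "to_port": 22, "protocol": "tcp",
                      "cidr_blocks": ["0.0.0.0/0"]}]}},
                {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail",
                 "values": {"enable_log_file_validation": True}},
            ]
        }
    }
}


def volume_encrypted(values):
    """SC-28 (illustrative mapping): block storage must be encrypted at rest."""
    return values.get("encrypted") is True


def no_world_ssh(values):
    """SC-7 (illustrative mapping): no ingress rule exposes TCP/22 to any address."""
    for rule in values.get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        world = any(c in ("0.0.0.0/0", "::/0") for c in cidrs)
        # protocol "-1" means all traffic in the AWS provider, ports are 0/0
        covers_22 = (rule.get("protocol") == "-1"
                     or rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0))
        if world and covers_22:
            return False
    return True


def trail_validation(values):
    """AU-9 (illustrative mapping): CloudTrail log file integrity validation is on."""
    return values.get("enable_log_file_validation") is True


# (control id, resource type, human-readable check, predicate over resource values)
CHECKS = [
    ("SC-28", "aws_ebs_volume", "EBS volume encrypted at rest", volume_encrypted),
    ("SC-7", "aws_security_group", "no SSH ingress from any address", no_world_ssh),
    ("AU-9", "aws_cloudtrail", "CloudTrail log file validation enabled", trail_validation),
]


def resources(plan):
    return plan["planned_values"]["root_module"]["resources"]


def evaluate_plan(plan):
    """Run every check against every resource of its type; one result per pair."""
    results = []
    for control, rtype, desc, predicate in CHECKS:
        for res in resources(plan):
            if res["type"] != rtype:
                continue
            results.append({"control": control, "resource": res["address"],
                            "check": desc, "passed": bool(predicate(res["values"]))})
    return results


def canonical_hash(obj):
    """SHA-256 over a canonical JSON encoding, so equal content hashes equally."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_evidence(plan, results, collected_at=None):
    """Evidence artifact: UTC timestamp, hash of the evaluated input, results, self-hash."""
    collected_at = collected_at or datetime.now(timezone.utc)
    artifact = {
        "collected_at": collected_at.isoformat(),
        "plan_sha256": canonical_hash(plan),
        "results": results,
        "summary": {"passed": sum(r["passed"] for r in results),
                    "failed": sum(not r["passed"] for r in results)},
    }
    artifact["artifact_sha256"] = canonical_hash(artifact)
    return artifact


def gate(plan):
    """Return (exit status, artifact); a non-zero status is what fails the pipeline job."""
    artifact = build_evidence(plan, evaluate_plan(plan))
    return (1 if artifact["summary"]["failed"] else 0), artifact


if __name__ == "__main__":
    status, evidence = gate(SAMPLE_PLAN)
    print(json.dumps(evidence, indent=2))  # the artifact a pipeline would archive
    raise SystemExit(status)
```

On the constructed plan the gate fails on SC-28 (unencrypted volume) and SC-7 (SSH open to the world) and passes AU-9, so the job exits non-zero and the archived artifact records which resource failed which control, when, and against which exact input hash.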

Hybrid Architecture and On-Premises Integration

  • Design integration patterns and secure data collection agents for on-premises and air-gapped or limited-connectivity environments, enabling compliance telemetry to flow into the central platform without violating network segmentation or classification boundaries.
  • Build bidirectional sync mechanisms between on-premises systems and cloud compliance services where permitted by authorization boundaries, ensuring hybrid posture visibility without creating unauthorized data flows.
  • Develop solutions for classified environment compliance monitoring that operate within applicable network and data handling constraints, including support for IL5 and IL6 system boundaries.
  • Architect the platform's data pipeline and storage layer with an explicit understanding of CUI, ITAR-controlled data, and classified data handling requirements, ensuring the platform itself does not become a compliance liability.

NIST Framework Implementation and Control Automation

  • Serve as the technical authority on programmatic implementation of NIST SP 800-53 Rev. 5 control families, translating AC, AU, CM, IA, IR, RA, SC, SI, and other control families into automatable checks, evidence generators, and remediation workflows.
  • Build automation coverage for the full NIST SP 800-171 requirement set (110 requirements in Rev. 2, consolidated to 97 in Rev. 3), with particular depth in Access Control, Audit and Accountability, Configuration Management, and System and Communications Protection.
  • Develop automated SSP population and maintenance workflows, enabling system security plans to be updated dynamically as control implementations change rather than through manual quarterly refresh cycles.
  • Implement POA&M lifecycle automation, including automated finding ingestion from scan results and audit outputs, deduplication, severity scoring, and status tracking integrated with ticketing systems such as Jira or ServiceNow.
  • Build CMMC Level 3 readiness automation tooling that maps assessment objectives to automated test cases, evidence artifacts, and gap reporting outputs.

Platform Observability and Reporting

  • Design and implement a compliance posture dashboard and reporting layer, built in-house, that provides real-time visibility into control implementation status, open findings, POA&M health, and assessment readiness across all scoped systems.
  • Build automated compliance scoring and trend analysis capabilities, surfacing control degradation, coverage gaps, and risk concentration patterns to GRC leadership and system owners.
  • Develop alerting and escalation workflows that notify responsible parties of control failures, configuration drift, scan findings, or expiring artifacts with appropriate urgency and context.
  • Implement structured audit log generation across all platform components, ensuring the compliance platform itself is fully auditable and operates within the control boundaries it enforces.

Qualifications

  • 7+ years of experience in security engineering, compliance engineering, DevSecOps, or a closely related discipline, with a demonstrated emphasis on building automation rather than operating tools.
  • Proven ability to design and build production-quality software systems, including APIs, data pipelines, and integration services. Proficiency in one or more of: Python, Go, TypeScript/Node.js, or equivalent.
  • Deep, hands-on expertise with NIST SP 800-53 Rev. 5 and NIST SP 800-171 Rev. 2/Rev. 3, including the ability to translate control language into specific, automatable technical implementations rather than policy documents alone.
  • Demonstrated experience designing and implementing webhook-driven and API-based integrations across heterogeneous security and IT toolsets, including cloud-native services, SIEMs, vulnerability management platforms, and ITSM systems.
  • Hands-on experience with policy-as-code frameworks including Open Policy Agent (OPA), Terraform Sentinel, AWS Config, or Azure Policy.
  • Proficiency with infrastructure-as-code tools including Terraform, Ansible, Pulumi, or equivalent, with experience enforcing compliance controls through IaC templates and pipelines.
  • Experience with CI/CD platforms (GitHub Actions, GitLab CI, Jenkins) and the ability to build and maintain compliance gates as native pipeline components.
  • Working experience with STIG validation tooling including InSpec, OpenSCAP, SCAP Compliance Checker (SCC), or equivalent, including custom profile development.
  • Familiarity with cloud security services across AWS GovCloud and/or Azure Government, including AWS Security Hub, AWS Config, Microsoft Defender for Cloud (formerly Azure Security Center), and related services.
  • Demonstrated experience working within hybrid architectures that include both cloud and on-premises infrastructure, including an understanding of network segmentation, data classification boundaries, and compliance scope delineation.
  • Active or ability to obtain SECRET security clearance; TS/SCI strongly preferred.
  • Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)).

Preferred Qualifications

  • Experience with CMMC Level 2 or Level 3 compliance activities, including gap analysis, assessment preparation, and technical control validation.
  • Hands-on experience with RMF Authorization processes at DoD IL5 or IL6, including SSP development, ConMon program implementation, and ATO sustainment.
  • Familiarity with SIEM and log management platforms and the ability to build compliance-relevant detection rules and dashboards.
  • Experience with container and Kubernetes security tooling including Falco, Trivy, kube-bench, or OPA Gatekeeper.
  • Familiarity with vulnerability management platforms and experience automating finding ingestion and POA&M workflows from scan outputs.
  • Exposure to EAR/ITAR export-control regulations and their implications for system design, data handling, and compliance tooling.
  • Experience with database design sufficient to architect a compliance data store, including schema design, indexing for audit query performance, and data retention considerations.
  • Familiarity with message queue and event streaming technologies (Kafka, RabbitMQ, AWS SQS/SNS, Azure Service Bus) as applied to real-time compliance telemetry pipelines.
  • Industry certifications such as: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), CMMC Registered Practitioner (RP) or CMMC Certified Professional (CCP), AWS Certified Security – Specialty, Microsoft Certified: Azure Security Engineer Associate, or CompTIA Security+.
  • Background in startup, defense technology, aerospace, or SaaS environments operating under DoD compliance obligations.
  • Familiarity with Agile/Scrum delivery models and experience managing compliance automation work in sprint-based development cycles.

Compensation

  • Base Salary: $135k - $195k
  • Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience.

Additional Requirements

  • Work Location: Successful candidates will be located near Denver, Long Beach, the San Francisco Bay Area, or Washington D.C. While we observe a hybrid work environment, some work must be done on site (minimum 3 days per week onsite).
  • Work Environment: Standard office setting, working at a desk or in a production factory environment.
  • Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs.

This position will be open until it is successfully filled.

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.

We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact.


Job details

Workplace

Office

Location

Denver, CO or Long Beach, CA or SF Bay area, CA or Washington, DC

Experience

Senior

Salary

135k - 195k USD

per year
