Welcome page

Sr. DevSecOps Engineer

ID
2025-24320
Category
Program/Project Management
Location : Location
US-CA-San Diego
Min
USD $120,000.00/Yr.
Max
USD $150,000.00/Yr.
Minimum Clearance Required
Public Trust (NAC)
Travel Requirement
10% - 25%

Overview

SR. DEVSECOPS ENGINEER (PACMED):

 

Bowhead seeks a Sr. DevSecOps Engineer to support in operational systems integration, development, test, evaluation, operation, sustainment, and maintenance using technologies and acquisition management to support technical, ancillary, and clinical support to military medical treatment facilities in the pacific Region. This position will support building a next-generation automated compliance and AI-driven security operations platform supporting DoD, federal health, and enterprise health-care environments. The Sr. DevSecOps Engineer will provide deep experience in DISA STIGs, SCAP automation, RMF workflows, container security, SIEM/SOAR integrations, and AI-assisted security operations.

 

Responsibilities

SCAP / STIG Automation

  • Build automated OpenSCAP pipelines to scan Ubuntu 24.04 LTS and other Linux hosts using DISA STIG benchmarks.
  • Integrate XCCDF and OVAL results into OpenRMF using automated ingestion workflows.
  • Develop hardened base images (VMs and containers) aligned to DISA STIG requirements.

Container Security

  • Integrate RapidFort scans into CI/CD pipelines.
  • Automate ingestion of SCAP JSON into OpenRMF.
  • Ensure curated images remain compliant and low-CVE.

Compliance Operations (RMF/FedRAMP/CMMC)

  • Support generation of automated DISA checklists (CKLs) and POA&M updates.
  • Work with compliance and engineering teams to resolve findings and track remediation progress via OpenRMF.

Security Telemetry & SIEM Engineering

  • Deploy/tune Wazuh agents across hosts and workloads.
  • Configure pipelines from Wazuh → Elastic → Tines.
  • Write and maintain Elastic SIEM detection rules.

SOAR Automation & AI SOC Buildout

  • Develop Tines workflows to automate:
    • SCAP ingestion
    • RapidFort event processing
    • Elastic SIEM alert enrichment
    • Compliance notifications & ticketing
  • Integrate LLMs to:
    • Summarize alerts
    • Draft POA&M entries
    • Generate remediation guidance
    • Produce daily/weekly SOC and compliance reports

Infrastructure & DevSecOps

  • Contribute to secure CI/CD pipelines, secrets management, system hardening, logging, and access control aligned with DoD RMF.

Qualifications

Must-Have Technical Expertise

  • Five to ten (10+) years Linux engineering with security hardening focus
  • Hands-on experience with OpenSCAP, DISA STIGs, SCAP benchmarks, and STIG automation
  • Experience working with OpenRMF (or similar RMF automation platforms)
  • Strong knowledge of RMF, FedRAMP, or CMMC
  • CI/CD pipeline experience (GitLab CI, GitHub Actions, Jenkins, etc.)
  • Hands-on experience with Elastic Stack and Wazuh
  • Experience deploying or integrating SOAR platforms (Tines preferred; XSOAR or Splunk SOAR acceptable)
  • Container security experience (RapidFort, Anchore, Trivy, Aqua, etc.)

Bonus Skills

  • Familiarity with ATO workflows (IL4/IL5, DoD impact levels)
  • AI integration experience using OpenAI, Azure OpenAI, or similar
  • Python or Bash scripting for automation
  • Experience with NIST 800-53, CNSSI 1253, or DoD Cybersecurity standards

Soft Skills

  • Ability to lead architecture decisions and mentor others
  • Strong communicator capable of translating compliance needs into technical workflows
  • Able to operate independently in a fast-paced federal/healthcare environment
  • Comfortable producing documentation for audits and ATO packages

 

Physical Demands:

  • Must be able to lift up to 20 pounds
  • Must be able to stand and walk for prolonged amounts of time
  • Must be able to twist, bend and squat periodically

 

SECURITY CLEARANCE REQUIREMENTS: Must be able to obtain a security clearance at the Public Trust level. US Citizenship is a requirement.

 

#LI-KC1

Options

<p style="margin: 0px;"><span style="font-size: 11.0pt; font-family: 'Arial',sans-serif;">Sorry the Share function is not working properly at this moment. Please refresh the page and try again later.</span></p>
Share on your newsfeed

Applicants may be subject to a pre-employment drug & alcohol screening and/or random drug screen, and must follow UIC’s Non-DOT Drug & Alcohol Testing Program requirements. If the position requires, an applicant must pass a pre-employment criminal background history check. All post-secondary education listed on the applicant’s resume/application may be subject to verification.

Where driving may be required or where a rental car must be obtained for business travel purposes, applicants must have a valid driver license for this position and will be subject to verification. In addition, the applicant must pass an in-house, online, driving course to be authorized to drive for company purposes.

UIC is an equal opportunity employer. We evaluate qualified applicants without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other protected characteristics EOE/D/V. In furtherance, pursuant to The Alaska Native Claims Settlement Act 43 U.S.C. Sec. 1601 et seq., and federal contractual requirements, UIC and its subsidiaries may legally grant certain preference in employment opportunities to UIC Shareholders and their Descendants, based on the provisions contained within The Alaska Native Claims Settlement Act. Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities. Please view Equal Employment Opportunity Posters provided by OFCCP here.

All candidates must apply online at www.uicalaska.com, and submit a completed application for all positions they wish to be considered. Once the employment application has been completed and submitted, any changes to the application after submission may not be reviewed. Please contact a UIC HR Recruiter if you have made a significant change to your application. In accordance with the Americans with Disabilities Act of 1990 (ADA), persons unable to complete an online application should contact UIC Human Resources for assistance www.uicalaska.com/careers/recruitment/.

The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)

UIC Government Services (UICGS / Bowhead) provides innovative business solutions to federal and commercial customers in the areas of engineering, maintenance services, information technology, program support, logistics/base support, and procurement. Collectively, the fast-growing Bowhead Family of Companies offers a breadth of services which are performed with a focus on quality results. Headquartered in Springfield, VA, we are a fast-growing, multi-million-dollar company recognized as a top Alaska Native Corporation providing services across the Department of Defense and many federal agencies. Bowhead offers competitive benefits including medical, dental, vision, life insurance, accidental death and dismemberment, short/long-term disability, and 401(k) retirement plans as well as a paid time off programs for eligible full-time employees. Eligible part-time employees are able to participate in the 401(k) retirement plans and state or contract required paid time off programs.

Join our Talent Community!

Join our Talent Community to receive updates on new opportunities and future events.