Remote

Chief Security Architect, Developer Experience

Leidos Inc
$154,050.00 - $278,475.00 / yr
United States
Apr 16, 2026

Description

Chief Security Architect, Developer Experience

"Wanted: The architect who sees that the ATO process isn't a compliance problem - it's an engineering problem - and knows how to build the solution."

Large-scale software delivery in regulated, defense-focused environments runs into the same wall everywhere you look. The compliance process was designed to create an audit trail. It wasn't designed to enforce security. SSPs capture intent. ATOs authorize environments at a point in time. And by the time the ink is dry, the system has already moved.

The developers building mission-critical software know this pattern. The security organizations know it too. The question has never been whether this model needs to change - it's whether anyone has the engineering depth and the security credibility to build something that actually replaces it.

That's why this role exists.

We're building the platform that is transforming how thousands of Leidos engineers build and deliver software. At the center of that platform is a fundamental re-architecture of how compliance works: not as a gate you pass through, but as code woven into the infrastructure itself. Policy-as-code. Continuous compliance evidence. A platform ATO that programs inherit rather than pursue on their own.

The goal is a platform that the enterprise security organization looks at and says: this is the thing we've been trying to build for years. These people aren't going around us. They're handing us superpowers.

You're the person who builds it. And you're the person who makes that realization inevitable.

Why This Role Matters

Security and compliance in defense-sector software delivery have long lived in a structural paradox: the processes designed to protect mission software are the same processes that slow it down. Manual authorization cycles. Point-in-time snapshots. Documentation that proves intent but not execution. Every program team re-solves the same compliance problems. Every platform that wants to help them has to run the gauntlet first.

What you'll build isn't a workaround. It's a better architecture: policy-as-code that enforces compliance at the moment of deployment, continuous evidence that gives auditors real-time proof instead of point-in-time packages, and a platform-level ATO that program teams can inherit rather than pursue. The result is a security posture that's demonstrably stronger than manual review - stricter, more consistent, and infinitely more scalable.

Leidos is one of the largest engineering organizations supporting national security, with thousands of developers building mission-critical software across hundreds of programs. What you build here will shape how that software is delivered - and whether the security guaranteeing it is a paper promise or an enforced fact.

If you've spent your career knowing this was possible and waiting for an organization big enough to matter and willing enough to move - this is it.

What You'll Do

  • Architect the compliance engine. Design and build the policy-as-code infrastructure that sits at the heart of the platform: the enforcement points, evidence pipeline, continuous compliance dashboards, and attestation framework that make "approved to deploy" a machine-verifiable fact, not a permission you wait on. You know this toolchain - the policy engines, the evidence frameworks, the supply chain attestation standards - and you've put it to work in production.

  • Own the platform ATO strategy. Chart the path from where we are to a platform-level ATO that programs can inherit. Navigate RMF, NIST 800-53, NIST 800-171, NIST 800-160, and DoD IL4/IL5 requirements alongside the realities of working with internal security reviewers and external auditors (3PAOs, DCMA). You've done this before. You know which shortcuts are real and which are traps.

  • Be the enterprise security team's most important technical partner. Attend the meetings. Build the trust. Co-author the policies. Make the case - technically, patiently, relentlessly - that policy-as-code is more rigorous than manual reviews, not less. You can speak the language of ISSOs and ISSMs, help them see their role shifting from gatekeepers to policy authors, and make that shift feel like a promotion rather than a loss.

  • Build the agentic AI security model. Claude Code, Codex, MCP servers, agentic development pipelines - all of these require a new security architecture that doesn't exist yet at enterprise scale. You'll design the controls that let developers use these tools at full power while enterprise security leadership can look at the posture and say "yes, we can see what's happening, and we're comfortable with it."

  • Own security architecture across the developer platform. Threat model the full stack - CI/CD pipelines, developer portal, container runtimes, workstation environments, inner and outer developer loop. Design the controls. Keep the security posture visible and auditable - not as an afterthought, but as a first-class platform capability.

  • Lead the supply chain security effort. SBOM generation, dependency management, container image provenance, vulnerability scanning - you design the enterprise pattern, build the tooling, and make it automatic. Every artifact that comes out of our pipelines has a provenance story you can tell.

  • Drive ATO process re-architecture. The current ATO process needs structural change - not circumvention, but a fundamentally better model. You'll have the technical depth to speak credibly about what the current process gets right, the honesty to name what it's not designed for, and the credibility to propose something that security teams will actually embrace.

Who You Are

  • A builder, not a reviewer. You've designed security systems. You've implemented them. You've seen them work in production under real conditions. You don't just know what good looks like on a whiteboard - you know how to build it.

  • Fluent in compliance, but not captured by it. You understand RMF, NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, and DoD IL4/IL5 deeply enough to know which requirements the current manual process actually satisfies - and which ones it only claims to satisfy. You can make the argument that automated enforcement is a better answer to the underlying security requirement, not a workaround.

  • A translator. You can walk into a room with the CISO, explain a Kubernetes admission controller policy in terms of the RA-5 control it satisfies, get heads nodding, and leave with a commitment. You can then turn around and work shoulder-to-shoulder with a platform engineer to implement it. You move fluidly between executive conversations and implementation details.

  • Patient and persistent with organizational change. You know that the security and IT organizations you're working with are not obstacles. They're stakeholders with legitimate concerns who need to be brought along, not pushed aside. You've done this before. You know it takes time. And you know how to make progress anyway.

  • Clear-eyed about the mission. You know that the point of all of this isn't compliance for its own sake. It's software that powers national security delivered faster, more reliably, and with a security posture that can be proven - not just promised. That understanding shapes how you make decisions.

What You'll Face

  • A compliance process built for steady-state operations being applied to a build phase that requires a fundamentally different engagement model.

  • A corporate security organization that understands the problem and wants velocity - and needs a technical partner who can help turn that stated value into structural change.

  • Agentic AI tooling that is arriving faster than enterprise security controls can be designed for it. You'll be building the plane while flying it.

  • The bootstrapping paradox: you're using the manual compliance process to build the tool that automates the manual compliance process. Every week in review is a week you're not building what eliminates the need for review.

  • Programs that need platform ATOs now and a platform that isn't mature enough yet to grant them.

And still - you'll make progress. Because you've navigated this before. You know what's possible, you know what takes time, and you know how to keep moving when both are true simultaneously.

Your Technical Impact

  • Design and deliver the policy-as-code infrastructure that enforces compliance at deployment - making it impossible to ship non-compliant code rather than hoping it doesn't happen.

  • Establish continuous compliance evidence generation: every deployment auto-produces artifacts mapped to NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, and DoD SRG controls. Auditors query dashboards, not document packages.

  • Build the agentic AI security architecture that covers agentic development tools, MCP server governance, and AI-assisted development pipelines at enterprise scale - so security leadership sees a mature security posture, not an uncontrolled threat surface.

  • Architect the path to a platform-level ATO that programs can inherit - reducing what once took months or years to a matter of seconds for teams building on the platform.

  • Lead the software supply chain security effort: SBOM generation, image provenance, dependency management, vulnerability scanning - automated, continuous, and integrated into the developer workflow.

  • Be the technical voice that turns the security team-DevEx relationship into a genuine partnership: co-authored policies, shared security posture ownership, and a security organization that sees the platform as an asset they helped build rather than a risk they were asked to accept.

Required Qualifications

  • Master's degree in Computer Science, Information Security, Software Engineering, or related technical field.

  • 15+ years of experience in security architecture, DevSecOps, platform security, or related disciplines - with significant hands-on work, not just advisory roles.

  • Deep expertise in policy-as-code tooling: Open Policy Agent (OPA), Kyverno, Rego, Sentinel, or equivalent. You've written policies in production, not just evaluated the category.

  • Strong working knowledge of compliance frameworks: NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, DoD IL4/IL5/6, RMF, CMMC. You understand the controls, what satisfies them, and how to build automated evidence.

  • Hands-on experience with container and Kubernetes security: admission controllers, image scanning, network policies, runtime security, and hardened base images.

  • Experience with CI/CD pipeline security: SAST/DAST, SCA, container scanning, IaC scanning, secrets management, hardened images/libraries, and how to integrate these into developer workflows without crushing velocity.

  • Familiarity with software supply chain security: supply chain integrity frameworks (SLSA, in-toto), SBOM standards (CycloneDX, SPDX), signed commits, and provenance tooling.

  • Experience designing security for AI-assisted development environments, including agent tooling, MCP server governance, LLM-integrated development pipelines, or equivalent emerging threat surfaces (or demonstrated ability to reason credibly about novel security architectures).

  • Proven ability to engage effectively with security and compliance stakeholders - not just technically, but organizationally. You've worked with ISSOs/ISSMs, auditors, and compliance teams. You know how to move them.

  • Excellent communication skills - you can explain a Kubernetes admission webhook to a CISO and a FedRAMP control to a platform engineer, and make both conversations productive.

  • U.S. citizenship required; ability to obtain and maintain a security clearance.

Preferred Qualifications

  • Direct experience with USAF Platform One, DISA Repo One, or equivalent DoD DevSecOps programs - you've seen what continuous ATO looks like in practice.

  • Background working with 3PAOs, DCMA, or other external auditors in the context of FedRAMP, DoD IL authorization, or RMF.

  • Hands-on experience with Wiz, Prisma Cloud, Orca, or equivalent cloud security posture management platforms.

  • Familiarity with RegScale, Telos Xacta, or equivalent GRC tooling and how to automate evidence flows into them.

  • Experience building or operating an Internal Developer Portal (Backstage, Cortex, or custom) with security capabilities integrated.

  • CISSP, CCSP, or equivalent security certifications (valued but not required if the work speaks for itself).

If you're looking for comfort, keep scrolling. At Leidos, we outthink, outbuild, and outpace the status quo - because the mission demands it. We're not hiring followers. We're recruiting the ones who disrupt, provoke, and refuse to fail. Step 10 is ancient history. We're already at step 30 - and moving faster than anyone else dares.

Original Posting: April 15, 2026

For U.S. Positions: While subject to change based on business needs, Leidos reasonably anticipates that this job requisition will remain open for at least 3 days with an anticipated close date of no earlier than 3 days after the original posting date as listed above.

Pay Range: $154,050.00 - $278,475.00

The Leidos pay range for this job level is a general guideline only and not a guarantee of compensation or salary. Additional factors considered in extending an offer include (but are not limited to) responsibilities of the job, education, experience, knowledge, skills, and abilities, as well as internal equity, alignment with market data, applicable bargaining agreement (if any), or other law.

About Leidos

Leidos is an industry and technology leader serving government and commercial customers with smarter, more efficient digital and mission innovations. Headquartered in Reston, Virginia, with 47,000 global employees, Leidos reported annual revenues of approximately $16.7 billion for the fiscal year ended January 3, 2025. For more information, visit www.Leidos.com.

Pay and Benefits

Pay and benefits are fundamental to any career decision. That's why we craft compensation packages that reflect the importance of the work we do for our customers. Employment benefits include competitive compensation, Health and Wellness programs, Income Protection, Paid Leave and Retirement. More details are available at www.leidos.com/careers/pay-benefits.

Securing Your Data

Beware of fake employment opportunities using Leidos' name. Leidos will never ask you to provide payment-related information during any part of the employment application process (i.e., ask you for money), nor will Leidos ever advance money as part of the hiring process (i.e., send you a check or money order before doing any work). Further, Leidos will only communicate with you through emails that are generated by the Leidos.com automated system - never from free commercial services (e.g., Gmail, Yahoo, Hotmail) or via WhatsApp, Telegram, etc. If you received an email purporting to be from Leidos that asks for payment-related information or any other personal information (e.g., about you or your previous employer), and you are concerned about its legitimacy, please make us aware immediately by emailing us at LeidosCareersFraud@leidos.com.

If you believe you are the victim of a scam, contact your local law enforcement and report the incident to the U.S. Federal Trade Commission.

Commitment to Non-Discrimination

All qualified applicants will receive consideration for employment without regard to sex, race, ethnicity, age, national origin, citizenship, religion, physical or mental disability, medical condition, genetic information, pregnancy, family structure, marital status, ancestry, domestic partner status, sexual orientation, gender identity or expression, veteran or military status, or any other basis prohibited by law. Leidos will also consider for employment qualified applicants with criminal histories consistent with relevant laws.

#Remote
