Compliance and Security Engineer

You've stumbled upon the rare B Corp government contractor!

At TCG, we aim to prove that businesses can be good to their employees and responsible to their community while being profitable. We're an award-winning IT solutions provider to the Federal government seeking a Compliance and Security Engineer to join our project team at a major Federal agency.

The Compliance and Security Engineer will collaborate with operational teams and the Chief Information Officer (CIO) to uphold the security posture and ensure the implementation and maintenance of security controls in compliance with security plans and regulations. This role offers the unique opportunity to develop both Information Security Officer and Systems Engineering skills, eventually transitioning into a mid-level engineering position with a focus on technical work.

US Citizenship is required for this role. In addition, the selected applicant must submit to a government background investigation and be favorably adjudicated before their first day.

While primarily remote, this position may require occasional on-site meetings. The selected candidate must live within commuting distance of Washington, D.C.

RESPONSIBILITIES:

• Conduct scheduled vulnerability scans with Nessus, Tenable, and Qualys across Windows, Linux, and container platforms; analyze results, document findings, and create POA&M entries to drive remediation planning.
• Operate enterprise SIEM solutions (Splunk, ArcSight, QRadar, etc.), correlating alerts, performing root‑cause investigations, and executing incident containment and closure in accordance with NIST 800‑61.
• Draft, maintain, and update System Security Plans (SSPs), Risk Assessment Reports, POA&M logs, and System Requirements Traceability Matrices (SRTMs) to ensure alignment with NIST 800‑53 Rev 5 and FISMA mandates.
• Generate compliance dashboards and report status to leadership.
• Assist in the design, implementation, and testing of NIST 800‑53 controls (e.g., Access Control, System & Communications Protection, Identification & Authentication).
• Participate in periodic control assessments, including pre-penetration test reviews, to validate the security posture.
• Administer and optimize monitoring stacks; fine‑tune alert thresholds, develop custom probes, and deliver concise "quick‑look" reports to stakeholders.
• Harden operating systems (Windows, RHEL/CentOS, Ubuntu) and container images, applying CIS Benchmarks and conducting baseline compliance scans.
• Review source code snippets (Python, Ruby, Java) for OWASP and CIS guideline violations; recommend secure coding practices.
• Automate repetitive security tasks using lightweight scripts (Python, Bash) to increase efficiency and reduce human error.
• Collaborate with DevSecOps teams to embed security controls throughout CI/CD pipelines (Jenkins, GitLab, Azure DevOps), ensuring secure deployment of applications.
• Provide expert guidance to developers on secure coding, threat modeling, and testing methodologies.
• Mentor junior analysts on monitoring, logging, and documentation best practices.
• Author internal knowledge‑base articles, develop training materials, and conduct short workshops to elevate team capability.

REQUIRED SKILLS & EXPERIENCE:

• Minimum of 4 years of experience in IT security, including 2 years in a federal or ISSO‑equivalent role such as System Security Officer or Security Analyst.
• Demonstrated mastery of NIST 800‑53 Rev 5, NIST 800‑61, and related NIST 800‑series publications, applying these frameworks to security planning and operations.
• Proficient with enterprise SIEM platforms (Splunk, QRadar, ArcSight) for event correlation, threat detection, and incident response.
• Experienced in deploying and interpreting vulnerability scans using tools like Tenable, Qualys, Nexpose, etc., and translating findings into actionable remediation plans.
• Skilled in monitoring infrastructure, including the design of dashboards, threshold tuning, and alert management.
• Adept at configuring and maintaining security appliances to enforce perimeter security and web application protection.
• Comfortable scripting in Python (or PowerShell, Bash) for automation, data extraction, and basic code‑review tasks.
• Solid understanding of networking fundamentals-TCP/IP, DNS, HTTP/HTTPS, and SSL/TLS-including packet analysis and troubleshooting.
• Proficient in Microsoft Office (Word, Excel) and Atlassian suites (Jira, Confluence) for creating SOPs, generating reports, and maintaining dashboards.
• Strong analytical and problem‑solving abilities, capable of exercising independent judgment in complex security scenarios.
• Excellent verbal and written communication skills, with the capacity to craft concise, audience‑appropriate security briefs for both technical and non‑technical stakeholders.

PREFERRED SKILLS & EXPERIENCE:

• Tenable SC/IO, Nessus Advanced, Qualys, or other enterprise vulnerability platforms.
• Experience running Blue/Red‑team exercises or tabletop simulations.
• Knowledge of container security (Docker, Kubernetes), CI/CD automation, and IaC (Terraform, CloudFormation).
• FedRAMP knowledge, understanding of RMF implementation.

EDUCATION:

• Bachelor's degree preferred, preferably in Computer Science, Information Technology, or a related field. Experience may be substituted in the absence of a degree

TCG does not discriminate based on race, sex, color, religion, national origin, age, disability, caste, or veteran status.

Our B Corp mission is reflected in our benefits, including offerings like health care, 401K, parental leave, adoption assistance, financial planning services, student loan repayment assistance, and training budget. There's more; see for yourself.

TCG is recognized for treating employees well. In fact, in 2025, The Washington Post named TCG as a "Top Workplace" for the eleventh straight year based on how our employees feel about the company, the benefits TCG offers, and the work/life balance that our staff achieves. In the Washington Post Top Workplace survey, our CEO was ranked best by TCG employees' votes among all midsize companies.

Try us ... we'll make you happy.

Internal title/grade: System Engineer, E2
Salary Range: $95,000 - $120,000

All individuals being hired to work for TCG must submit to, and successfully pass, a pre-employment background investigation prior to reporting for their first day of work. The pre-employment background investigation will include verification of employment and education, as well as, a criminal and DMV check.

Additional documentation and background checks will also be required for positions that require clearance from the Federal government.